Threat Outpaces Government’s Ability to Keep Pace, Says Parliamentary Committee
Akshaya Asokan (asokan_akshaya)
May 9, 2025
The British government depends on IT systems only a little more modern than the 15th century Athelhampton House in Dorchester. (Image: Chris Jenner/Shutterstock)
Cyberthreats have evolved beyond the British government’s ability to keep pace, warned a Parliamentary committee in a report highlighting lack of prioritization and a deficiency in civil service cyber skills.
In a report published on Friday, the Committee of Public Accounts said there exist “substantial gaps” in the government’s “understanding of how resilient its IT estate is to cyberattack.”
The United Kingdom vowed in 2022 to significantly upgrade the defenses of critical functions against cyberattacks over the next three years, setting itself up for a 2025 goal that multiple observers – including the committee – have said won’t be reached (see: Critical UK Government Systems at High Risk, Warn Auditors).
The country has felt a series of stinging cyberattacks over the last few years, including a July 2024 attack on a pathology laboratory services provider that resulted in thousands of postponed medical appointments and a blood shortage. A 2023 ransomware incident at the British Library has cost roughly 7 million pounds to remediate, the committee said. The government in December 2023 accused a Russian intelligence agency of running a yearslong campaign to interfere in British politics.
“Government’s adversaries, both hostile states and criminals, have developed their capability faster than government expected,” the committee wrote.
A persistent lack of skilled cybersecurity professionals in the civil service is one reason for the enduring gap in resilience, parliamentarians wrote. “Government has been unwilling to pay the salaries necessary to hire the experienced and skilled people it desperately needs to manage its cybersecurity effectively.” Government figures show the workforce has grown and there are plans to recruit more experts – but a third of cybersecurity roles are either vacant “or filled by expensive contractors,” the report states. “Experience suggests government will need to be realistic about how many of the best people it can recruit and retain.”
The report also faults government departments for not taking sufficient ownership of cybersecurity. The prime minister’s office for years relied on departments to perform a cybersecurity self-assessment, until 2023, when it launched GovAssure, a program that brings in independent assessors. GovAssure turned the self-assessments on their head, finding that the departments that had ranked themselves highest were among the least secure.
Continued reliance on legacy systems has figured heavily in recent critiques of British government IT, and it does in the parliamentary report as well. “It is unacceptable that the center of government does not know how many legacy IT systems exist in government and therefore cannot manage the associated cyber risks.”
A Cabinet Office spokesperson said it “welcomes” the report findings. “Last month we also unveiled details of our Cybersecurity and Resilience Bill which will be introduced to Parliament later this year, ensuring our critical national infrastructure and digital economy are better protected and less vulnerable to attack,” the spokesperson added (see: UK Government Previews Cybersecurity Legislation).
The bill, which is the equivalent of the European Union’s Network and Information Security Directive, or NIS2, imposes measures such as mandatory patching and incident reporting.
At a conference this week hosted by the National Cyber Security Centre, the NCSC announced several measures to shore up cyber resilience. These include proposed plans to switch from SMS-based verification to passkeys for access to government services later this year and the launch of a voluntary code of practice for technology providers (see: UK Government to Roll Out Passkeys Late This Year).