UK Government Faces Critical Cybersecurity Risks
The UK Government is currently at a “critical risk” of cyber attack and is struggling to keep pace with the rapidly evolving threats posed by hostile states. Four senior officials from the Cabinet Office have pointed out that years of neglect, inadequate funding, and recruitment challenges have left the UK increasingly vulnerable to cyber warfare from both hostile nations and international criminals.
As part of a Parliamentary inquiry into the nation’s resilience, these officials highlighted that various government departments are trapped in a cycle of using outdated legacy IT systems, coupled with a significant lack of expertise in effective defense mechanisms. Bella Powell, the cyber director at the Government Security Group (GSG)—a specialized task force within the Cabinet Office focused on safeguarding government departments—has stated that resilience levels across the UK are “substantially lower” than expected. She emphasized that the “escalating threat” from countries like Russia and China has become a “substantial risk,” concluding, “The sum total is that we are at critical risk at the moment.”
Cat Little, the Permanent Secretary at the Cabinet Office and Chief Operating Officer at the Civil Service, echoed these sentiments, noting that officials are “running against the tide” in their efforts to bridge the gap between the rising threat of cyber attacks and the UK’s defenses. She remarked, “To keep pace, we are working twice or even three times as hard to evolve and remain proactive, but my honest assessment is that there will always be a gap.”
These revelations came during an evidence session at Parliament’s Public Accounts Committee (PAC), which was scrutinizing the UK’s preparedness for a potentially catastrophic cyber attack. The session reviewed findings from a 2024 report by the National Audit Office (NAO), which concluded that the UK’s resilience is lacking in several critical areas.
Concerns from Security Officials
During the inquiry, Vincent Devine, head of the Government’s Chief Security Office, expressed profound concern, stating, “We should be extremely worried” because the UK has not been “as aware of the threat as we should have been,” despite recognizing the issue over ten years ago. He elaborated, “Government Departments have faced numerous demands over the past decade. We likely did not prioritize cyber security adequately, and we were not prompted by serious incidents in the way we have been in recent years.”
David Omand, former head of the Government Communications Headquarters (GCHQ), corroborated that Cabinet Office officials were justified in raising alarms about the cyber risks posed by hostile state actors. He noted, “It is all of us who will suffer from the lack of resilience in systems upon which we depend. This is equally true for known resilience gaps in the broader critical national infrastructure, which is largely controlled by the private sector, as well as our ongoing vulnerability to criminal attacks, including ransomware.” He stressed the urgent need for cybersecurity to become a priority issue for all organizations, whether public, private, or non-profit.
This comes in the wake of a marked increase in cyber warfare incidents targeting UK critical services and businesses by international criminals and hostile states. Last year, a devastating cyber attack on the National Health Service (NHS) resulted in the cancellation of over 10,000 appointments and operations. Shortly thereafter, Russian hackers targeted the UK ambulance service, endangering their communication systems. Similar threats have plagued government departments, including the Foreign Office and the Ministry of Defence. Investigations revealed these attacks were orchestrated by a Kremlin-affiliated group of cyber hackers, marking a “major escalation” in Moscow’s cyber warfare tactics.
Intelligence sources have long warned that the UK is “running blind” in terms of cyber resilience, and recent admissions from government officials have underscored the scale of this challenge.
Hostile States and Cyber Threats
As tensions in Europe escalate due to the ongoing war in Ukraine, Russia’s hybrid warfare tactics against the West have intensified. During an October address, Ken McCallum, Director General of MI5, stated that Russia is on a mission to create “mayhem” across the UK and that we should “anticipate further testing—and in some instances, defeating—of the West’s cyber defenses.” Powell informed the PAC that both Russia and China present “substantial risks” to the UK, citing significant concerns regarding espionage and data theft activities orchestrated by Russia’s main intelligence agency, the GRU, as well as disruptive actions from Chinese state actors.
Devine added that the threat landscape has “grown and evolved” over the past three years, a subtle reference to the onset of the Ukraine conflict. He noted that hostile states have rapidly developed their capabilities and become more “aggressive and reckless” in their attacks. “Previously, our main concerns revolved around the loss of government information—classic espionage—or cyber crime, which is also information-based. Now, we are increasingly worried about the potential disruption of essential services,” he stated.
A former government cybersecurity official expressed that the intent of hostile actors has always been known to change and evolve, yet there was “little preparation for that.” The official remarked, “With the situation in Ukraine, any leverage over Russian-speaking organized crime groups or state actors dissipated overnight. Three years later, and there is still no effective response.”
Recruitment Challenges in Cybersecurity
The government is struggling to compete with the private sector in a job market that offers significantly higher salaries, leading to a shortfall in cybersecurity expertise. The NAO report highlighted that skills gaps represent the “biggest risk” to the UK’s cyber resilience, with one in three cybersecurity roles in government either vacant or filled by temporary staff for the 2023-24 period. Little informed the PAC that there are “significant vacancies” across government departments and expressed her dismay at the over-reliance on contractors and external personnel.
The government has recently implemented a new digital pay framework intended to make salaries more competitive with the private sector. However, Little acknowledged that there are still “very scarce” competitive salaries in a “highly competitive market.” She stated, “We must offer better compensation. To realize our ambitions, we need both leadership and technical expertise in place.”
Legacy IT Systems and Vulnerabilities
A critical weakness in the UK’s defense against cyber attacks lies in the government’s continued use of legacy IT systems, which are outdated and lack the capacity for growth. These systems are viewed as potential vulnerabilities, as their inability to update defenses raises concerns that they could serve as backdoors into government networks for hackers. As of January, the PAC was informed that there were 319 legacy IT systems still in operation across the government, with nearly a quarter of them classified as “red-rated”—indicating the highest risk of attack, operational failure, or failure to meet departmental objectives.
Joanna Davinson, Interim Government Chief Digital Officer at the Cabinet Office, noted that nearly one-third of public sector IT is classified as legacy, with 15 percent of organizations unaware of the risks posed by their systems. Little remarked that this gap in awareness is “unacceptable,” emphasizing the need for increased funding from central government to modernize these systems. She stated, “This discussion highlights that in a period of constrained resources, the Government must prioritize decisions based on risks and the level of assurance required.”
Labour MP and PAC member Lauren Edwards urged the Prime Minister to incorporate cyber resilience into the UK’s broader defense strategy. In an interview with The i Paper, she declared, “The Cabinet Office has a significant task ahead. The international political landscape is unsettled and changing rapidly; the Government must prioritize ensuring that all departments are robust enough to withstand increasing cyber assaults from hostile nation-state actors and criminals alike. Cyber resilience must be regarded as an essential element of the UK’s defense strategy, with strong support from the Prime Minister down. An urgent priority is to attract cyber specialists to the government workforce and implement plans to cultivate these skills among our youth. While this may incur costs, the potential expense of failing to strengthen our government’s cyber defenses could be far greater in the long term.”
