Features 04.02.2025

What’s Wrong with the Government’s Security Posture and How Do We Fix It?

A new NAO report reveals just how poor government cyber resilience is

Phil Muncaster asks what can be done to plug the gaping holes in visibility and resilience highlighted by a scathing new report

We knew it was bad, but not as bad as this. On January 29 the National Audit Office (NAO) released a bombshell report revealing, in gory detail, the challenges facing central government cybersecurity leaders. Blaming skills gaps and funding shortages for much of the malaise, it warns that the cyber-threat to government is “severe and advancing quickly”, urging immediate action to protect vital public services.

The spending watchdog did not pull its punches. But the gaps in cyber resilience it identifies are so pronounced that fixing them will be extremely challenging, especially with a self-imposed deadline of 2030.

A giant target

There’s no doubting the massive target central government has painted on its back. The National Cyber Security Centre (NCSC) warns of a “diffuse and dangerous” threat from hostile states as well as cybercrime groups. Hacking tools and easy-to-use pre-packaged services are freely available online, as are breached credentials, including those linked to .gov email domains. The use of generative AI tools to upskill threat actors in penetration testing, together with innovative new techniques such as IT impersonation, is already accelerating attacks and improving outcomes for adversaries.


This matters for central government in particular, given the huge number of citizens that rely on public services. The NAO report cites NCSC figures claiming that 40% of incidents managed by the agency between 2020 and 2021 targeted the public sector. Breaches at NHS provider Synnovis and the British Library show the devastating impact and cost these can have.

Yet despite the ambition outlined in the Government Cyber Security Strategy: 2022–2030, plans appear to have languished under the previous administration.

What’s gone wrong?

The headline-grabbing part of the report is all about visibility and resilience, and the work of the Government Security Group (GSG) – the Cabinet Office body that oversees central government security. It claims that a 2023-24 assessment by the government’s new cyber assurance scheme, GovAssure, found that 58 critical departmental IT systems had “significant” gaps in cyber resilience, creating “extremely high” risk.

“The data highlighted multiple fundamental system controls that were at low levels of maturity across departments including asset management, protective monitoring, and response planning,” the report notes. “GSG reported to ministers the implication of these findings: the cyber-resilience risk to government was extremely high.”

Edwin Weijdema, EMEA field CTO at Veeam, argues that asset management, protective monitoring and incident response planning are three “interconnected pillars” vital to cybersecurity.

“If you don’t know about it, you can’t secure it – so a thorough asset inventory is the first step to knowing exactly what needs protection,” he tells Assured Intelligence.

“Once you have this visibility, protective monitoring of those assets provides real-time detection of suspicious activity, helping to prevent small issues from turning into major breaches. Finally, a robust response plan ensures you’re ready to recover quickly when incidents occur, turning potential chaos into controlled chaos with a smaller blast radius and much less damage tied to it.”


According to the NAO, the GSG also failed to include legacy IT systems in the GovAssure audit because many of its recommended controls were apparently not applicable to such technology. That has unwittingly created a significant visibility gap at the heart of government.

“In March 2024, departments reported using at least 228 legacy IT systems. Of these, 28% (63 of 228) were red-rated as there was a high likelihood and impact of operational and security risks occurring,” the NAO report notes.

Other critical cybersecurity challenges and failings highlighted by the NAO include:

  • Until April 2023, the government did not collect “detailed, reliable data” about the cyber resilience of individual departments
  • The government has not improved cyber resilience quickly enough to meet its aim to be “significantly hardened” to cyber-attack by 2025
  • Departments still find it difficult to understand the roles and responsibilities of the cyber-related bodies at the centre of government
  • GSG has no effective mechanisms in place to show whether its approach to government cybersecurity is effective, or even a plan to make government organisations cyber resilient by 2030

The NAO also slams individual departments for failing to meet their responsibilities to improve resilience. It claims that leaders “have not always recognised how cyber risk is relevant to their strategic goals” and that boards often don’t even include any members with cyber expertise.

James Morris, CEO of the non-profit Cybersecurity and Business Resilience Policy Centre (CSBR), argues that there’s plenty to be done.

“Cyber resilience needs to be hardwired into the processes of central government departments and made a priority for their core strategic and operational work,” he tells Assured Intelligence.

“It should also be identified as a core strategic priority for ministers and senior civil servants. Each department should identify where skill gaps are putting resilience at risk and plans should be put in place to improve cyber resilience skills among existing staff.”

Too few skills, not enough money

However, at the heart of the problem appear to be both money and talent. A cyber directorate set up by the GSG to lead cybersecurity improvement across government apparently had 32% of posts unfilled when first established. In 2023-24, a third of security roles in central government were either vacant or filled by temporary staff, with the share of vacancies in several departmental security teams over 50%.


“There are only two real options: increase the supply of cybersecurity skills, or recognise that market rates are what they are for cybersecurity skills, and pay them. Better still, do both,” says Ian Stretton, director at consulting firm Green Raven Limited. “But these are long-term fixes that will take years to effect.”

Attracting talent is made harder when departments must compete with deep-pocketed private sector organisations for a limited number of skilled professionals. The government announced in 2021 a £2.6bn funding boost for cyber, of which it apparently allocated £1.3bn to departments for cybersecurity and legacy IT remediation. However, since 2023, departments have “significantly reduced” the scope of improvement programmes, the NAO says. As of March 2024, departments did not have fully funded plans to remediate around half of the government’s legacy IT assets.

How to sort out this mess

In the absence of funding, it will be a tough ask to meet the recommendations set out by the NAO (see boxout). However, it is possible, according to the experts Assured Intelligence spoke to.

“Central government departments can boost cyber resilience – even in the face of legacy IT – by focusing on three core principles: speed, skills and accountability,” argues Veeam’s Weijdema.

“Speed in detection is crucial because the sooner you spot a breach, the less time attackers have to move laterally, exfiltrate data or disrupt critical services. Continuous log monitoring, threat intelligence feeds, and anomaly detection tools should be in place to catch potential intrusions in near real-time. Equally important is the ability to respond swiftly. Well-defined processes and empowered teams prevent small issues from escalating into large-scale crises.”

Government must also recognise the high demand for security professionals and pay competitive salaries, as well as offering clear career progression, and investing heavily in training to plug the skills gap, Weijdema adds. Security teams should be held accountable for the outcomes of the measures they take, he says.


“Finally, regular drills and exercises – like red-team attacks or simulated breaches – will help to instil a culture of digital emergency response,” Weijdema continues. “Just as physical first responders train constantly for disasters, a cyber workforce should practice containing threats under realistic conditions. Such exercises refine tactics, highlight weaknesses and foster collaboration.”

Green Raven’s Stretton agrees that government must find the money to compete with the private sector on salaries, but warns that this alone will not be enough.

“Even if there were enough cybersecurity professionals to go around, current cyber-defence strategies revolve around building higher and higher walls. But this isn’t a sustainable approach to cybersecurity, and cyber pros know it,” he tells Assured Intelligence.

“The problem is the world is still thinking about cybersecurity like medieval monarchs used to think about castles: just dig deeper ditches and build higher ramparts and it’ll be fine. Instead, we need to get smarter and focus defensive resources on where we know they are going to be needed.”

By making the most of AI-powered cyber-threat intelligence, government bodies can get back on the front foot against their adversaries, Stretton argues.

“Rather than constantly reacting to general threats, knowing who is coming after your organisation, and with what ‘weapons’, means you can remove the blindfold and react to what poses the greatest threat,” he says. “It’s analogous to how the security services work: there aren’t enough of them to keep us safe by sheer force of numbers, so they use sophisticated intelligence-gathering to pre-empt attacks and intercept attackers.”

The fact that the NAO report has been published at all is a positive sign. It signifies the new government’s recognition of the growing cyber-threat facing Whitehall, and its desire to achieve key parts of the 2022–2030 strategy by the end of the year. However, whether it can match this ambition with results remains to be seen.
