UK government admits years of cyber policy have failed, announces reset
In an unusually candid admission on Tuesday, the British government acknowledged that its years-long approach to its own cybersecurity was flawed and warned it will be impossible to meet a previous target of securing all government organizations from known cyber vulnerabilities and attack methods by 2030.
Describing numerous failures in how Whitehall currently defends its own digital systems, the government presented a new Government Cyber Action Plan as a major policy reset to protect public services. It comes ahead of a relaunched national cyber strategy, which will be called a National Cyber Action Plan, to be published later this year.
The document was presented to Parliament by the Department for Science, Innovation and Technology (DSIT) and concedes that the current system of accountability has left much of the British government vulnerable to cyberattacks, with responsibilities for risk “unclear at all levels of government,” including across the supply chain.
“To protect our critical national infrastructure, defend public institutions and maintain public confidence in essential public services, we must achieve a radical shift in approach and a step change in pace,” states the action plan. It warns the public sector is facing a “critically high” cyber risk despite years of work on improving its resilience to attacks and outages.
Those risks are “not hypothetical,” the government stated, but “recurring realities that result in service breakdown [and] harm to the public,” describing incidents such as the ransomware attack on Synnovis — which contributed to at least one patient’s death — as symptoms of systemic failures to tackle the challenge.
A powerful ‘Government Cyber Unit’
At its core, the government describes the new approach as a move away from the previous focus on providing nonbinding guidance to public sector authorities. Under the new action plan it will instead advance a more centralized and mandatory model for cybersecurity, with a new Government Cyber Unit established by next year that will sit above all government organizations to set policy direction, coordinate implementation activities and provide a single point of accountability.
An overhaul of incident response is also being planned, with more centralized coordination during major cyber events, regular cross-government exercises and better preparation for large-scale disruptions.
Strategic suppliers to government will face stronger contractual expectations around cybersecurity, reflecting the government’s assessment that third-party vulnerabilities pose a growing threat to public services.
Following ridicule over a job listing in 2023 that was perceived to be dramatically underpaid, the government also announced a new Government Cyber Profession to attract and retain better talent.
Joe Jarnecki, a cyber research fellow at RUSI, said the move should be welcomed as something “that will likely increase the attractiveness of government cybersecurity roles,” although he cautioned “government will not be able to match private sector salaries.”
Jarnecki said: “Given that this is an implementation plan for what could or should have been an internal strategy, why is this a public document? I do think transparency should be welcomed, but the question I would ask is who is this for?”
MPs moving on legislation
The plan is announced on the same day that the government’s flagship Cybersecurity and Resilience Bill (CSRB) receives its second reading in Parliament. The second reading is the first opportunity for MPs to debate the basic premise of the legislation, and among the most relevant criticisms of the bill is the suggestion that it would establish a two-tier system between the obligations on private sector companies and those on public sector entities operating essential services.
Jamie MacColl, a cyber research fellow at RUSI, said: “I think timing of the Government Cyber Action Plan is partly designed to mitigate some of the criticism about the majority of the public sector not being in scope of the CSRB, unlike how the European Union has included the public sector under NIS2.”
According to the action plan, senior leaders in government will be held responsible for cyber outcomes rather than being allowed to treat security as a purely technical issue — an attempt to answer the criticism about the public sector being held to a lower standard than others.
Under the current draft of the CSRB, there are stronger and more enforceable obligations on private sector entities than there are on public sector ones, including fines and regulatory sanctions. The EU’s comparable legislation, NIS2, does not feature such a separation.
MacColl told Recorded Future News it wasn’t clear how the pledge regarding senior leaders being held to account would be upheld: “Personally, I don’t see the action plan addressing those specific criticisms. In my reading, there are no meaningful enforcement mechanisms if government departments and agencies aren’t meeting the standards the action plan sets out.”
A legacy of failure
Cyberthreats have escalated far more quickly than the government’s own defenses. State-backed actors and organized criminal groups are described as increasingly sophisticated, while the government’s capability to keep them out has struggled to keep pace.
Last year, the head of Britain’s cyber and signals intelligence agency GCHQ, Anne Keast-Butler, warned that the country was grappling with the most “contested and complex” threat environment in decades, noting there were four times as many attacks last year as in the year before.
The underlying problem for British government departments and agencies in trying to defend themselves is their reliance on legacy technology, stated the action plan, acknowledging a report by the National Audit Office which last year warned of the dire state of government IT infrastructure.
According to the new document, decades of underinvestment have left departments running outdated systems that are difficult or impossible to secure to modern standards. This “technical debt” has accumulated faster than it has been addressed, increasing vulnerability year after year.
The plan is not a program of mass replacement but instead attempts to manage the risk by ensuring the government has visibility and understanding of its own critical digital assets, including by building a clear inventory of aging systems and their vulnerabilities across government departments and agencies.
“The big unsaid part of this is funding,” said MacColl. “Going back to the National Audit Office report from last year, this is an IT problem as much as it’s a cybersecurity problem.
“It’s a fact that there’s not enough funding to replace legacy IT infrastructure, and having a cybersecurity action plan is not going to be the thing that fundamentally addresses that. Unless there’s more funding, I think there’s a limit to what the Cabinet Office or DSIT can do to drive up standards across the public sector.”
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.