General Atomics

NAO report reveals severe cyber threat to UK government

According to a new report published by the National Audit Office (NAO), the cyber threat to UK government is severe and advancing quickly, with the public spending watchdog emphasising that government must act now to protect its own operations and key public services.


 
Image by Titima Ongkantong / copyright Shutterstock
 
The National Audit Office (NAO) evaluated whether government was keeping pace with the rapidly evolving cyber threat it faces from hostile actors.
 
It identified that the government’s new cyber assurance scheme, GovAssure, which independently assessed 58 critical departmental IT systems by August 2024, found significant gaps in cyber resilience with multiple fundamental system controls at low levels of maturity across departments.
 
At least 228 ‘legacy’ IT systems were in use by departments as of March 2024 and the government does not know how vulnerable these systems are to a cyber attack.
 
If successful, cyber attacks can have devastating effects on government organisations, public services and people’s lives. In June 2024, a cyber attack on a supplier of pathology services to the NHS in south-east London led to two NHS foundation trusts postponing 10,152 acute outpatient appointments and 1,710 elective procedures.

The British Library, which experienced a cyber attack in October 2023, has already spent £600,000 rebuilding its services and expects to spend many times more as it continues its recovery work.
 
Successive governments have been working for at least a decade to build the UK’s cyber resilience, including publishing a strategy for improving government organisations’ cyber security in January 2022.

This strategy included a target for key government organisations to be “significantly hardened to cyber attack by 2025”. Yet government has not improved its cyber resilience fast enough to meet this aim.
 
One reason for this is shortages of cyber skills within government. In 2023-24:

  • one in three cyber security roles in government were vacant or filled by temporary staff (contingent labour)
  • more than 50% of cyber roles in several departments were vacant
  • 70% of specialist security architects in post were temporary staff

Departments reported that the salaries they can pay and civil service recruitment processes are barriers to hiring and keeping people with cyber skills.
 
Other concerns include a lack of coordination within government jeopardising effective cyber defence. The respective roles of departments and organisations at the centre, such as the National Centre for Cyber Security (NCSC), are insufficiently understood. Departmental leaders have not consistently recognised the relevance of cyber risk to their strategic goals.
 
Financial pressures have also meant that some departments have significantly reduced the scope of their work to build cyber resilience, which could increase the severity of an attack when it happens. In March 2024, departments did not have fully funded plans to remediate around half of government’s legacy IT assets (53%, or 120 out of 228), leaving these systems increasingly vulnerable to cyber attack. Under-investment in technology and cyber was a key factor in the British Library cyber incident.
 
The NAO is urging the government to act now to build its cyber capabilities and defences. It recommends government:

Within the next six months:

  • develops, shares and starts using a cross-government implementation plan for the Government Cyber Security Strategy.
  • sets out how the whole of government needs to operate differently and what is needed for this transformation to be effective, so that it can achieve its goals for government cyber security and resilience.

Within the next year:

  • make and enact plans to fill cyber skills gaps in workforces.

Gareth Davies, head of the NAO said: “The risk of cyber attack is severe and attacks on key public services are likely to happen regularly, yet government’s work to address this has been slow.

“To avoid serious incidents, build resilience and protect the value for money of its operations, government must catch up with the acute cyber threat it faces.

“The government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills, strengthens accountability for cyber risk and better manages the risks posed by legacy IT.”

Nathaniel Jones, VP, AI & Security Strategy at Darktrace said: "The NAO’s findings highlight both challenges and opportunities in UK government cybersecurity. While departments are actively working to harness AI solutions, they’re also managing complex legacy IT systems that require careful attention. The findings that 58 critical systems need strengthening provides a clear roadmap for improvement.

“The Government now has an opportunity in its upcoming Cyber Security and Resilience Bill and national procurement statement to upgrade the UK’s defences for a modern age. As we enter an era where AI is compounding offensive cyber capabilities, government departments will need to fundamentally upgrade their security approaches to safely harness modern day solutions for better public services. This isn’t just about patching existing systems – it’s about building security architectures that can adapt to the future landscape."

Related

Skybus managing director leaves with immediate effect
Jonathan Hinkles, a highly experienced airline executive with over 30 years in the industry, who has stepped down from Skybus
Skybus managing director leaves with immediate effect
The unexpected departure comes just months after the airline was at the centre of the high-profile collapse of Cornwall's subsidised London Gatwick air service.
Aerospace

2 Jul 2026

London Cranfield Airport targets more business traffic with rebrand and new partnership 
Robert Abbott, CEO of London Cranfield Airport and Nick Weston of Weston Aviation
London Cranfield Airport targets more business traffic with rebrand and new partnership 
The Bedfordshire airport has joined The Collection, a network of business aviation airports coordinated by Weston Aviation as it seeks to pivot towards more lucrative customers.
Aerospace

2 Jul 2026

EasyJet launches Gatwick-Newquay route after PSO ends
easyJet Airbus A320neo
EasyJet launches Gatwick-Newquay route after PSO ends
The first service was operated on 23 June and it will continue to link the two airports on Tuesdays and Saturdays throughout the summer. 
Aerospace

2 Jul 2026

DIP decoded: What the Investment Plan means for British airpower
Royal Air Force F-35B
DIP decoded: What the Investment Plan means for British airpower
The Defence Investment Plan confirms GCAP as the anchor of future British combat air, but the wider picture includes F-35A, autonomous aircraft, AI-enabled targeting and stronger air and missile defence.
Defence Most Read

2 Jul 2026

USAF prepares to pour $4.2bn into air bases at Lakenheath, Mildenhall and Fairford
USAF at RAF Mildenhall 2
USAF prepares to pour $4.2bn into air bases at Lakenheath, Mildenhall and Fairford
The United States Air Force is reportedly preparing a $4.2bn investment programme across RAF Lakenheath, RAF Mildenhall and RAF Fairford, reinforcing the long-term role of its key UK operating bases.
Defence

2 Jul 2026

Defence Investment Plan puts UK drone delivery challenge in focus
Royal Navy Drone
Defence Investment Plan puts UK drone delivery challenge in focus
The UK's DIP allocates billions for drones, but that could be a drop in the ocean before the UK can capitalise on the drone economy.
Defence

1 Jul 2026

BAE Systems’ Endura demos radiation-hardened capability for space missions
BAE Systems’ Endura demos radiation-hardened capability for space missions
BAE Systems has successfully demonstrated the ability of its Endura system-on-chip (Soc) space processor…
Space

29 Jun 2026

BAE Systems to build high-res imagery satellites for Vantor
BAE Systems to build high-res imagery satellites for Vantor
BAE Systems has entered into an agreement to build high-resolution imaging satellite buses for Vantor, a provider of unified spatial intelligence from space to ground.
Space

25 Jun 2026

ADS appoints Matthew Reynolds as CIO
ADS appoints Matthew Reynolds as CIO
ADS Group - parent organisation of trade association ADS and Farnborough International - has appointed Matthew Reynolds as its Chief Information Officer (CIO).
Aerospace Defence Events Security ...

19 Jun 2026

Smiths Detection completes transition to CVC Capital Partners
Smiths Detection completes transition to CVC Capital Partners
Smiths Detection completes transition to CVC Capital Partners
Smiths Detection has completed its transition from Smiths Group to CVC Capital Partners (CVC), a private markets investment firm.
Aerospace Security

1 Jul 2026

Serbus acquires Westica
Serbus acquires Westica
Serbus acquires Westica
Provider of secure Critical National Infrastructure (CNI) networking and communication solutions, Serbus, has acquired Westica Communications Limited (Westica), for an undisclosed sum.
Defence Security

30 Jun 2026

CAA warns of risks posed by incorrectly packed batteries
Pack right. Safe Flight. CAA
CAA warns of risks posed by incorrectly packed batteries
Ahead of the big summer getaway where over 60 million people are expected to…
Aerospace Security

26 Jun 2026