Government ‘doesn’t know how vulnerable its ancient IT systems are to cyber attack’
Government ‘doesn’t know how vulnerable its ancient IT systems are to cyber attack’
Share:
The government is unable to find out how vulnerable many of its IT systems are to a cyber attack because of their age, a report has found. Analysis by the UK’s public spending watchdog has found the cyber threat to the British government is ‘severe and advancing quickly’ – but there are ‘significant gaps’ in its resilience to such attacks.
![[LONDON, ENGLAND - NOVEMBER 23: A general view of the exterior signage at The British Library on November 23, 2023 in London, England. Rhysida, a ransomware group, has claimed responsibility for the October 31 cyber attack, leading to the leakage of employee data, including passport photos and HMRC employment records. (Photo by Leon Neal/Getty Images)]](https://metro.co.uk/wp-content/uploads/2025/01/SEI_206448652-9d62.jpg?quality=90&strip=all&w=646)
At least 228 of the IT systems used by government departments are described as ‘legacy’, meaning they are ‘ageing and outdated’, according to the report from the National Audit Office (NAO). ‘Legacy systems are often more vulnerable to cyber attack because their creators no longer update or support their use, few people have the skills to maintain them, and they have known vulnerabilities,’ it says.
![[Big Ben And House Of Parliament In Westminster Palace From Westminster Bridge In London, United Kingdom]](https://metro.co.uk/wp-content/uploads/2025/01/GettyImages-2037317979.jpg?quality=90&strip=all&w=509)
The assessment from the NAO, the UK’s public spending watchdog, aimed to work out the risk of the government falling prey to an attack of the kind that brought the British Library to its knees in 2023. Within six months of the ransomware attack, the library reported the costs directly related to it had reached £600,000. Its impacts are still felt today.
The use of legacy IT systems by the library was highlighted by the NAO as a major factor in the sheer scale of the pain inflicted by the hackers. Between September 2023 and August 2024, there were 430 incidents managed by the National Cyber Security Centre, the report said – with 89 of those assessed as ‘nationally significant’.
