The Cabinet Office is set to miss its targets for the UK government to be “cyber resilient” by the end of 2025, and needs to do more to strike the right balance between supporting departments, holding them to account, and doing more from the centre of government, a Public Accounts Committee (PAC) report has concluded.
In the report, Government cyber resilience, published today (9 May 2025), the cross-bench PAC presented a mixed picture of its findings. On the positive side, it praised the Cabinet Office for taking steps to independently verify the resilience of critical IT systems in government departments.
However, it also said this exercise had revealed that in general, resilience is much lower than expected, with many systems containing fundamental weaknesses.
A July 2024 assessment of 72 critical systems at 35 departments identified significant cyber resilience gaps, with multiple control failures in risk management and incident response planning, and although this was an improvement on the past situation, the PAC said more should have been done quicker. In particular, it again lamented the reliance on self-assessment to identify at-risk, legacy assets – a point raised during expert testimony in March.
“We find it alarming that risky legacy IT systems – which the Department for Science, Innovation and Technology (DSIT) estimated make up 28% of the public sector’s IT estate – have not undergone a similarly independent assessment,” said the PAC, which is chaired by Geoffrey Clifton-Brown, MP.
“We recognise that the size and complexity of the public sector, and its supply chains, make it challenging for government to manage cyber risk. However, it is unacceptable that the centre of government does not know how many legacy IT systems exist in government and therefore cannot manage the associated cyber risks.”
Additionally, government departments have not done enough to prioritise cyber security, a situation not helped by a lack of clear guidance from the Cabinet Office. Across Westminster, various bodies are underestimating the severity of the threat, and their decisions are not reflecting the urgency of the issue. The report calls for all departments to do more to ensure security leaders are involved at senior management and decision-making levels.
“Looking forward, the Cabinet Office will not meet its target for government to be cyber resilient by the end of 2025. The Cabinet Office is aware that helping the wider public sector be cyber resilient by 2030 will require government to take a fundamentally different approach,” the report said.
The PAC added that the Cabinet Office was on the right path and learning from the experience of others, and the MPs said they looked forward to greater transparency with regard to overall progress on cyber resilience.
Better pay please
The committee’s report went on to criticise the government for being “unwilling to pay” the salaries needed to hire the right cyber security professionals into Whitehall, and noted that although the government has increased its wider digital workforce to approximately 23,000 people, one in three cyber security roles are either going unfilled, or are being performed by third-party contractors.
“Experience suggests government will need to be realistic about how many of the best people it can recruit and retain,” said the report.
“This includes the need for departments to have digital and security leaders on their most senior boards. Many departments have not understood the severity of the cyber threat or done enough to prioritise cyber security.”
Not keeping up
In general, the PAC report found that government has not kept up with the gathering cyber threat to the UK from hostile foreign states and financially-motivated criminals, exemplified by incidents such as the 2023 ransomware attack on the British Library, the 2024 incident at NHS supplier Synnovis, and more recently, the ongoing cyber attacks affecting UK supermarkets. There is now a significant gap between the extent of the threat and the government’s response to it.
The committee also identified more risks in government supply chains, where insufficient funding, staff, and oversight mechanisms mean that third-party incidents risk cascading into the public sector – as the Synnovis incident showed, where thousands of hospital appointments had to be cancelled after the attack disrupted the pathology services provider.
The report called for the Cabinet Office to set out what levers and instruments it now plans to take to manifest a new approach to cyber resilience, following the conclusion of the 2025 Spending Review.
The National Cyber Security Centre warned earlier this week that a divide will emerge over the next two years between organisations that can keep pace with cyber threats enabled by artificial intelligence and those that fall behind.
