Earlier this week I published a positive article about the government announcement regarding a £210 million investment in a ‘Cyber Action Plan’. But after admitting numerous failures in how Whitehall currently defends its own digital systems, the cracks started to show.
It all looked good on the surface, but when I dug deeper, the realisation of what has actually been happening for years before this announcement leaves much to be desired.
The document was presented to Parliament by the Department for Science, Innovation and Technology (DSIT) and concedes that the current system of accountability has left much of the British government vulnerable to cyberattacks, with responsibilities for risk “unclear at all levels of government,” including across the supply chain.
“To protect our critical national infrastructure, defend public institutions and maintain public confidence in essential public services, we must achieve a radical shift in approach and a step change in pace,” states the action plan. It warns the public sector is facing a “critically high” cyber risk despite years of work on improving its defences.
Why has this happened, and how can it be in such a mess? Money! Yes, here we go again: short-sighted stupidity from governments has starved investment in the infrastructure that is the foundation of our government’s defences against cyber attacks.
Chronic Lack Of Investment
Cyberthreats have escalated and are increasing in sophistication, whilst government capability has struggled to keep pace.
Last year, the head of Britain’s cyber and signals intelligence agency GCHQ, Anne Keast-Butler, warned that the country was grappling with the most “contested and complex” threat environment in decades, noting there were four times as many attacks last year as in the previous year.
But what were they expecting? They clearly were not geared up to cope, and should have been. The underlying problem for British government departments and agencies in trying to defend themselves is their reliance on legacy technology, stated the action plan, acknowledging a report by the National Audit Office which last year warned of the dire state of government IT infrastructure.
According to the new document, decades of underinvestment have left departments running outdated systems that are difficult or impossible to secure to modern standards. This “technical debt” has meant they have fallen farther and farther behind, leaving government systems more and more exposed.
But instead of mass replacement, the approach is to stick a patch on the problem and ignore the desperate need to invest properly in the infrastructure. The plan is risk management: ensuring the government has visibility and understanding of its own critical digital assets.
What could go wrong? Risk management is exactly what it says. It’s a form of sticking your fingers in your ears and hoping you don’t hear anything go wrong. Cyber criminals have more and more advanced tools available to them, AI being an extremely useful tool in their armoury. The government is being attacked 24/7, and cyber criminal organisations would love nothing more than to breach our national security and cause havoc; patching the problem is a weak and ridiculous solution.
Jamie MacColl, a cyber research fellow at RUSI, said: “The big unsaid part of this is funding. Going back to the National Audit Office report from last year, this is an IT problem as much as it’s a cybersecurity problem.”
“It’s a fact that there’s not enough funding to replace legacy IT infrastructure, and having a cybersecurity action plan is not going to be the thing that fundamentally addresses that. Unless there’s more funding, I think there’s a limit to what the Cabinet Office or DSIT can do to drive up standards across the public sector.”
In other words, there are not just cyber security issues but fundamental problems with the basic infrastructure. A chain is only as strong as its weakest link, and there are numerous weak links in the government chain.
Opinion
Here we go again! Years of lack of government investment, no real structured plan, and patching an open wound is the only ‘plan’ they have, with the clear lack of funds eroding their systems to the point where quick upgrades aren’t even possible because the equipment is so old and outdated.
How can a major world government that keeps spouting about how technologically advanced it is, and wants to be a world leader in AI, be so fundamentally flawed in its approach?
I don’t think the solution is to throw billions of pounds at the problem; this would lead to all sorts of wrongly targeted investment and a huge amount of government money thrown away.
Going back to the chain analogy, start with the fundamentals: find the weakest links, strengthen them and build up from there. This would mean a much greater investment over a longer period of time; it would also mean the weaknesses become fewer and the threats decrease.
Now that’s a logical, sensible plan to move forward and slowly become a fortress against the cyber criminal organisations banging on our walls. So that won’t happen; patching will continue and the weaknesses will continue to be exposed.




















