Spending watchdog blasts UK govt over sloth-like progress to shore up IT defenses

The UK government is significantly behind on its 2022 target to harden systems against cyberattacks by 2025, with a new report from the spending watchdog suggesting it may not achieve this goal even by 2030. As part of the Government Cyber Strategy 2022, the UK government pledged to have its critical functions markedly more …

  1. Guy de Loimbard Silver badge

    If they want to take action

    They could do so.

    I suspect, much as the article alludes to, that HMG IT infrastructure is so convoluted, with disparate systems aplenty, that there is no real quick answer here.

    The fact that they've used external reviewers, rather than continuing to self-assure, is very much a step in the right direction.

    Legacy systems, and there are a lot of those in HMG, can be protected, but only if you truly understand the risk.

    Not everything needs to be upgraded to provide security; however, if you can identify the risk(s), you can likely install the necessary compensatory controls, to good effect, without having to get rinsed by the Big 4 to tell you there's a problem without addressing it.

    Which is probably what's going to happen next!

    I'd happily help them on this quest, but I doubt HMG even thinks to look into the pool of experts on El Reg and elsewhere, as we probably didn't go to the right school!

  2. amanfromMars 1 Silver badge

    Re: governments failing to protect themselves against resilient cyberattacks[ers]

    What part of "defending the indefensible is impossible" is not understood?

  3. PCScreenOnly

    And digital IDs, here we come

    and starting with driving licences...

    Easy data grabbing for whoever

  4. DJV Silver badge

    Air gap

    The first thing that needs to be done is to immediately air-gap anything that doesn't need to be networked or public-facing. Those remaining then need to be investigated and resolved with high priority. Everything else can either stay air-gapped or only be returned to full access once fully evaluated and any shortcomings fixed.

    It shouldn't take them more than a couple of centuries...

    1. Martin M

      Re: Air gap

      The problem with this idea is that almost everything created since the early nineties if not earlier does need to be networked.

      You can try to separate “internal facing” from “public facing”, but you’ll quickly find that at least some of the important public facing services need to connect to the internal services, at which point you no longer have an air gap.

      In any typical enterprise, even working out what the services are, which need to be internal and external, and what connects to what takes time. In one very large and systemically important company I worked with briefly, they had been warned that their main data centre was unacceptably flammable, to the extent that it was uninsurable. A power incident had shown there wasn't working DR for the most basic services. They had two lists of critical services (each around 1000, from simple infrastructure to e.g. multiple out-of-support SAP instances, barely understood but highly interconnected custom mainframe services, and modern customer portals) that they thought might be running in it. These lists overlapped by only about 40%, partly due to inconsistent system naming, yet were still incomplete.

      It took six weeks of intensive effort for a four-person team with a wide remit to talk frankly to anyone in business, IT or suppliers to get to a point where we had even a basic understanding of what was running, who was using it, and how important it was to them. We didn't even try to figure out the integration picture (person-years of effort) and just used horribly crude assumptions to put a very approximate number (over £100m) to the board to kick off what turned out to be a five-year remediation programme to procure three new datacentres, network and computer infrastructure, carry out proper analysis on and migrate or demise services without causing outages worthy of newspaper headlines. The last two were the hard bits.

      This was a while back, but these problems never die as IT rots over time. Never underestimate how poorly legacy IT is understood, and how difficult it is to touch.

      1. Roland6 Silver badge

        Re: Air gap

        The real problem has been the focus on continuous updates and cloud, and the decision that GCloud wasn't really a private in-house cloud but just a cloud hosted on public cloud.

        Before this, with in-house systems, the mechanisms for secure linkage of web servers to backend systems were well known and understood; plus, being in house, those backend systems really were behind firewalls etc. with no publicly exposed ports.

  5. Pascal Monett Silver badge

    All those reports and they still can't get it right

    It would seem that there is a wealth of knowledge about what is insufficient, and no drive to correct the issue.

    I guess it's normal: civil servants are there to generate reports, not work, and ministers are certainly not there to stick their necks out and take risks (cf. Yes Minister).

  6. Doctor Syntax Silver badge

    "Sure, the pension contributions are sizeable"

    If that's so it's a big change since my day. It worked like this: there were no deductions as such, but the salary was reduced by what was supposed to be the equivalent amount. The notional deductions were not invested in a fund, as the Civil Service pension scheme was, and presumably still is, in essence a Ponzi scheme. The scheme was a final salary scheme paying 1/80th of final salary for each year's service (I left for a 1/160th scheme), with, of course, the salary reduced by the notional contribution amount.

    The public perception was that Civil Service pensions were gold-plated. True, gold-plating is used to make cheap look good. They certainly weren't solid gold.

    I'd advise anyone thinking of applying for any of these posts to look very carefully at what's offered - you'll be dealing with rip-off merchants.

  7. Tron Silver badge

    That was a world beating pledge.

    We will be making another world beating pledge in response to this report, after a period of 4 years consultation.

    A number of government systems are actually outsourced to the French. I'm sure they are very good at national security and data integrity, so they will be fine. I'm sure no one ever has a bad word to say about our other fine partners, either, such as Fujitsu and Oracle.

    As for legacy systems (we prefer to call them 'mature platforms'), our banks and universities use the very latest releases of COBOL and Fortran. I will admit that we have had trouble sourcing parts since the sanctions with Russia came in, as most of our spare parts came from there. Suffice to say that a huge new factory run by world beating start up British Valve will be coming on stream in 2027, and normal supply will resume.

    I would also point out that public sector staff are not underpaid. Private sector staff are overpaid.

    1. cyberdemon Silver badge

      Re: That was a world beating pledge.

      > Private sector staff are overpaid.

      The execs, senior manglement and shareholders are overpaid. The actual staff get a tiny fraction of the hourly rate charged to the government by their bosses.

  8. Horizontal

    No surprise...

    I'm not surprised when they keep on using Oracle. You've only got to look at the shambles that Birmingham City Council and Oracle have made of their IT system.

  9. david willis

    Spending watchdog blasts UK govt over sloth-like progress to shore up IT defenses

    Blasts... Hmmm

    They make a few pertinent points, but by and large, to quote a politician, "savaged by a dead sheep"?

  10. EnviableOne

    Not a Skills Gap

    It's there in black and white: the skills are there, and the gap is that the gov expects them to work for less than they are worth.

    While there are a few charitable individuals who are prepared to take the lower remuneration in exchange for helping society as a whole, the rest of us value the struggle needed to get to a level where we can help, and need appropriate recompense for the added stress and threat that come with a high-profile role, and for the chance that, even though there are external audits now, the problems are somewhat systemic and need an organisational overhaul beyond the remit of the role.
