The UK today launched its Government Cyber Action Plan, committing £210 million to strengthen defenses for digital public services and to hold departments to the same cybersecurity requirements as critical infrastructure operators.
KEY FACTS
- Funding: £210 million committed
- New unit: Government Cyber Unit led by the UK CISO
- Estimate: up to £45 billion saved annually across public sector
- Requirements: departments to meet same security rules as cloud and critical infrastructure operators
The package will establish a Government Cyber Unit overseen by the Department for Science, Innovation and Technology and will create a dedicated Government Cyber Profession elevated from the current Government Security Profession. The unit is tasked with improving risk identification, incident response and recovery capabilities.
A National Audit Office report found that 58 of 72 critical IT systems reviewed across central government contained multiple fundamental system controls at low levels of maturity. Ministers were also advised that government security risk is extremely high and that auditors identified at least 228 legacy systems in March 2024, 28 percent of which were flagged as having a high likelihood of operational and security risks.
DSIT also launched a Software Security Ambassador Scheme to drive adoption of its Software Security Code of Practice. Initial ambassadors include Cisco, NCC Group, Palo Alto Networks, Sage and Santander; they will champion secure development practices and contribute to future policy.
The announcement follows recent security failures, including an October intrusion confirmed at the Foreign Office and a major breach at the Legal Aid Agency in April. Digital minister Ian Murray warned that “Cyberattacks can take vital public services offline in minutes” and described the plan as raising the bar on public sector cyber defences.
“£210 million sounds impressive until you remember the Jaguar Land Rover hack cost 0.5 percent of GDP,” said Colette Mason, author and consultant. “You can’t secure a leaky bucket by pouring in more money if you haven’t mapped and patched every crack first.”
“The challenge extends beyond funding to legacy infrastructure and fragmented estates,” said Craig Wentworth, principal analyst.
WHY IT MATTERS
The plan centralises cyber capability and applies uniform security requirements to government departments, aiming to reduce disruption to public services. Its success will depend on the new unit’s ability to address legacy systems and deliver measurable remediation across the estate.

