UK Government Admits Flaws in Cyber Resilience Strategy, Overhauls Cyber Policy with New Action Plan

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Policy Reset: The U.K. government has acknowledged failures in its previous cybersecurity approach and launched a new Government Cyber Action Plan.
  • Centralized Accountability: A new Cyber Unit will be established to set mandatory policies and centralize accountability for cybersecurity across all government bodies.
  • Systemic Failures: The plan directly addresses long-standing issues like underinvestment in legacy IT, unclear risk ownership, and supply chain vulnerabilities.

The British government has conceded that its long-standing approach to its own cybersecurity has been insufficient, prompting the launch of a new U.K. Government Cyber Action Plan. The document, presented to Parliament, serves as a major policy reset, acknowledging that the public sector faces a "critically high" cyber risk. 

Officials warned that a previous target to secure all government organizations from known vulnerabilities by 2030 will be impossible to meet under the old framework. The plan highlights that responsibilities for cyber risk have been "unclear at all levels of government," leading to systemic failures.

New Centralized Approach to Government Digital Security

The core of the new strategy is a move away from issuing non-binding guidance toward a centralized and mandatory model. To achieve this, a Government Cyber Unit will be established by next year, which will be responsible for setting policy direction, coordinating implementation, and acting as a single point of accountability for public sector cybersecurity. 

Announced on the same day that the government’s flagship Cybersecurity and Resilience Bill (CSRB) received its second reading in Parliament, the plan also calls for an overhaul of incident response, with more centralized coordination during major events and stronger contractual cybersecurity expectations for strategic suppliers. 

Addressing Legacy IT and Technical Debt

The action plan directly confronts the challenge of "technical debt" across government departments. Decades of underinvestment have resulted in outdated and insecure legacy IT systems that are difficult to protect. 

The new strategy will focus on managing this risk by building a clear inventory of aging systems and their vulnerabilities. Furthermore, the government aims to professionalize its cyber workforce to attract and retain top talent, addressing a key capability gap. 

“I think the timing of the Government Cyber Action Plan is partly designed to mitigate some of the criticism about the majority of the public sector not being in scope of the CSRB, unlike how the European Union has included the public sector under NIS2,” said Jamie MacColl, a cyber researcher at RUSI.

Meanwhile, the U.K. Space Agency (UKSA) is exploring the use of satellite phone services, including SpaceX's Starlink, to address coverage gaps in Britain's Emergency Services Network (ESN) and is inviting interested parties to provide input.

On Monday, a cyberattack on Higham Lane School forced the school to close, taking down its telephones, email, and servers. A major security breach at NHS Professionals, revealed in June, exposed serious vulnerabilities in its systems.
