A major UK government department is relying on aging technology and IT infrastructure, thereby reducing the resiliency of vital services and increasing the risk of cyber-attacks, a new report has found.
Almost a third (30%) of the applications used by the Department for Environment, Food and Rural Affairs (Defra) are unsupported, meaning their vendors no longer issue security or software updates for them, according to an investigation by the National Audit Office (NAO), the UK’s independent public spending watchdog.
Defra is the government department responsible for numerous critical environmental services, including disease prevention, flood protection and air quality. A major cyber incident could have severe societal consequences.
The NAO’s investigation concluded that while Defra is taking steps to address urgent service risks and vulnerabilities in its digital systems, “it does not have a plan for the wider digital transformation that is needed.”
In addition, the NAO noted that it was not until the government’s 2021 spending review that the department was given the necessary funding to tackle the problem in a strategic and planned way, with £366m ($445m) provided for IT investment in the period 2022-2025.
Since receiving this funding, Defra has begun making progress on tackling its most pressing digital legacy challenges. However, “the additional funds are not enough to reduce risks to an acceptable level, nor fund a broader digital transformation,” according to the NAO.
The report added that the department and its associated arm’s length bodies do not expect to have fixed their legacy systems until 2030.
The new analysis followed an investigation carried out by the NAO in July 2021, which identified IT legacy systems as one of six key areas of concern across government.
Gareth Davies, head of the NAO, commented: “Government continues to rely on many outdated IT systems at significant cost. Defra faces a particularly challenging task in replacing its legacy applications and has begun to tackle it in a structured way. The full potential of technology in improving public services and reducing cost to the taxpayer can only be accessed if this program and others like it across government are delivered effectively.”
Reacting to the news, Raghu Nandakumara, head of industry solutions at Illumio, said: “It’s concerning that a huge proportion of government systems are being left vulnerable to attack, particularly with ransomware so prevalent. But it’s also not surprising.”
He added that many large organizations carry a substantial amount of legacy infrastructure that can take a long time to retire or patch, and that in these situations it is essential that steps are taken to reduce the risk of such systems being exploited. “At a very minimum, this means limiting access to systems and services with known vulnerabilities and imposing a strategy of least privilege,” he stated.
Ed Williams, EMEA director of SpiderLabs at Trustwave, said that unsupported technology is one of the biggest security challenges for organizations currently.
“Technical debt for large complex organizations compounds year on year; every effort should be made to remove unsupported technology and to add resiliency to organizations through proper asset management, regular vulnerability scanning (both internal and external) and a robust pen test program,” he noted.
Defra has not yet responded to the NAO’s findings.