UK’s £210 million Cyber Action Plan Addresses Endemic Failings in Securing Public Services, But Is It Enough?

January 14, 2026


The new UK cyber action plan is in motion due to a self-diagnosed “critically high” cyber risk among numerous public services, with years of poor funding leading to a swamp of legacy systems and technical debt that now impacts some 28% of all government departments. This has manifested as a series of recent and crippling attacks.

The UK’s Government Cyber Action Plan is now set to unfold over at least three years and put to use some £210 million to improve the cyber defenses of the country’s put-upon public services. But will it be enough? The plan unquestionably lays out stronger standards for both government departments and private agencies, but questions linger as to whether both the scope and funding will be adequate to the task.

UK cyber action plan comes after multiple high-level security failures

The cyber action plan exists due to a self-diagnosed “critically high” cyber risk among numerous public services, with years of poor funding leading to a swamp of legacy systems and technical debt that now impacts some 28% of all government departments. This has manifested as recent and crippling attacks on entities such as Royal Mail, the British Library, a number of city councils, the Ministry of Defence payroll, and the Foreign, Commonwealth and Development Office (FCDO) among others. The worst single incident was the attack on NHS contractor Synnovis, which led to over 100,000 delayed appointments and at least one attributed death from failure to get timely care.

The first phase of the cyber action plan commences immediately, with the establishment of a new Government Cyber Unit, led by a new Government Chief Information Security Officer, to head up national government incident response across all departments. This phase runs through April 2027 and focuses on establishing new security standards for government agencies and critical infrastructure operators. The second phase of expansion runs from 2027 to 2029, with general improvements intended indefinitely from 2029 forward.

Cyber security of public services must be dug out of a very deep hole

Despite the ongoing issues of technical debt, the UK government is quickly forging ahead with moving public services online as AI capability develops. The success of the cyber action plan may hinge on concurrent improvements in “security by design” from private partners, something directly addressed by the plan’s Software Security Ambassador Scheme. This component of the plan has already recruited major vendors such as Cisco, Palo Alto Networks and NCC Group as lead adopters of the new security standards. These standards come from a Software Security Code of Practice, which is voluntary; the hope is that it will be broadly adopted with these industry leaders getting on board early.

The cyber action plan will undoubtedly provide a benefit, but there are questions about whether it will reach the rosy government projections of £45 billion in annual savings from reduced breaches of public services. For starters, £210 million over three years simply may not be enough to fix the problem. Another issue is the underdevelopment of standards for certain areas, chiefly mobile device security and APIs; improvements here lie almost entirely under the voluntary Software Security Code of Practice. The plan does, however, involve government more directly in critical infrastructure defense and ramps up funding, something that should provide smaller and more beleaguered entities with some relief.