Defra's legacy software problem 'threatens' UK gov cyber security until 2030 – IT PRO

Almost a third of the applications used by the UK government's Department for Environment, Food, and Rural Affairs (Defra) have gone end of life (EOL), leaving the UK's public sector vulnerable to cyber attacks.
A National Audit Office (NAO) report has found that while the department is focused on digital services, it has no plan in place to replace the outdated and risky software, which comprises 30% of all the department's software.
Defra itself has estimated that 76% of its total digital, data, and technology spend is funnelled into maintaining these legacy systems.
Defra has spent over a decade attempting to remediate its legacy applications issue but did not receive adequate funding to do so until the 2021 Spending Review. This allocated £366 million for digital investment between 2022 and 2025. Under current plans, legacy systems will not be totally fixed until 2030.
Legacy software is a cyber security risk because an end-of-life application no longer receives any kind of support from its original developer, including security updates.
That gives an attacker ample time to develop an exploit for a vulnerability in any of these legacy applications. Exploiting a supported product, by contrast, is time-sensitive, since vendors often patch vulnerabilities before exploits can be developed.
The NAO also stated that the department still falls far short in its digital transformation strategy. It believes the funds are insufficient to reduce the current risk to an “acceptable level”, let alone expand digital transformation across the department.
This is a current pain point, as the department still performs only a third of its 21 million yearly customer transactions digitally.
To achieve a successful digital transformation, the NAO further advised government departments to develop a strategy that puts digital and data considerations at its foundation. In 2021, the NAO stated that there is a “consistent pattern of underperformance” across 25 years of government digital programmes.
Defra is the department within the UK government responsible for the protection of the environment, as well as the food, farming and fishing industries. A great deal of the department’s work relies on digital services, including its duties in disease prevention, maintaining air quality, and overseeing flood defences.
“Government continues to rely on many outdated IT systems at significant cost,” said Gareth Davies, the head of the NAO.
“Defra faces a particularly challenging task in replacing its legacy applications and has begun to tackle it in a structured way.
“The full potential of technology in improving public services and reducing cost to the taxpayer can only be accessed if this programme and others like it across government are delivered effectively”.
As the independent parliamentary body responsible for scrutinising public spending on behalf of Parliament, the NAO has a track record of putting a spotlight on failures in government digital strategy.
In October, it found that the digital projects within the Ministry of Defence (MoD) are undermined by a severe lack of tech skills, and it has also exposed poor data practices within departments such as HMRC, the ONS and the Department for Business.
Poor maintenance of essential applications, or the continued use of applications no longer supported by developers, can present a serious security risk, especially if the applications contain zero-day vulnerabilities.
“This sprawl of applications raises questions about software supply chain risk,” said Michael White, technical director and principal architect at the Synopsys Software Integrity Group.
“Any application selected by IT will likely undergo extensive due diligence, but so-called shadow IT or grey IT projects may skirt this scrutiny – either directly, or via sub-components and platforms which they rely on. 
“This could also include open source components which either accidentally or deliberately contain vulnerabilities or malicious code. As the report identifies, responsibility for applying security patches for these ‘orphan’ applications may also pose an organisation-level risk when considering events such as the well-known log4j vulnerability which occurred last year.”
In the US, the Cybersecurity and Infrastructure Security Agency (CISA) last year put in place a mandatory patching programme, requiring government agencies to patch identified exploited vulnerabilities within two weeks. The agency keeps a curated catalogue of vulnerabilities that have been exploited in the wild.
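An added example, not code from the article or the NAO report, of the kind of check the two findings above invite: an application inventory scored for end-of-support share and for 'orphan' apps with no patching owner, then matched against an exploited-vulnerability catalogue using the two-week deadline CISA's programme describes. The inventory, catalogue entries and CVE identifiers are constructed placeholders, not real data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
TODAY = date(2022, 12, 1)          # fixed 'today' so the run is repeatable
PATCH_WINDOW = timedelta(days=14)  # the two-week deadline the article describes
@dataclass(frozen=True)
class App:
    name: str
    product: str
    owner: Optional[str]           # None models an 'orphan' app nobody is responsible for patching
    support_ends: Optional[date]   # vendor end-of-support date; None means still supported
@dataclass(frozen=True)
class KevEntry:
    cve: str      # placeholder IDs only, not real CVEs
    product: str
    added: date   # date the exploited vulnerability entered the catalogue

# Constructed sample estate and catalogue: not Defra's inventory and not the real CISA catalogue.
INVENTORY = [
    App("grants-portal", "webfw", "digital-team", None),
    App("flood-telemetry", "scada-suite", "ops", date(2019, 6, 30)),
    App("air-quality-db", "legacy-dbms", None, date(2020, 1, 31)),
    App("lab-lims", "lims", "science", date(2021, 12, 31)),
    App("hr-intranet", "cms", "corporate", None),
    App("fishing-licences", "webfw", "digital-team", None),
    App("mapping-gis", "gis", "ops", date(2030, 1, 1)),
    App("payroll", "erp", "finance", None),
    App("field-survey", "mobile-kit", None, None),
    App("vet-records", "cms", "apha", None),
]
KEV = [
    KevEntry("CVE-0000-0001", "legacy-dbms", date(2022, 11, 1)),  # overdue, product unsupported
    KevEntry("CVE-0000-0002", "cms", date(2022, 11, 25)),         # still inside the window
    KevEntry("CVE-0000-0003", "webfw", date(2022, 10, 1)),        # overdue, product still patchable
]
def is_eol(app, today=TODAY):
    return app.support_ends is not None and app.support_ends < today
def eol_share(apps, today=TODAY):
    """Fraction of the estate whose vendor support has ended (the measure behind the NAO's 30%)."""
    return sum(is_eol(a, today) for a in apps) / len(apps) if apps else 0.0
def orphans(apps):
    """Apps with no named patching owner: nobody is positioned to act on a catalogue deadline."""
    return sorted(a.name for a in apps if a.owner is None)
def overdue_kev(apps, kev, today=TODAY):
    """(app, cve, unsupported) for entries past deadline; an unsupported product gets no patch."""
    overdue = [e for e in kev if e.added + PATCH_WINDOW < today]
    return sorted((a.name, e.cve, is_eol(a, today))
                  for e in overdue for a in apps if a.product == e.product)
```

Entries flagged with `unsupported` set to True are the ones where waiting for a vendor fix is not an option, so they need mitigation or replacement rather than a patch ticket.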
ITPro is part of Future plc, an international media group and leading digital publisher. Visit our corporate site
© Future Publishing Limited, Quay House, The Ambury, Bath BA1 1UA. All rights reserved. England and Wales company registration number 2008885