Defra's legacy software problem 'threatens' UK gov cyber security until 2030

Thérèse Coffey, Secretary of State for Environment, Food and Rural Affairs, walking with a red binder under her arm
(Image credit: Getty Images)

Almost a third of the applications used by the UK government's Department for Environment, Food, and Rural Affairs (Defra) have gone end of life (EOL), leaving the UK's public sector vulnerable to cyber attacks.

A National Audit Office (NAO) report has found that while the department is focused on digital services, it has no plan in place to replace the outdated and risky software which accounts comprises 30% of all the department's software.

Defra itself has estimated that 76% of its total digital, data, and technology spend is funnelled into maintaining these legacy systems.

Defra has spent over a decade attempting to remediate its legacy applications issue but did not receive adequate funding to do so until the 2021 Spending Review. This allocated £366 million for digital investment between 2022 and 2025. Under current plans, legacy systems will not be totally fixed until 2030.

Legacy software is a cyber security risk because it means the application no longer receives any kind of support from the original developer, including security updates.

It means a hacker has ample time to develop an exploit for a vulnerability in any of these legacy applications. Trying to exploit a supported product is time-sensitive since vulnerabilities are often patched by the vendor before exploits can be developed.

The NAO also stated that the department still falls far short in its digital transformation strategy. It believes the funds are insufficient to reduce the current risk to an “acceptable level”, let alone expand digital transformation across the department.

This is a current pain point, as the department still performs only a third of its 21 million yearly customer transactions digitally.

To achieve a successful digital transformation, the NAO further advised government departments to develop a strategy that puts digital and data considerations at its foundation. In 2021, the NAO stated that there is a “consistent pattern of underperformance” across 25 years of government digital programmes.


Getting board-level buy-in for security strategy

Why cyber security needs to be a board-level issue


Defra is the department within the UK government responsible for the protection of the environment, as well as the food, farming and fishing industries. A great deal of the department’s work relies on digital services, including its duties in disease prevention, maintaining air quality, and overseeing flood defences.

“Government continues to rely on many outdated IT systems at significant cost,” said Gareth Davies, the head of the NAO.

“Defra faces a particularly challenging task in replacing its legacy applications and has begun to tackle it in a structured way.

“The full potential of technology in improving public services and reducing cost to the taxpayer can only be accessed if this programme and others like it across government are delivered effectively”.

As the independent parliamentary body responsible for scrutinising the public spending of Parliament, the NAO has a track record of putting a spotlight on failures in government digital strategy.

In October, it found that the digital projects within the Ministry of Defence (MoD) are undermined by a severe lack of tech skills, and has exposed poor data practices within departments such as HMRC, the ONS and Department for Business.

Poor maintenance of essential applications, or the continued use of applications no longer supported by developers, can present a serious security risk, especially if the applications contain zero-day vulnerabilities.

“This sprawl of applications raises questions about software supply chain risk,” said Michael White, technical director and principal architect at the Synopsys Software Integrity Group.

“Any application selected by IT will likely undergo extensive due diligence, but so-called shadow IT or grey IT projects may skirt this scrutiny - either directly, or via sub-components and platforms which they rely on.

“This could also include open source components which either accidentally or deliberately contain vulnerabilities or malicious code. As the report identifies, responsibility for applying security patches for these ‘orphan’ applications may also pose an organisation-level risk when considering events such as the well-known log4j vulnerability which occurred last year.”

In the US, the Cyber security and Infrastructure Security Agency (CISA) last year put in place a mandatory patch programme, requiring government agencies to patch identified security exploits within two weeks. The agency keeps a curated catalogue of vulnerabilities that have been exploited in the wild.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at or on LinkedIn.