
Defra's legacy software problem 'threatens' UK gov cyber security until 2030

The department spends over two-thirds of its digital budget on maintaining the risky applications, with no plan in place for a fix within the decade

Almost a third of the applications used by the UK government's Department for Environment, Food, and Rural Affairs (Defra) have gone end of life (EOL), leaving the UK's public sector vulnerable to cyber attacks.

A National Audit Office (NAO) report has found that while the department is focused on digital services, it has no plan in place to replace the outdated and risky software, which comprises 30% of all the department's applications.

Defra itself has estimated that 76% of its total digital, data, and technology spend is funnelled into maintaining these legacy systems.

Defra has spent over a decade attempting to remediate its legacy applications issue but did not receive adequate funding to do so until the 2021 Spending Review. This allocated £366 million for digital investment between 2022 and 2025. Under current plans, legacy systems will not be totally fixed until 2030.

Legacy software is a cyber security risk because it means the application no longer receives any kind of support from the original developer, including security updates.

It means a hacker has ample time to develop an exploit for a vulnerability in any of these legacy applications. Trying to exploit a supported product is time-sensitive since vulnerabilities are often patched by the vendor before exploits can be developed.

The NAO also stated that the department still falls far short in its digital transformation strategy. It believes the funds are insufficient to reduce the current risk to an “acceptable level”, let alone expand digital transformation across the department.

This is a current pain point, as the department still performs only a third of its 21 million yearly customer transactions digitally.

To achieve a successful digital transformation, the NAO further advised government departments to develop a strategy that puts digital and data considerations at its foundation. In 2021, the NAO stated that there is a “consistent pattern of underperformance” across 25 years of government digital programmes.


Defra is the department within the UK government responsible for the protection of the environment, as well as the food, farming and fishing industries. A great deal of the department’s work relies on digital services, including its duties in disease prevention, maintaining air quality, and overseeing flood defences.

“Government continues to rely on many outdated IT systems at significant cost,” said Gareth Davies, the head of the NAO.

“Defra faces a particularly challenging task in replacing its legacy applications and has begun to tackle it in a structured way.

“The full potential of technology in improving public services and reducing cost to the taxpayer can only be accessed if this programme and others like it across government are delivered effectively”.

As the independent parliamentary body responsible for scrutinising public spending on behalf of Parliament, the NAO has a track record of putting a spotlight on failures in government digital strategy.

In October, it found that the digital projects within the Ministry of Defence (MoD) are undermined by a severe lack of tech skills, and has exposed poor data practices within departments such as HMRC, the ONS and Department for Business.

Poor maintenance of essential applications, or the continued use of applications no longer supported by developers, can present a serious security risk, especially if the applications contain zero-day vulnerabilities.

“This sprawl of applications raises questions about software supply chain risk,” said Michael White, technical director and principal architect at the Synopsys Software Integrity Group.

“Any application selected by IT will likely undergo extensive due diligence, but so-called shadow IT or grey IT projects may skirt this scrutiny - either directly, or via sub-components and platforms which they rely on.

“This could also include open source components which either accidentally or deliberately contain vulnerabilities or malicious code. As the report identifies, responsibility for applying security patches for these ‘orphan’ applications may also pose an organisation-level risk when considering events such as the well-known log4j vulnerability which occurred last year.”

In the US, the Cybersecurity and Infrastructure Security Agency (CISA) last year put in place a mandatory patch programme, requiring government agencies to remediate listed, actively exploited vulnerabilities within two weeks. The agency keeps a curated catalogue of vulnerabilities that have been exploited in the wild.
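The two points above, that an end-of-life application will never receive a vendor fix and that a catalogue of exploited vulnerabilities comes with a fixed remediation deadline, can be turned into a simple inventory check. The following is an added example written for this article, not code from IT Pro, the NAO or CISA. Every application, CVE identifier and date in it is a constructed placeholder; the `cveID` and `dateAdded` field names are modelled on the layout of CISA's public catalogue feed, and the 14-day window is the two-week figure quoted above, applied uniformly for the sake of the example. The point it makes is that the right action differs by support status: a supported application can meet the deadline by patching, whereas an end-of-life one cannot and has to be replaced or isolated.

```python
"""Inventory triage: end-of-life status versus exploited-vulnerability deadlines.

Added example, not from the article or the bodies it cites. All data below is
constructed; CVE identifiers use a placeholder CVE-0000-NNNN form.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The article's "two weeks" remediation window, applied to every catalogue entry here.
REMEDIATION_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class Application:
    name: str
    version: str
    eol_date: Optional[date]      # date vendor support ended; None means still supported
    known_cves: Tuple[str, ...]   # catalogue identifiers the deployed version is exposed to


# Constructed catalogue records; field names follow the CISA feed layout (assumption).
KEV_CATALOGUE = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2023-01-10"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2023-01-30"},
]

# Constructed inventory: one end-of-life application, two still supported.
INVENTORY = [
    Application("payments-portal", "4.2", date(2021, 6, 30), ("CVE-0000-0001",)),
    Application("gis-mapper", "9.0", None, ("CVE-0000-0002",)),
    Application("lab-results", "2.1", None, ()),
]

# Constructed "today" so the example is reproducible offline.
TODAY = date(2023, 2, 20)


def is_end_of_life(app: Application, today: date) -> bool:
    """True when the vendor stopped supporting this application on or before today."""
    return app.eol_date is not None and app.eol_date <= today


def legacy_share(inventory: List[Application], today: date) -> float:
    """Fraction of the estate that is end of life (the article's 30% figure for Defra)."""
    if not inventory:
        return 0.0
    return sum(is_end_of_life(a, today) for a in inventory) / len(inventory)


def overdue_kev_findings(inventory: List[Application], catalogue: List[dict],
                         today: date) -> List[Tuple[str, str, int]]:
    """Return (application, cveID, days overdue) for every exposure whose
    remediation deadline (dateAdded + window) has already passed."""
    due_by = {rec["cveID"]: date.fromisoformat(rec["dateAdded"]) + REMEDIATION_WINDOW
              for rec in catalogue}
    findings = []
    for app in inventory:
        for cve in app.known_cves:
            due = due_by.get(cve)
            if due is not None and today > due:
                findings.append((app.name, cve, (today - due).days))
    return findings


def remediation_plan(inventory: List[Application], catalogue: List[dict],
                     today: date) -> Dict[str, str]:
    """Map each application to the action a defender can actually take.
    Patching only helps while the vendor still ships fixes; an end-of-life
    application cannot meet the deadline by patching at all."""
    overdue = {name for name, _, _ in overdue_kev_findings(inventory, catalogue, today)}
    plan = {}
    for app in inventory:
        if is_end_of_life(app, today):
            plan[app.name] = "replace or isolate (no vendor fix will arrive)"
        elif app.name in overdue:
            plan[app.name] = "patch now (remediation deadline passed)"
        else:
            plan[app.name] = "monitor"
    return plan


if __name__ == "__main__":
    print(f"end-of-life share: {legacy_share(INVENTORY, TODAY):.0%}")
    for name, cve, days in overdue_kev_findings(INVENTORY, KEV_CATALOGUE, TODAY):
        print(f"{name}: {cve} is {days} days past its deadline")
    for name, action in remediation_plan(INVENTORY, KEV_CATALOGUE, TODAY).items():
        print(f"{name}: {action}")
```

Run with a real inventory and the live catalogue by replacing the constructed `INVENTORY`, `KEV_CATALOGUE` and `TODAY`; the two-week window is a simplification, since the real programme sets deadlines per entry.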
