MoD IT vulnerabilities a serious national security risk, experts warn

Ministry of Defence (MoD) plaque in London, UK.
(Image credit: Getty Images)

Security experts have raised national security concerns following claims that the Ministry of Defence (MoD) has the most vulnerable IT systems in Whitehall. 

Eleven systems at the defense department were found to be “red-rated” and exposed to critical levels of risk, according to reports in the Telegraph. A red rating is the highest level of risk allocated to a department under UK government guidelines covering security vulnerabilities and the potential for breaches.

News of the MoD’s security failures follows questions tabled to the government by Matt Rodda, Labour’s artificial intelligence (AI) minister, and highlights the scale of issues both at the defense ministry, as well as the broader security posture of several UK government departments.

A total of 34 systems in operation across Whitehall have been given a red rating in recent months, six of which belong to the Department of Work and Pensions (DWP).

The Ministry of Justice was found to have five critically-vulnerable systems, while the Home Office and Cabinet Office were both given four red-rated systems.

“The scale of this problem is utterly unacceptable,” Rodda told the Telegraph. “The Ministry of Defence, the department chiefly responsible for the security of Britain, should simply not have this many critical failures in its systems. We can’t even get the basics right.”

Rodda added that the government “must update the public” on whether failures could prompt serious national security risks.

Jake Moore, global cyber security advisor at ESET, said the scale of potentially vulnerable systems is a serious cause for concern given the threat posed by increasingly sophisticated and technically proficient threat actors operating globally.

“This is extremely worrying especially when government systems are constantly targeted by numerous threat actors,” he said.

“Fixing legacy problems has always been a thorn in the side of the government but when national security is at risk, these issues need to be addressed immediately.

“Costs are often seen as the reason behind a slower uptake on such fixes but now it is seen as a serious risk, it should hopefully be recognized as essential investments in national security and a critical step towards safeguarding the country’s digital infrastructure.”

The MoD has sharpened its security focus in recent years

The MoD has worked to improve operational security and resilience in recent years, unveiling a new strategy in 2022 that focused specifically on a ‘secure by design’ approach to the products and devices used by staff.

In May 2022, the defense department announced its ambition to become resilient to “all known cyber security vulnerabilities” and attack methods by 2030.

The MoD said it also aims to ensure its critical functions are “significantly hardened” to attacks by 2026.


A webinar from Cloudflare on the latest DDoS attack trends

(Image credit: Cloudflare)

Get unique insights into the latest DDoS attack trends, Cloudflare’s defense architecture, and how it affects you


Secure by design principles will be applied to all hardware and products used by the department as part of the strategy, officials said at the time. This approach will also see the government division focus heavily on skills development for staff and cyber security awareness training.

The MoD has encountered significant challenges in driving its digital ambitions, however. A report from the National Audit Office (NAO) in October 2022, for example, found the department was facing serious skills and talent shortages.

A key hurdle for the MoD was talent recruitment and retention, the report found, with the department unable to match salaries offered by the private sector.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at, or on Twitter and LinkedIn.