Almost a third of the applications used by the UK government's Department for Environment, Food, and Rural Affairs (Defra) have gone end of life (EOL), leaving the UK's public sector vulnerable to cyber attacks.
A National Audit Office (NAO) report has found that while the department is focused on digital services, it has no plan in place to replace the outdated and risky software which accounts comprises 30% of all the department's software.
Defra itself has estimated that 76% of its total digital, data, and technology spend is funnelled into maintaining these legacy systems.
Defra has spent over a decade attempting to remediate its legacy applications issue but did not receive adequate funding to do so until the 2021 Spending Review. This allocated £366 million for digital investment between 2022 and 2025. Under current plans, legacy systems will not be totally fixed until 2030.
Legacy software is a cyber security risk because it means the application no longer receives any kind of support from the original developer, including security updates.
It means a hacker has ample time to develop an exploit for a vulnerability in any of these legacy applications. Trying to exploit a supported product is time-sensitive since vulnerabilities are often patched by the vendor before exploits can be developed.
The NAO also stated that the department still falls far short in its digital transformation strategy. It believes the funds are insufficient to reduce the current risk to an “acceptable level”, let alone expand digital transformation across the department.
This is a current pain point, as the department still performs only a third of its 21 million yearly customer transactions digitally.
To achieve a successful digital transformation, the NAO further advised government departments to develop a strategy that puts digital and data considerations at its foundation. In 2021, the NAO stated that there is a “consistent pattern of underperformance” across 25 years of government digital programmes.
Getting board-level buy-in for security strategy
Why cyber security needs to be a board-level issue
Defra is the department within the UK government responsible for the protection of the environment, as well as the food, farming and fishing industries. A great deal of the department’s work relies on digital services, including its duties in disease prevention, maintaining air quality, and overseeing flood defences.
“Government continues to rely on many outdated IT systems at significant cost,” said Gareth Davies, the head of the NAO.
“Defra faces a particularly challenging task in replacing its legacy applications and has begun to tackle it in a structured way.
“The full potential of technology in improving public services and reducing cost to the taxpayer can only be accessed if this programme and others like it across government are delivered effectively”.
As the independent parliamentary body responsible for scrutinising the public spending of Parliament, the NAO has a track record of putting a spotlight on failures in government digital strategy.
In October, it found that the digital projects within the Ministry of Defence (MoD) are undermined by a severe lack of tech skills, and has exposed poor data practices within departments such as HMRC, the ONS and Department for Business.
Poor maintenance of essential applications, or the continued use of applications no longer supported by developers, can present a serious security risk, especially if the applications contain zero-day vulnerabilities.
“This sprawl of applications raises questions about software supply chain risk,” said Michael White, technical director and principal architect at the Synopsys Software Integrity Group.
“Any application selected by IT will likely undergo extensive due diligence, but so-called shadow IT or grey IT projects may skirt this scrutiny - either directly, or via sub-components and platforms which they rely on.
“This could also include open source components which either accidentally or deliberately contain vulnerabilities or malicious code. As the report identifies, responsibility for applying security patches for these ‘orphan’ applications may also pose an organisation-level risk when considering events such as the well-known log4j vulnerability which occurred last year.”
In the US, the Cyber security and Infrastructure Security Agency (CISA) last year put in place a mandatory patch programme, requiring government agencies to patch identified security exploits within two weeks. The agency keeps a curated catalogue of vulnerabilities that have been exploited in the wild.
