UK Launches £210m Government Cyber Action Plan to Strengthen Cybersecurity

The government also launched a Software Security Ambassador Scheme to encourage adoption of its Software Security Code of Practice.

The UK government has launched a new Government Cyber Action Plan committing £210 million ($282 million) to strengthen cybersecurity across digital public services. Furthermore, it holds government departments to the same standards imposed on critical infrastructure operators.

The plan, announced alongside the second reading of the Cyber Security and Resilience Bill, establishes a new Government Cyber Unit. This unit will be led by the UK’s Chief Information Security Officer and overseen by the Department for Science, Innovation and Technology (DSIT). The unit is expected to improve risk identification, incident response, and recovery capabilities across central government.

Reform Plans

As part of the reforms, cybersecurity will be elevated through the creation of a dedicated Government Cyber Profession. This separates it from the broader Government Security Profession. It also signals a stronger institutional focus on cyber risk management.

Under the new framework, government departments will be subject to the same cybersecurity requirements that apply to cloud service providers, search engines, and operators of critical infrastructure such as data centres. The UK government estimates the investment could deliver annual savings of up to £45 billion across the public sector.

Commenting on the initiative, Digital Minister Ian Murray said: “Cyberattacks can take vital public services offline in minutes – disrupting our digital services and our very way of life. This plan sets a new bar to bolster the defenses of our public sector. It puts cybercriminals on warning that we are going further and faster to protect the UK’s businesses and public services.”

UK Government Cyber Attacks

The announcement follows a series of high-profile security failures across government. The Foreign Office confirmed an intrusion in October widely attributed to Chinese state-sponsored actors. Additionally, the Legal Aid Agency, overseen by the Ministry of Justice, suffered a major breach in April.

A National Audit Office (NAO) report published twelve months ago found that 58 of 72 critical IT systems reviewed across central government contained “multiple fundamental system controls that were at low levels of maturity.” Auditors also warned ministers that government security risk was “extremely high.” They identified at least 228 legacy systems in March 2024, with 28 percent assessed as having a high likelihood of operational and security risks.

In a related move, DSIT also launched a Software Security Ambassador Scheme to encourage adoption of its Software Security Code of Practice. Initial ambassadors include Cisco, NCC Group, Palo Alto Networks, Sage, and Santander. They will promote secure development practices and help shape future policy. The initiative mirrors the US Cybersecurity and Infrastructure Security Agency’s Secure by Design pledge, which attracted over 340 organizations in 2024.

However, some analysts questioned whether the funding level is sufficient. Colette Mason, author and consultant at Clever Clogs AI, noted: “£210 million sounds impressive until you remember the Jaguar Land Rover hack cost 0.5 percent of GDP. That’s the real benchmark here. Not whether we have a plan, but whether this plan can actually plug holes faster than an army of attackers find them.” She added that securing government systems requires first mapping and patching vulnerabilities across a complex web of suppliers, contractors, and legacy infrastructure.

Craig Wentworth, principal analyst at TechMarketView, said the challenge goes beyond funding. “The challenge extends beyond funding to legacy infrastructure, fragmented estates, and the expanding attack surface created by rapid digital transformation itself,” he said. He added that vendors offering security-by-design architectures and transparent supply chains are likely to benefit, while those overlooking foundational vulnerabilities may struggle.
