Outdated Tech in UK Government: A Cybersecurity Threat Revealed by FOI Request
26-06-2023 | By Robin Mitchell
A recent Freedom of Information request by TaxPayers Alliance has revealed that many crucial government services, including HMRC, DHSC, and UK Atomic Energy, are using vulnerable and outdated services that are no longer supported by Microsoft, posing a significant cybersecurity threat. What challenges do ageing systems present, what did the Freedom of Information request reveal, and why does this demonstrate the dangers of physical server installation over cloud-based solutions?
What Cybersecurity Challenges Do Ageing Systems Present?
The exponential rate at which technology improves has resulted in a massive transformation of everyday life in less than a century. Prior to the 1800s, humanity had mostly been agriculture-oriented, with other industries being reserved for those with wealth (many early researchers and engineers were from nobility or upper classes as they had the freedom to ponder). However, major technological breakthroughs such as steam power and electricity saw a dramatic shift in the workforce, how people lived their lives, and the role of technology in modern society.
Jump to 2023, and technology has become so critical to modern society that without it, society would collapse. Most major monetary transactions are done via the Internet, a large portion of entertainment comes in the form of video hosting services, and even food is being heavily influenced by technology. However, technology can be a double-edged sword, introducing numerous challenges that have to be approached with caution.
Of these challenges, one that concerns many engineers is the nature of ageing systems and the speed at which systems are replaced. Simply put, as technology improves so rapidly, devices that are put into service can quickly find themselves outmoded by newer versions.
In the case of software-driven devices, updates can be pushed out to fix security flaws and provide new capabilities, but as the underlying hardware has been left unchanged, there will come a time when updates alone cannot improve the capabilities of the device. Considering that hardware is almost always immutable, no number of updates can improve a device's hardware capability, thus seeing such devices fall behind with the times.
Therefore, ageing systems typically need to be replaced outright. While this brings the latest technological capabilities to an application, the cost of replacing devices every few years can be extortionate. At the same time, replacing devices can be massively wasteful, contributing to the growing pile of global e-waste.
Due to these high costs, most devices remain in use, even if they are terribly outdated and no longer supported by the original manufacturer. The result is that the rapid change in technology can quickly see millions of vulnerable systems left in service around the world, presenting cybercriminals with easy targets.
Freedom of Information Request Reveals Security Flaws in UK Government Servers
Recently, the TaxPayers Alliance, a non-profit organisation that lobbies for lower tax rates and less wasteful government spending, filed a Freedom of Information (FOI) request on the hardware and infrastructure used by crucial government systems. The response to this request showed that many of these systems run on legacy hardware[1] in dire need of replacement and extremely vulnerable to hackers.
According to the TaxPayers Alliance, three departments that responded to the request, HM Revenue and Customs (HMRC), the Department of Health and Social Care (DHSC), and the UK Atomic Authority, were found to be using thousands of servers and databases whose support from Microsoft has already ended due to their age. Furthermore, the software running on these servers was also revealed to be horrendously out of date, meaning that both the hardware and the software are vulnerable to potential cyber-attacks.
The cost of replacing the systems used by these government institutions would be extremely high, and upgrading to new software is no small feat. However, considering the potentially sensitive nature of the data being stored, the servers present a very real threat, both to the government and to the general population.
Moreover, the challenges faced by government institutions in updating their technology are further highlighted by a recent report from the National Audit Office (NAO). The report revealed that HMRC's Making Tax Digital programme, a key initiative aimed at digitising the tax system, is now three years behind schedule and over £1bn over its original budget[2]. This underscores the urgent need for government departments to modernise their IT systems and infrastructure.
Of course, it is well known that government institutions are not held to the same standards as the private sector. For example, private banks go out of their way to ensure that the latest servers and technology are used to protect customer data, and any bank found not to be using strong security practices would be hung, drawn, and quartered by the authorities. But when government institutions make mistakes at this scale, there is very little that can be done.
“These numbers are deeply troubling, showing that key parts of government remain reliant on ancient IT systems, despite being exposed to well-documented serious cyber-vulnerabilities. This failure is exposing data to criminals and costing taxpayers billions in maintenance and incident management. Ministers must urgently commit to bringing the state in line with private sector standards, rather than wasting billions on pointless pet projects.”[1]
The National Cyber Security Centre (NCSC), a part of GCHQ, has also highlighted the evolving cyber security threats faced by various sectors, including the legal sector. From ransomware attacks by criminals to intellectual property theft by state actors, the threats are diverse and constantly evolving[3]. The NCSC's report underscores how the widespread adoption of hybrid working during the COVID-19 pandemic has increased online risks.
The report provides case studies that demonstrate the severe impacts of cyber incidents. For instance, the conveyancing firm Simplify Group was unable to process house moves for weeks after an attack, costing the company £6.8 million[3]. This example further highlights the urgent need for modernising and securing IT systems across all sectors.
To make matters worse, some of the vulnerabilities in the hardware used by these institutions could easily be exploited by novice hackers. Because of the age of these systems, their flaws are publicly documented, and the lack of software and hardware support means that those vulnerabilities will not be fixed any time soon.
Why Does This Example Demonstrate the Dangers of Physical Servers Over Cloud-Based Systems?
One way to protect such infrastructure would be to switch to cloud-based services run by large tech companies. By deploying virtual servers in the cloud, government institutions could remove the need to own the physical hardware, which not only reduces the upfront cost of such a system but also eliminates the need for physical maintenance (incidentally, it appears that Companies House already hosts its services on AWS, but this has not been confirmed).
Using cloud-based servers also has the advantage that the underlying hardware is maintained by the service provider and that such services are often scalable. Furthermore, cloud-based services are often hardware agnostic, meaning that services can quickly be moved across different platforms at speed. This also introduces the possibility for localisation of services, whereby small-scale deployments are made nearer to customers, improving access.
Physical servers are undoubtedly more secure from the point of view of data ownership, as all data is physically stored on disks under the control of the server operator. However, if the hardware itself is no longer supported by modern operating systems, and the software running on those servers is terribly outdated, then the advantages of a physical server are instantly rendered moot.
1. TaxPayers Alliance. (2023). Outdated tech on Whitehall likely costing taxpayers billions. Retrieved from https://www.taxpayersalliance.com/outdated_tech_on_whitehall_likely_costing_taxpayers_billions
2. The Guardian. (2023). Whitehall wide open to cyber-attack. Retrieved from https://www.theguardian.com/technology/2023/jun/18/whitehall-wide-open-to-cyber-attack
3. National Cyber Security Centre. (2023). Legal firms urged to strengthen cyber defences with the latest guidance from experts. Retrieved from https://www.ncsc.gov.uk/news/legal-firms-urged-to-strengthen-cyber-defences