Whitehall departments apply an “if it ain’t broke don’t fix it” approach to insecure and outdated IT, the head of the Government Digital Service (GDS) has warned.
Speaking to MPs on Monday, Kevin Cunnington said departments are guilty of prioritising policy requirements over infrastructure upgrades.
“Legacy IT costs more to secure and it’s more difficult to secure,” Cunnington told the science and technology select committee. “It is a real security concern that we move away from legacy to things that are more modern.”
Cunnington added that there was a significant cost associated with running older systems: “These things are getting increasingly costly to maintain and therefore the sooner we can move away from the legacy, the cheaper the system would be to operate.” Another concern is around interoperability. It is harder to connect legacy systems to one another than it is with modern IT.
The interim chief digital and information officer at the Department for Work and Pensions, Simon McKinnon, admitted that a “large part” of the ministry’s core service is delivered through legacy systems. The department is currently running 11 legacy mainframes. “They are critical to what we deliver and the move away from them has to be done very carefully,” he said. “It’s going to take many years.”
The Government Security Group, in partnership with GDS and the National Cyber Security Centre, is currently working with departments to help them secure the investment they need to modernise their systems. Cunnington said it was essential that modernisation programmes are given priority.
A survey conducted last year revealed that 65 per cent of civil servants thought their existing IT infrastructure was partly to blame for holding back departments’ modernisation programmes.
Aingaran Pillai, the chief executive of Zaizai, warned that the government risks wasting public money if it cannot upgrade services fast enough. “The risk is that current projects will become a burden on the public purse because in five years’ time – or less – they will need to be revamped.”
Multi-million pound outsourcing deals are often blamed for the public sector’s comparatively slow adoption of new digital products and services. Speaking at the GovTech Summit in Paris in November, Matt Hancock, the health secretary, said “in the past […] governments have gone to large system integrators so that a very small team can spend a huge amount of money asking somebody else to project manage it”.
Speaking on Monday, Cunnington admitted that legislative constraints meant it was much harder to upgrade legacy systems in the public sector than the private sector.