97. This Chapter sets out the technical challenges of legacy systems and cyber security that the Government will need to overcome if it is to maximise the potential of digital technology for the Government.
98. The Government Digital Service has defined legacy systems, which can include:
as technology that is:
99. In Managing the risks of legacy ICT to public service delivery, the NAO explained that legacy systems created issues for the Government, as they increasingly presented barriers to the introduction of new digital advances while developments in policy required faster, newer and more efficient systems. The NAO said:
The risks of legacy ICT will increase over time as the gap between the system functionality and business need widens and the complexity of the systems and software increases. The management and technical resources needed to maintain and make further changes also increase.
100. UKCloud Ltd, a cloud platform provider, characterised Government legacy technology as complex, marked by a “lack of interoperability between systems and services, and by monolithic long-term contracts that are expensive and difficult to break”. Further, the British Computing Society explained that “legacy systems create vulnerabilities that need to be understood and managed”. Reports from both the Institute for Government and the NAO noted that legacy systems are the major obstacle to “digital by default”. The 2011 Government ICT strategy also cited legacy ICT as a major barrier to the rapid introduction of new policies and GDS strategies.
101. The British Computing Society told us that at the heart of most of the digitisation issues the Government faced was its technical infrastructure, based in legacy systems. A 2013 NAO Report estimated that £480 billion of Government revenue was reliant on legacy technology, and that key systems such as the Department for Work and Pensions’ pension service and HMRC’s VAT collection service were both reliant on embedded legacy systems. Further, Simon Hansford from UKCloud told us that the Government’s continued spending on legacy systems without an appropriate plan to replace them would result in “wasting public money”. As the Institute for Government pointed out in its October 2018 Report, despite the recommendations made in the 2013 Report, the 2017 Government Transformation Strategy recognised that many of these systems were still in place.
102. The British Computing Society argued that departments could not afford to ignore legacy technology, due to the increasing security risk it presented, as well as how it impinged upon the Government’s ability to harness innovative technology and effectively utilise data to improve its relationship with citizens, a key aim of digitisation (as we outlined in Chapter 2 of this Report). UKCloud also expressed concern that if the Government did not appropriately address its legacy issues, this would impinge upon transformation.
103. Legacy systems have created many different barriers to digitisation. The first, and perhaps most pressing, issue was that Government data was held in these legacy systems, meaning that the full transformative potential of collaborative data use could not be reached. We explored the challenges relating to data-sharing and collaboration between departments in further detail in the previous Chapter. The British Computing Society explained that because the data was held in separate, departmental legacy systems, interoperability was an issue for departments that otherwise could have benefited from the sharing of data about citizens. Daniel Korski, representing PUBLIC, shared these concerns.
104. The evidence we received, such as from Mr David Durant and others, generally expressed encouragement for the use of application programming interfaces (APIs) (a way of enabling different systems to interact with one another), open standards (ensuring different systems and data can interoperate) and open source software policies (enabling users to copy, distribute and use software freely or at low cost), but often asserted that more needed to be done structurally, beyond the publishing of standards, to ensure cross-department collaboration and data-sharing. The British Computing Society pointed to the need for GDS to overcome significant technical challenges, such as the interoperability issues that stemmed from legacy systems. They suggested that in order for data silos to be addressed “citizen and government environments need to integrate in the back office and unlock data to make the citizen experience as rich as possible; and this has not yet been achieved.”
105. We also heard that silos within departments were an issue for the Government. Jacky Wright, the Chief Digital Officer for HMRC, noted that her department specifically experienced this issue, as there were large amounts of disparate data throughout HMRC within embedded legacy systems, meaning that effective collaboration with other departments, such as the Department for Work and Pensions, proved to be a challenge. Further, though APIs were utilised to extract and re-format data so that it was shareable, the British Computing Society pointed out that this was only possible with the “right standards and a solid data model”. This view was supported by Tom Smith, representing the Office for National Statistics, who explained that “you need to understand and develop the data engineering and infrastructure that underpin the management, storage and safe use of data.” Mr Smith, however, urged us not to ignore the progress made by GDS to address these issues in previous years, stating that “some of the Departments have developed on the back of GDS’s work very strong technical expertise, and that level across Government is now much stronger than it was.”
106. Evidence from the Cabinet Office outlined a number of actions that the Government had taken to ensure that data could be appropriately shared across Government, despite its legacy foundations. These included using GOV.UK Registers to ensure data was accessible to those who needed it, and GDS’s lead on the promotion of common standards across departments to ensure consistency and interoperability. Tom Smith, representing the Office for National Statistics, perceived that GDS had been successful in its promotion of standards: “one great success of GDS was enabling, facilitating and supporting a step change in the technical expertise and capability within Government.”
107. We also heard that legacy systems had created a barrier in technology procurement, as departments had been “locked in” to large IT contracts because only a small number of suppliers could support such significant legacy systems. UKCloud explained that the initial creation of GDS had “given Government a lever in its bid to break the stranglehold of its legacy technology suppliers (the so-called oligopoly)”, but the momentum and commitment to change this had been compromised, and the Government needed to cultivate an environment that encouraged SMEs. The British Computing Society told us that “80% of the work to be done is about addressing the issues of legacy systems, 20% is opportunity for innovation and the potential for SME involvement”. The Minister for Implementation, Oliver Dowden MP, also expressed concern to us about the accessibility of the current procurement framework for SMEs. Further issues with procurement will be discussed in the next Chapter.
108. The final difficulty relating to legacy systems that was highlighted to us was that of digital skills. For example, the British Computing Society and techUK explained that the difficulties created by legacy technology had been exacerbated by the shortage of digital skills in Government, and that it was difficult to ensure employees had the right digital capabilities to deal with legacy issues. Simon McKinnon, the Chief Digital Officer for the Department for Work and Pensions, explained that though the Government currently had the right level of skills to deal with complex legacy systems, they would become increasingly hard to maintain as those skills became shorter in supply. However, he also told us that the Government was working to train employees and build capability in legacy systems going forward. This is partially demonstrated by guidance published on the GOV.UK website, which outlined key strategies such as the Digital, Data and Technology Profession Capability Framework, which set out the necessary digital skills for technical roles in Government, and the Civil Service Workforce Plan 2016–2020, which set out plans to build the capability of the Civil Service. Skills will be explored in greater detail in the next Chapter.
109. Some of the evidence that we heard emphasised the importance of understanding the difficulty the Government faced in moving away from legacy systems. For example, techUK spoke of the need for GDS to be mindful of the constraints and challenges that public authorities had in moving away from or upgrading legacy processes and systems. Simon McKinnon, the Chief Digital Officer for DWP, told us that although his department was taking action to tackle its legacy problem, it had to prioritise certain workstreams due to business-critical need. This was confirmed by the then Director General of GDS, Kevin Cunnington, who explained:
We tend not to fix it if it ain’t broke; we tend to prioritise new policy requirements. Secondly, as Simon says, it is much harder to fix Government legacy because it comes with all sorts of legislative constraints than it is in the private sector.
110. Jacky Wright, the Chief Digital Officer at HMRC, also explained that it was difficult to make a convincing case to the Treasury to replace legacy systems, due to the cost (see Annex 3). She told us that her department had begun an audit of its legacy systems to assess cyber vulnerabilities, in order to develop such a business case. We are not aware whether HMRC has yet concluded this audit. Kevin Cunnington, the then Director General of GDS, was asked if there was a satisfactory level of ambition across Government to deal with legacy issues. He explained that it was their goal for the next spending round. Further, when we asked the Minister for Implementation, Oliver Dowden MP, and Kevin Cunnington if there had been an appropriate audit of the scale of the legacy issue across Government, neither could provide us with an answer. GDS has, however, published guidance that sets out five options for departments dealing with legacy systems. These were:
111. Legacy systems have been flagged as an issue in previous Parliamentary inquiries and independent Reports from both the NAO and the Institute for Government, yet there appears to be limited mapping of legacy systems within departments and across the Government. In its 2011 Report, the then Public Administration Select Committee categorised legacy systems as “a serious risk to government”. Despite this, similar conclusions were reached in the Government Transformation Strategy in 2017, and then again in the Managing Legacy Technology guidance published in February 2019.
112. Further, evidence we received emphasised the urgency for the Government to tackle the legacy problem now. The British Computing Society explained that “the longer the legacies remain in place the higher the risks become.” UKCloud also warned against allowing the legacy problem to go into stasis, as legacy technology becomes “locked-in to a small number of suppliers” and “will become tomorrow’s problem for somebody else to solve”. The skills gap increases as legacy systems become more outdated and harder to manage (see further exploration of this point at paragraph 109).
113. Legacy systems are a significant barrier to effective Government transformation and digitisation. We acknowledge the attempts of the Government, its predecessors and individual departments to produce guidance and to deal with legacy issues. However, the same issues frequently recur, suggesting that the Government and GDS’s advice has not been fully implemented. We acknowledge that there is a significant cost attached to the replacement of legacy systems, which the Treasury must resource adequately.
114. GDS should conduct an audit of all legacy systems across Government, including where they are based, what actions to take, the expected cost of such action and the resulting timescales. GDS’s framework of retain (do nothing), retire (drop), re-host (lift and shift), repurchase (shop and drop) and re-platform (lift and shape) should be used to determine what actions to take with each legacy system. The audit should assess which approach is most realistic, but ‘retain’ should not be used widely as the proposed long-term action, as there is clear evidence that the legacy system issue is going to increase over time and there are challenges with regard to the skills for supporting such systems. GDS should seek to publish the findings of this audit. This audit should be completed no later than December 2020.
115. Cyber security was presented to us as another technical challenge that the Government would face in its digital transformation process. This was a particular concern for the cyber security company Kaspersky Lab and UKCloud, the cloud platform provider, amongst others, as they argued that if the Government did not strengthen its cyber security policy, it could leave itself, and citizen data, vulnerable to attack.
116. The structures of governance and accountability around Government cyber security were set out to us in a joint letter from DCMS and the Cabinet Office:
117. The evidence received relating to the effectiveness of cyber security governance was mixed. Deloitte argued that the establishment of the National Cyber Security Centre (NCSC) as the lead body for skills and strategy was positive. They said:
The advent of the NCSC makes a significant step forward in ensuring that Government digitisation can be achieved with an increasing focus on cyber security. The quality of UK technical cyber security advice ranks among the best in the world.
Further, the Office for National Statistics commended the guidance and standards that the NCSC had set out, as they ensured “significant digital services undergo the appropriate security assessment, including the protection of citizen and business data”. Professor Chris Johnson, representing the UK Computing Research Committee, said that the National Cyber Security Centre was important as it aided individual departments and ensured that the Government was taking cyber security policy seriously, both at the top of Government and through Cyber Essentials training of employees.
118. Conversely, Ministers suggested that there was a split in cyber security accountability, as demonstrated when the Committee asked about the WannaCry attack on the NHS. An investigation conducted by Redscan, a computer security service, in December 2018 revealed that despite the high-profile nature of the WannaCry attack that affected the NHS in 2017, there were still significant cyber security issues facing the NHS that it was not equipped to deal with. Redscan’s report was based upon the findings of a three-month freedom of information campaign, which surveyed more than 150 NHS trusts in the UK. The report concluded that:
When the Minister for Digital and the Creative Industries was asked about this, she explained that although it was the Government’s responsibility to set cyber security standards, ultimately it was the role of individual departments to ensure that they were adhered to.
119. techUK raised concerns that the “division of labour” between different parties in cyber security, such as GDS’s oversight of setting standards and monitoring vulnerabilities, and NCSC’s authority to respond strategically to incidents, could, at times, “lead to confusion as to who is responsible for cyber security across government.” This view was supported by Deloitte, who observed that cyber security policy in the UK could be improved by a more joined-up Government approach.
120. Despite this, the Chief Digital Officer for HMRC, Jacky Wright, explained that the division of responsibilities for cyber security was a positive thing, as it built in checks and balances on an issue of major concern for national security. Further, the Cabinet Office suggested that the combination of skilled bodies throughout Government, including GDS, NCSC and GCHQ, resulted in the UK being considered a “world leader” in global cyber security standards. A 2017 report from the IfG explained that, although the establishment of the NCSC had been useful in reducing the overall number of bodies responsible for cyber security in the UK, no major attack had yet tested the robustness of the NCSC; the WannaCry attack had demonstrated the danger of leaving responsibility for cyber security squarely in the hands of departments or employees.
121. Both Professor Chris Johnson, representing the UK Computing Research Committee, and Antony Walker, Deputy CEO of techUK, recommended the creation of a new Ministerial role with ultimate responsibility for cyber security. When we asked the Minister for Digital and the Creative Industries, Margot James MP, and the Minister for Implementation, Oliver Dowden MP, if there should be a Minister for Cyber Security, they explained that this role technically resided with David Lidington, the Chancellor of the Duchy of Lancaster. However, the Minister of State for Security and Economic Crime also has responsibility for “cyber security” as part of their portfolio, and the potential problems with this split of responsibilities were emphasised by the 2018 Report Cyber Security of the UK’s Critical National Infrastructure by the Joint Committee on the National Security Strategy (JCNSS). In that Report the JCNSS explained:
There is no single Minister with responsibility for the cyber resilience of CNI, or for cyber security in general. Instead, there is a patchwork of cross-cutting ministerial oversight that is structured by department […] focused political leadership is also essential, given the potential extensive impact of a major cyber-attack on the UK’s CNI and the fast-changing nature of the threat, as well as the need to drive a consistent response across a number of departments and agencies. We have heard little to convince us that there is such a ‘controlling mind’ at the centre of Government that is proactively leading efforts to improve the cyber resilience of CNI.
122. The Report went on to recommend the creation of a Cabinet Minister “designated as a cyber security lead” who could:
In response to the JCNSS’s Report, the Government explained that existing cyber security governance arrangements fulfilled the requirements set out and that the cross-cutting responsibilities of various ministers for different aspects of cyber security would remain in place.
123. More needs to be done to centralise leadership of cyber security policy and ensure that all departments are prioritising it in the same way. Responsibility in Government for cyber security policy is spread between departments to ensure checks and balances are in place, but we are concerned that this may result in a lack of accountability for specific incidents. We support the 2018 recommendation of our colleagues on the Joint Committee on the National Security Strategy that there should be a Minister for Cyber Security. The Government should reconsider creating a Minister for Cyber Security who will be able to hold Ministers across Government to account for their internal cyber security. This Minister would also be responsible for working with other public sector bodies, including the NHS and local Government, to ensure that best practice and guidance was being shared across the public sector.
124. Concerns were raised by Kaspersky Lab, a private security company and provider for Government services, that the WannaCry attack showed that basic cyber security was not up to scratch in the public sector. The NAO published a report on WannaCry which emphasised its severity: “the attack led to disruption in at least 34% of trusts in England although the department and NHS England do not know the full extent of the disruption”. Kaspersky Lab explained that this attack had happened due to basic cyber security failures, including failures to update software and apply patches, and vulnerabilities in programmes and applications that could be exploited to gain malicious entry. The UK Computing Research Committee (UKCRC) argued that the Government had made good progress in taking urgent action on cyber policy since the attack. However, a recent report from the Public Accounts Committee concluded that the National Cyber Security Strategy 2016–2021, which set out how the Government planned to manage cyber security in the UK, was not on track to meet 11 out of 12 of its strategic outcomes by 2021, and that sufficient action had not been taken to ensure the Government and citizens were secure. The Minister for Digital and the Creative Industries argued that the NHS had taken appropriate action for protection but conceded that “substantial financial pressures” sometimes compromised investments made to upgrade security systems.
125. More generally, the oral evidence was mixed on the standards of cyber security expected across departments. For example, Simon Hansford, representing UKCloud, a cloud computing service provider, explained that the standards of cyber security across departments were very low. Conversely, Tom Loosemore, an ex-Deputy Director of GDS, observed that standards had been too high and had prevented GDS from implementing effective digitisation: “some of the cyber-security standards were terrifying in their inappropriateness, even in 2010. They actively stopped us doing the right thing from a cyber perspective”.
126. There was also a concern that cyber security standards varied across departments. An Institute for Government Report, Improving the Management of Digital Government, concluded that departments varied in their cyber security standards and in their dependency on vulnerable legacy systems. This view was supported by the work undertaken by Jacky Wright in HMRC, as part of her audit of the vulnerability of HMRC legacy systems (see Annex 3). Professor Chris Johnson from the UK Computing Research Committee also shared this point of view, stating that the differing cyber security standards further disincentivised SMEs and small technology providers, as the procurement landscape made it difficult for providers to understand how they should be bidding. In contrast, techUK explained that the introduction of these standards had been a success for procurement as it set out “the minimum-security measures that government departments are required to implement to protect their information, technology and digital services”. We return in more detail to the issue of procurement in Chapter 5.
127. The Minister for Digital and the Creative Industries explained that all departments were subject to minimum cyber security standards. The Cabinet Office told us that these standards should help both departments and suppliers to better understand cyber security risks in Government supply chains, as “Government will assess whether suppliers meet them, and they will be written into new contracts to enforce full compliance”.
128. The Government has taken positive steps to develop cyber security standards. Despite this, we remain concerned that cyber security policy varies between departments even though there are minimum cyber security standards. This creates unnecessary procurement barriers, particularly for SMEs and small tech providers. The Cabinet Office should review its universal departmental cyber security standards, ensure they are sufficient, and clearly set out the requirements that bidders must meet to be eligible for Government procurements by the end of 2019. If any department wishes to diverge from these standards, it should have to make a case to the Minister for Implementation.
Published: 10 July 2019