Urgent Action Needed: UK’s Cyber Infrastructure Under Threat

Britain’s digital backbone—from hospitals and banks to the power grid and cloud servers—is dangerously exposed to cybercrime, hostile state activity and system failure, according to a new report from Parliament’s Office of Science and Technology (POST).

The briefing warns that “departments have not met their responsibilities to improve their own and their wider sectors’ cyber resilience” and that the nation’s reliance on outdated technology, fragile supply chains and under-skilled staff leaves critical systems vulnerable.


Rising Storm of Cyber Threats

– Ransomware is described as one of the most “acute threats” to the UK, with incidents rising sharply.
– State-aligned actors from Russia, China, Iran and North Korea are stepping up attempts to infiltrate critical national infrastructure.
– Environmental hazards such as floods and heatwaves already cause outages — in 2022, an NHS data centre collapsed during a heatwave, cancelling operations and appointments.
– Accidental failures and human error continue to trigger costly shutdowns.


“There is a widening gap between increasingly complex threats and the UK’s defensive capabilities.”
— National Cyber Security Centre (NCSC)

Cracks in the Shield

The report highlights the persistence of “legacy IT” across government. As of January 2025, more than 300 outdated systems remained in use across 28 public bodies — with a quarter rated “red risk”.

Supply chains also pose a significant weakness. Only 14% of UK firms review cyber risks in their immediate suppliers, with even fewer examining deeper dependencies.

Meanwhile, human error remains the leading cause of breaches, with phishing scams, weak passwords and poor cyber awareness exploited by attackers.


The Bill on the Horizon

The Government’s proposed Cyber Security and Resilience Bill will update the Network and Information Systems Regulations, extending oversight to supply chain vendors, tightening reporting requirements, and granting regulators stronger powers.

But experts warn that legislation alone won’t close the gap. Sustained investment is needed to modernise public services, reduce “technical debt” and embed “secure by design” principles into everything from consumer gadgets to defence systems.

Cyber Incidents That Shook the UK

  • 2017 — NHS WannaCry Attack: One-third of English hospital trusts disrupted; appointments cancelled nationwide.
  • 2022 — NHS Heatwave Outage: Two data centres were knocked offline by extreme heat, forcing cancellations.
  • 2024 — CrowdStrike Glitch: A software update accidentally crippled 8.5 million devices globally, including UK businesses.

SIDEBAR: Key Findings from the POSTnote

  • The UK is increasingly dependent on vulnerable digital infrastructure.
  • Cyberattacks are growing in sophistication, fuelled by AI tools.
  • Government departments are lagging in meeting basic security standards.
  • Critical gaps in regulation: weak incident reporting, no vendor liability, and limited board accountability.
  • Call for mandatory minimum standards, stronger incentives and long-term investment.

Growing Threats
The report identifies ransomware as one of the most acute dangers, alongside escalating attacks by state-aligned actors from Russia, China, Iran and North Korea. Environmental hazards such as extreme heatwaves and floods, as well as accidental human errors, also pose rising risks.

Weak Defences
The National Cyber Security Centre has highlighted a “widening gap” between complex, fast-moving threats and the UK’s ability to defend against them—particularly in critical national infrastructure such as energy, health and transport. Many government departments still rely on outdated IT, with the National Audit Office describing the situation as “unacceptable”.

Vulnerabilities Exposed
– Outdated “legacy” systems and unsupported software remain widespread.
– Supply chains are a “weak link,” with few organisations assessing the cyber risks posed by their vendors.
– Human error continues to account for a significant share of breaches.

Calls for Action
While government strategies such as the National Cyber Strategy 2022 and a forthcoming Cyber Security and Resilience Bill promise reforms, the report stresses that uptake of resilience measures remains uneven. Small firms and public bodies, in particular, lack the skills and funding to adopt robust protections.

The POSTnote highlights gaps in regulation, including weak reporting requirements, poor accountability at board level, and the absence of legal liability for insecure software. Experts urge stronger incentives—such as mandatory minimum standards and holding vendors accountable for flaws—alongside long-term investment to modernise public sector systems.

The Bottom Line
The report concludes that cyber resilience must be treated as a national priority. Without decisive action, the UK risks financial disruption, public unrest, and even threats to life if critical systems are compromised.

The Verdict

The POSTnote pulls no punches: the UK is not keeping pace with the scale of cyber threats. Without urgent reform and investment, Britain risks financial turmoil, public unrest and even threats to life should critical systems fail.
