Source · Select Committees · Public Accounts Committee

Recommendation 6


Set out levers and instruments for a fundamentally different approach to government cyber resilience.

Recommendation
Government’s work to date has not been sufficient to make it resilient to cyber attack by 2025, and meeting its 2030 aim to make the wider public sector cyber resilient will require a fundamentally different approach. The Cabinet Office’s focus on implementing its initiatives, such as GovAssure, has been at the expense of it coordinating a cross-government plan that challenges departments to meet their cyber resilience targets. The cyber risk to government is now extremely high and the Cabinet Office does not expect to meet its aim for “government’s critical functions to be significantly hardened to cyber attack by 2025”. Its aim for the whole of government and the wider public sector to be “resilient to known vulnerabilities and attack methods no later than 2030” is very ambitious. This is only achievable if government moves further and faster than it has before. The Cabinet Office assured us it is planning to take a fundamentally different approach for how it operates in future. It is reassuring that the Cabinet Office is learning from the experience of Australia, Canada and other international governments as it designs its new approach to improving government’s cyber security and resilience. We would welcome the greater transparency on public sector resilience levels that the Australian Government has used successfully to improve accountability.

Recommendation: Following the conclusion of the 2025 Spending Review, the Cabinet Office should set out what levers and instruments the centre of government will use to take a fundamentally different approach to cyber resilience.
Government Response Summary
The government commits to publishing a new Government Target Operating Model for Cyber and Digital Resilience which will outline how government will organize and operate to manage cyber risks. DSIT will then set out implementation plans for this model later in 2025.
Government Response Accepted
HM Government Accepted
The government agrees with the Committee’s recommendation. Resilience, which will set out how government and the public sector should organise itself and operate to understand, govern, and respond to cyber and digital resilience risk. Later in 2025, DSIT will set out plans for implementation of this model, and how it will enable the delivery of a strong and interventionist approach to cyber and digital resilience.