Recommendation 7

DSIT told us that it was a matter of urgency that the issue of legacy systems in government is addressed, not only to take advantage of the opportunities offered by AI, but also to address other risks including cyber security vulnerabilities. It emphasised prioritising the “systems that have the most valuable data” and “the highest levels of security vulnerability”.9 It added 4 C&AG’s Report, para 2 and Figure 1; DSIT, A blueprint for modern digital government, January 2025 5 Committee of Public Accounts, Use of AI in Government- Written evidence 6 Qq 18, 22 7 DSIT, State of digital government review, January 2025, pp 5, 17 8 Q 44; CDDO, Transforming for a digital future: 2022 to 2025 roadmap for digital and data, updated September 2023 9 Q 50 10 that this was both a software and hardware problem.10 However, it also warned that there is no magic bullet, it will take hard work over a long time to fix, and acknowledged that it needed to get a better grip on the issue.11 Concerning hardware, DSIT emphasised the importance of cloud services as a way for government to move away from maintaining large data centres, although we note in this case the potential trade–off between concentrating usage to achieve greater value for money and diversifying providers to seek greater resilience and security.12 As part of our inquiry into Government cyber resilience, the Cabinet Office told us that “quite a lot of our legacy systems are operating off a very small number of cloud providers, and until you fix some of the legacy issues, it is very difficult to move off some of the cloud services that are there”.13 We will consider this issue further in later scrutiny.