Cybersecurity & Digital Policy 7 January 2025 10 min read

The Government's New Cyber Action Plan: What It Promises and What It Leaves Unsolved

£210 million investment focuses on reactive measures while fundamental architectural vulnerabilities remain unaddressed

✍️ By UKPoliticsDecoded Editorial Team
UK Government Cyber Action Plan analysis - examining reactive security measures versus proactive architectural cybersecurity

The government has announced a new £210 million Cyber Action Plan, presented as a major step toward strengthening the resilience of public services against rising cyber threats. It arrives alongside the Cyber Security and Resilience Bill, currently progressing through Parliament, and is framed as essential to protecting citizens as more services move online.

The plan promises clearer visibility of risks, faster incident response, stronger central coordination, and improved resilience across government. But beneath the confident language lies a deeper tension: the measures are largely reactive, not proactive, and they do not address the structural vulnerabilities created by the government's own digital transformation agenda.

🎯 Cyber Action Plan Overview

  • £210 million investment in cybersecurity across government departments
  • New Government Cyber Unit for centralized coordination and response
  • Software Security Ambassador Scheme targeting supply chain vulnerabilities
  • Enhanced incident response and risk visibility requirements
  • Reactive approach that doesn't address underlying architectural risks

🎯 What the Cyber Action Plan Claims to Deliver

According to the government, the plan will transform cybersecurity across public services through five key pillars designed to create a more resilient digital government:

A. Improve Visibility of Cyber Risks

Departments will be required to surface and report cyber and digital resilience risks more consistently, enabling central oversight and targeted intervention. This represents a shift from departmental silos toward comprehensive risk mapping across government.

B. Strengthen Central Coordination

A new Government Cyber Unit will coordinate risk management and incident response across departments, taking the lead on complex, cross-government threats. This centralised approach aims to eliminate gaps in communication and response during major incidents.

C. Speed Up Incident Response

Departments must maintain robust incident response arrangements to minimise harm and accelerate recovery when attacks occur. This includes standardised protocols, improved communication channels, and faster escalation procedures.

D. Raise Resilience Across Government

Targeted investment will close major gaps in cyber defences, particularly for critical services such as healthcare, benefits, and taxation. This includes upgrading legacy systems, implementing modern security controls, and enhancing monitoring capabilities.

E. Reduce Software Supply Chain Risk

A new Software Security Ambassador Scheme will promote secure by design practices across major vendors, responding to the rise in software supply chain attacks that have targeted government systems globally.

🌟 Government's Stated Benefits

  • Protecting public services from increasingly sophisticated cyber threats
  • Enabling safe digital transformation across government departments
  • Unlocking up to £45 billion in productivity gains through secure digitisation
  • Maintaining public trust in online government services
  • Strengthening the UK's position as a global leader in cybersecurity

This is the official narrative: more digital services → more risk → more central coordination → more resilience. The government presents this as a comprehensive solution that balances innovation with security.

⚠️ The Plan's Core Limitation: It Is Largely Reactive

Despite the confident framing, the measures are overwhelmingly reactive rather than proactive. This fundamental limitation undermines the plan's ability to address the root causes of cybersecurity vulnerability in government systems.

What the Plan Focuses On (Reactive Measures)

The Action Plan concentrates on improving response capabilities rather than preventing vulnerabilities from arising in the first place:

  • Detecting risks: Better monitoring and reporting of existing vulnerabilities
  • Responding to incidents: Faster coordination when attacks succeed
  • Coordinating after problems occur: Improved crisis management capabilities
  • Uplifting minimum standards: Patching existing systems to meet basic requirements
  • Improving reporting: Better visibility into problems that have already occurred
  • Enforcing compliance: Ensuring departments follow reactive security protocols

What a Proactive Strategy Would Prioritise

A genuinely proactive approach would focus on preventing vulnerabilities through fundamental design changes:

🛡️ Proactive Security Measures

  • Architectural redesign: Building systems that are inherently more secure
  • Data minimisation: Reducing the amount of sensitive information stored and shared
  • Decentralisation: Eliminating single points of failure through distributed architecture
  • Zero trust by default: Assuming breach and limiting lateral movement
  • Secure by design procurement: Only acquiring systems that meet strict security baselines
  • Reducing interdependencies: Limiting cascading failure risks

None of these appear as structural commitments in the plan. The government is strengthening the defences around the system, not the design of the system itself.

🚨 The Real Risk: Cross Service Access and Centralised Data

The UK's digital transformation agenda is built on principles that fundamentally increase systemic cybersecurity risk. While the Cyber Action Plan addresses operational security, it ignores the architectural vulnerabilities created by this transformation strategy.

The Digital Transformation Model

The government's "digital first" approach relies on extensive integration and data sharing:

  • "Tell us once" principles: Citizens provide information once for use across multiple departments
  • Cross department data sharing: Automatic information exchange between agencies
  • Unified digital identity: Single credentials for accessing multiple government services
  • Centralised citizen records: Comprehensive profiles combining data from multiple sources
  • Shared platforms: Common infrastructure like One Login and shared data hubs
  • Multi department access: Single databases serving multiple government functions

How This Creates Systemic Risk

Each aspect of digital transformation introduces vulnerabilities that no amount of incident response can fully mitigate:

💥 Systemic Vulnerability Categories

  • Single points of failure: If One Login is compromised, multiple services are simultaneously affected
  • Larger attack surface: More integrations mean more interfaces, APIs, and potential vulnerabilities
  • Higher blast radius: A breach in one department can cascade across others through shared data
  • Supply chain concentration: Small number of vendors underpin large parts of infrastructure
  • Insider threat amplification: Centralised access increases impact of compromised credentials

Real World Examples of Cascading Risk

The interconnected nature of modern government systems means that individual breaches can have system wide impacts:

Vulnerability type | Potential impact | Action Plan response
One Login compromise | Simultaneous access to tax, benefits, health, and other services | Faster incident response, not architectural redesign
Shared database breach | Multiple departments lose access to citizen information | Better monitoring, not data minimisation
Major vendor compromise | Supply chain attack affecting multiple government systems | Ambassador scheme, not vendor diversity

The Action Plan does not address these architectural risks. It assumes the existing model is sound and focuses on patching around it.

🔍 Why This Happens: Structural Constraints, Not Individual Failings

It's tempting to conclude that advisers "aren't fully knowledgeable," but the reality is more systemic. The focus on reactive rather than proactive measures stems from structural constraints within government policy making.

A. Policy Teams Dominate; Systems Architects Are Scarce

Government cyber policy is often shaped by risk managers and governance specialists, not deep technical architects:

  • Risk managers: Focus on identifying and mitigating known threats
  • Governance specialists: Emphasise compliance, reporting, and coordination
  • Policy officials: Prioritise implementable solutions within existing frameworks
  • Technical architects: Often consulted late in the process or not at all

This leads to policy-heavy, architecture-light solutions that address symptoms rather than root causes.

B. Political Incentives Reward Visible Action

Ministers can easily announce reactive measures that show immediate progress:

✅ Easy to Announce

  • New cyber units and coordination centres
  • Increased funding for incident response
  • Enhanced monitoring and reporting schemes
  • Ambassador programmes and industry partnerships
  • Upgraded security standards and compliance requirements

❌ Difficult to Announce

  • "We redesigned the data architecture over 5 years"
  • "We reduced interdepartmental dependencies"
  • "We removed a centralised database to reduce systemic risk"
  • "We slowed digital transformation to improve security"
  • "We increased costs to reduce long term vulnerabilities"

The political system naturally produces incremental fixes rather than structural reform because the former can be communicated and implemented within electoral cycles.

C. Vendor Dependency Shapes the Ecosystem

When the same companies build systems, advise on risks, sell solutions, and now act as "Software Security Ambassadors," there is a built-in bias toward approaches that preserve existing relationships:

  • Centralisation preferences: Larger contracts for fewer vendors
  • Platform consolidation: Solutions that expand existing vendor relationships
  • Incremental improvements: Updates that preserve current architecture
  • Dependency preservation: Avoiding changes that would reduce vendor importance

This is not about individuals being unknowledgeable; it is about the incentives of the entire ecosystem pushing toward solutions that benefit existing stakeholders rather than fundamental security improvements.

⚖️ The Core Tension the Plan Doesn't Resolve

The Cyber Action Plan attempts to address a fundamental contradiction in government policy, but it cannot resolve the underlying tension between efficiency and security.

What the Government Wants

The digital transformation agenda prioritises integration and efficiency:

  • More integration: Seamless data sharing between departments
  • More data sharing: Comprehensive citizen profiles across services
  • More centralised digital services: Single platforms serving multiple functions
  • More automation: Algorithmic decision making and service delivery
  • Lower costs: Economies of scale through shared infrastructure

What Security Requires

Robust cybersecurity demands separation and redundancy:

  • Higher resilience: Systems that continue operating despite individual component failures
  • Lower systemic risk: Isolated failures that don't cascade across services
  • Reduced attack surface: Fewer interfaces and integration points
  • Distributed architecture: Multiple independent systems rather than single platforms
  • Higher costs: Redundancy and separation require additional investment

The Unresolved Contradiction

These goals are fundamentally in conflict. You cannot maximise both centralisation and resilience without major architectural safeguards, and those safeguards are not part of the plan.

🎭 The Political Illusion

The Cyber Action Plan creates the impression that this contradiction can be resolved through better coordination and faster response.

But coordination cannot eliminate architectural vulnerabilities, and incident response cannot prevent systemic failures caused by excessive interdependence.

🛠️ What a Truly Proactive Approach Would Look Like

A genuinely proactive cyber resilience strategy would require fundamental changes to how government systems are designed, procured, and operated. These measures would be expensive, politically difficult, and technically complex, but they would actually reduce systemic risk.

A. Architectural Redesign

Shift from centralised to distributed models where possible:

  • Microservices architecture: Break large systems into smaller, independent components
  • API first design: Standardised interfaces that don't require direct database sharing
  • Federated identity: Multiple identity systems that can interoperate without central dependency
  • Service mesh security: Built in encryption and access controls between system components
  • Failure isolation: Design systems so individual component failures don't cascade

B. Data Minimisation

Reduce the amount of data held, shared, and retained:

  • Purpose limitation: Data collected only for specific, defined uses
  • Automatic deletion: Default expiration for personal information
  • Local processing: Analysis performed where data is collected, not centrally
  • Selective sharing: Only specific data elements shared, not complete records
  • Anonymisation by default: Personal identifiers removed unless specifically required

C. Zero Trust by Default

Assume breach, limit lateral movement, enforce strict segmentation:

🔒 Zero Trust Implementation

  • Continuous verification: Every request authenticated and authorised
  • Least privilege access: Minimum necessary permissions for each function
  • Network segmentation: Isolated zones preventing lateral movement
  • End to end encryption: Data protected throughout its lifecycle
  • Behaviour monitoring: Anomaly detection for unusual access patterns

D. Mandatory Secure by Design Procurement

No system should be procured unless it meets strict security baselines:

  • Security first requirements: Technical security criteria as primary evaluation factors
  • Threat modelling mandatory: Detailed analysis of potential attack vectors before procurement
  • Open source preferences: Auditable systems over proprietary black boxes
  • Vendor security standards: Suppliers must demonstrate their own cybersecurity practices
  • Regular security audits: Ongoing evaluation throughout system lifecycle

E. Reduced Interdependencies

Limit cross department access unless absolutely necessary:

  • Departmental autonomy: Services can operate independently when connections fail
  • Redundant capabilities: Multiple systems can perform critical functions
  • Graceful degradation: Services continue with reduced functionality during outages
  • Isolated backups: Recovery systems that don't depend on primary infrastructure
  • Manual overrides: Human processes for critical functions when systems fail
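The "blast radius" and "single point of failure" arguments made in the Systemic Vulnerability Categories section above, and the failure isolation and graceful degradation points in this section, can be checked rather than asserted: encode an architecture as a dependency graph and compute what a single component failure takes down. The script below is an added illustration written for this page; it is not from the article or from any government programme. The two architectures, the service and vendor names, and the split between "hard" dependencies (the dependent stops working) and "soft" dependencies (the dependent keeps running with reduced functionality) are all constructed assumptions chosen to mirror the centralised and federated models the article describes.

```python
"""Blast-radius analysis of a service dependency graph.

Constructed example: two hypothetical public-service architectures are
encoded as dependency graphs and the transitive impact of losing or
compromising any single component is computed for each.
"""
from collections import deque

# graph[node] maps each dependency to "hard" (node cannot operate without it)
# or "soft" (node degrades but keeps running).  Names are illustrative only.

# Centralised model: every portal hard-depends on one identity platform and
# one shared citizen database, each of which sits on a single vendor.
CENTRALISED = {
    "tax-portal":      {"one-login": "hard", "citizen-db": "hard"},
    "benefits-portal": {"one-login": "hard", "citizen-db": "hard"},
    "health-records":  {"one-login": "hard", "citizen-db": "hard"},
    "driving-licence": {"one-login": "hard", "citizen-db": "hard"},
    "one-login":       {"identity-vendor": "hard"},
    "citizen-db":      {"cloud-vendor": "hard"},
    "identity-vendor": {},
    "cloud-vendor":    {},
}

# Federated model: each portal has its own identity provider and data store,
# and only soft-depends on a cross-department lookup broker.
FEDERATED = {
    "tax-portal":      {"tax-idp": "hard", "tax-store": "hard", "tell-us-once-broker": "soft"},
    "benefits-portal": {"benefits-idp": "hard", "benefits-store": "hard", "tell-us-once-broker": "soft"},
    "health-records":  {"health-idp": "hard", "health-store": "hard", "tell-us-once-broker": "soft"},
    "driving-licence": {"dvla-idp": "hard", "dvla-store": "hard", "tell-us-once-broker": "soft"},
    "tax-idp": {}, "tax-store": {},
    "benefits-idp": {}, "benefits-store": {},
    "health-idp": {}, "health-store": {},
    "dvla-idp": {}, "dvla-store": {},
    "tell-us-once-broker": {},
}

CITIZEN_SERVICES = {"tax-portal", "benefits-portal", "health-records", "driving-licence"}


def reverse_edges(graph):
    """Map each component to {dependent: kind} for the nodes that rely on it."""
    dependents = {}
    for node, deps in graph.items():
        for dep, kind in deps.items():
            dependents.setdefault(dep, {})[node] = kind
    return dependents


def impact(graph, failed):
    """Return (down, degraded) sets for the loss of a single component.

    Failure propagates transitively along hard edges only; a node reached
    through a soft edge is degraded, not down, and does not propagate further.
    The visited set makes this safe on graphs with cycles.
    """
    dependents = reverse_edges(graph)
    down, degraded = set(), set()
    queue = deque([failed])
    while queue:
        node = queue.popleft()
        for dependent, kind in dependents.get(node, {}).items():
            if dependent in down:
                continue
            if kind == "hard":
                down.add(dependent)
                degraded.discard(dependent)
                queue.append(dependent)
            else:
                degraded.add(dependent)
    return down, degraded


def citizen_impact(graph, failed):
    """Number of citizen-facing services that stop working if `failed` is lost."""
    down, _ = impact(graph, failed)
    return len(down & CITIZEN_SERVICES)


def single_points_of_failure(graph, threshold=2):
    """Components whose loss takes down at least `threshold` citizen services."""
    return sorted(n for n in graph
                  if n not in CITIZEN_SERVICES and citizen_impact(graph, n) >= threshold)


def worst_case(graph):
    """Largest citizen-service outage any single component failure can cause."""
    return max(citizen_impact(graph, n) for n in graph)


if __name__ == "__main__":
    for name, graph in (("centralised", CENTRALISED), ("federated", FEDERATED)):
        print(f"{name}: worst single failure downs {worst_case(graph)}/{len(CITIZEN_SERVICES)} "
              f"services; single points of failure = {single_points_of_failure(graph)}")
    down, degraded = impact(FEDERATED, "tell-us-once-broker")
    print(f"federated broker loss: down={sorted(down)}, degraded={sorted(degraded)}")
```

Run as written, the centralised graph reports four components (the identity platform, the shared database, and the vendor behind each) whose loss takes all four citizen services down, while the federated graph has no component that downs more than one; losing the shared broker degrades all four federated portals but downs none of them, which is the graceful degradation property this section calls for. The useful part for a practitioner is that the same function runs unchanged over a real architecture inventory, so the "no single component may down more than N services" rule can be checked before procurement rather than discovered during an incident.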

F. Long term Investment in In house Capability

Reduce reliance on external vendors for core infrastructure:

  • Government technical teams: In house expertise for critical systems
  • Open standards adoption: Avoiding vendor lock in through proprietary systems
  • Skills development: Training programmes for government cybersecurity professionals
  • Research partnerships: Collaboration with universities rather than just commercial vendors
  • Strategic capability: Government ability to understand and control core digital infrastructure

These approaches are long term, unglamorous, and politically difficult, but they are what actually reduce systemic risk rather than just improving responses to inevitable failures.

🎭 The Software Security Ambassador Scheme: Promise vs. Reality

The plan's flagship Software Security Ambassador Scheme exemplifies the gap between reactive announcements and proactive solutions. While presented as innovative, it represents a continuation of the vendor dependent approach that creates rather than solves systemic vulnerabilities.

What the Scheme Promises

The government positions the ambassador scheme as addressing supply chain security:

  • Vendor engagement: Major software providers commit to security improvements
  • Best practice sharing: Companies demonstrate secure development approaches
  • Early warning systems: Faster notification of vulnerabilities and patches
  • Standards alignment: Common security criteria across the supplier ecosystem
  • Industry leadership: UK positioned as global model for supply chain security

What It Actually Represents

The scheme institutionalises rather than reduces vendor dependency:

🔄 Vendor Dependency Cycle

  • Regulatory capture: Companies that create problems become official solution providers
  • Barriers to entry: Small, innovative suppliers excluded from "ambassador" status
  • Concentrated risk: Fewer, larger vendors controlling more government infrastructure
  • Innovation stagnation: Established players protected from competitive pressure
  • Accountability dilution: "Partnership" relationships reduce accountability for failures

Alternative Approaches

True supply chain security would require structural changes to procurement:

  • Vendor diversity mandates: Requirements for multiple suppliers in critical areas
  • Open source priorities: Preference for auditable, transparent systems
  • Smaller contract limits: Preventing any single vendor from becoming systemically important
  • Regular supplier rotation: Avoiding long term dependencies on individual companies
  • In house alternatives: Government capability to replace critical vendor functions

💭 Conclusion: Security Theatre vs. Systematic Reform

The Cyber Action Plan represents a meaningful uplift in operational resilience, but it does not address the deeper architectural vulnerabilities created by the government's own digital transformation agenda. The plan strengthens the response to cyber threats, but not the foundations of the systems being defended.

The £210 million investment will undoubtedly improve incident response, enhance coordination, and upgrade some legacy systems. The new Government Cyber Unit may prevent some attacks from spreading between departments. The Software Security Ambassador Scheme might encourage better practices among major vendors.

But these improvements occur within a fundamentally flawed architecture that prioritises efficiency and integration over resilience and security. The plan assumes that better coordination can resolve the contradictions between centralisation and cyber resilience, when in reality these goals remain fundamentally in tension.

🎯 Critical Assessment

  • Action Plan improves operational security but ignores architectural vulnerabilities
  • Reactive measures cannot address systemic risks created by excessive centralisation
  • Political incentives favour visible announcements over long term structural reform
  • Vendor dependency is institutionalised rather than reduced through ambassador schemes
  • True proactive security requires fundamental changes to system design and procurement

As public services become more interconnected, the UK faces a choice: continue layering reactive controls onto centralised systems, or confront the structural risks head on through long term architectural reform.

The current approach resembles building higher walls around a house with a weak foundation. The walls may keep out some intruders, but they cannot prevent the building from collapsing under its own contradictions.

Real cyber resilience requires acknowledging that some efficiency gains are not worth the systemic risk. It means accepting higher costs for redundancy and separation. It means slowing digital transformation to ensure security keeps pace. It means choosing boring, distributed architectures over exciting, integrated platforms.

Until that shift happens, the UK's cyber resilience will remain dependent on patching, coordination, and rapid response, rather than true systemic security. The Action Plan represents security theatre: visible activity that creates the impression of comprehensive protection while leaving fundamental vulnerabilities unaddressed.

The question is not whether the plan will improve cybersecurity; it will, incrementally. The question is whether incremental improvements to a fundamentally flawed architecture can provide the resilience that digital government requires. The evidence suggests they cannot.