Long-term, monolithic government technology contracts are hampering cybersecurity efforts, according to a Cabinet Office technology defence body.
Technology contracts build in security from the beginning, but some are not well thought through and can, as a result, become dated and restrictive, Steve Marsh, deputy director of the Office of Cyber Security (OCS), said on Wednesday.
"The threat landscape changes rapidly," Marsh told the Commons Science and Technology Committee. "To react to that as change happens — it's not as good as we'd like it to be, because we're tied into contracts that people haven't thought about. On the other hand, we're very good at building security into systems."
Part of the problem lies in "opportunistic" terms in monolithic contracts, Marsh told the committee. "We could probably be better at procuring large IT systems," he said.
The problem also lies with the length of the contracts, Marsh told ZDNet UK on Wednesday. Security requirements change quickly, while contracts can run for years with the same terms and service agreements.
"Some contracts are quite long term, so when they are replaced the threat landscape is different," Marsh said. "In some cases, the original wording of the contract doesn't allow certain responses that we need."
The problem is not restricted to any particular contract, but applies across government, he added.
Government and UK IT systems in general face a number of different threats, Marsh told the committee. High-volume, low-level fraudulent e-crime is the most common type of threat to systems and, along with more sophisticated attacks, has caused widespread economic damage, he said. High-impact attacks on critical national infrastructure, although they have a low likelihood of success, still pose substantial risks to networks, he added.
Neither Buying Solutions — the organisation that provides frameworks for contracts between the government and suppliers — nor the Cabinet Office had responded to requests for comment at the time of writing.