Legacy IT: Saving money by holding onto old tech is costing us all billions

Report demands that the government clean up its act with technology or risk huge IT bills and damaging cyberattacks.
Written by Liam Tung, Contributing Writer

Nearly half the money the UK is spending on IT goes on supporting legacy IT systems – to the tune of £2.3bn a year.

That sum amounts to about half of the £4.7bn the central government spent on tech in 2019, according to a new report from the Cabinet Office that highlights the cost of maintaining legacy systems or 'keeping the lights on'.

"A recent analysis by government security indicates that almost 50% of current government IT spend (£2.3b out of a total central Government spend of £4.7bn in 2019) is dedicated to "keeping the lights on" activity on outdated legacy systems, with an estimated £13-22bn risk over the coming five years," the report notes.

As the report highlights, the technical debt that taxpayers are lumbered with includes important operational services that are provided by out-of-date legacy systems, often built on obsolete technical platforms or using programming languages that are no longer widely supported.

Beyond costs, the report acknowledges increased cybersecurity risks and an inability to introduce new government services, because "worthy but dull" is more attractive than risking spend on new IT systems.

"Some departmental services fail to meet even the minimum cybersecurity standards, and the inability to extract usable data from these legacy systems," the study notes. 

It also singles out the Home Office, which has the biggest tech budget, noting it has "not been able to retire any of their twelve large operational legacy systems."

The report comes as the National Cyber Security Centre (NCSC) – a part of spy agency GCHQ – has raised alarm bells over ransomware and data breaches. Recently appointed NCSC CEO Lindy Cameron in May called on boards to promote CISOs to the same level as top legal counsel and finance officers following recent software supply chain attacks.

The UK is also taking a stab at boosting government online services through the new Government Digital Service (GDS) department, which is looking to improve online tax return services. 

The UK still hasn't figured out how to implement something like Sweden's BankID system, which provides an effective nationwide web- and smartphone-based identity scheme through the nation's banks that's used to sign payments for and sign in to websites of telcos, all government agencies, and even small businesses.

The report calls out agencies for not having a systematic way of reviewing operational metrics, such as uptime, the number of attempted cyberattacks, and system efficiency. 

Surveys with agency digital chiefs also turned up procurement problems and "frustration around the level of duplication" and a lack of information-sharing between departments. 

And the government's efforts towards gathering data for better decision-making are basically being wasted.

"Our investigations suggest that many government departments are investing significant sums in collecting and storing often very large datasets but making little use of this data to influence action of decision making," it notes. 
