Legacy Apps at UK Agency Create Cyber Risk, Warns Watchdog
Nearly One-Third of Apps at Defra No Longer Supported, Says National Audit Office
About one-third of the applications used by the U.K. government agency responsible for agriculture and the environment are no longer supported, making the agency vulnerable to cybersecurity incidents, warns the national public spending watchdog.
The Department for Environment, Food and Rural Affairs handles 21 million customer transactions each year, including payment collection. Prior to centralizing its digital functions in 2014, components of the sprawling agency introduced their own digital applications to the point where legacy apps including locally maintained databases and spreadsheets now total nearly 2,000.
Of that number - 1,962, to be precise - 30% are no longer supported, says the National Audit Office in a report.
The agency embarked on a three-year, 366-million-pound IT modernization program earlier this year but officials told the watchdog they had asked for 629 million pounds. The smaller amount is sufficient to resolve some of the major operational and cybersecurity risks plus augment the automation of some processes. But it's "not enough to fund a broader digital transformation of all legacy services or reduce cybersecurity and resilience risks to an acceptable level," the watchdog wrote.
The department in 2020 submitted an estimate that it would cost 726 million pounds over a four-year period to replace legacy infrastructure with a target completion year of 2030. That spending amount put Defra second only to the Home Office in the size of spending needed to remediate its technical debt.
The department has to date avoided a major incident, but the consequences of an attack against an application that cannot be updated could be devastating. An outage of the agency's plant health certification service would provoke a weeklong halt to international trading in plants, seeds and organic materials. An app that supports livestock registration and bovine tuberculosis surveillance is "old, complex, highly customized and built on products that are mostly out of support."
A Defra spokesperson told Information Security Media Group that the agency is issuing guidelines for standardizing IT systems and migrating applications to a cloud-hosted environment.