UK.gov ministers clam up on just how decrepit their IT systems are

Succession of secretaries serve up cut and paste answers on progress identifying "red-rated" systems

A parade of of UK government ministers has stonewalled a series of questions from Labour’s Matt Rodda about their progress identifying and remediating “red rated” systems within their departments.

“Red-rated” systems are those considered most at a “critical” level of risk under the Cabinet Office’s Central Digital and Data Office's (CDDO) Legacy IT Risk Assessment Framework, published in September, 2023.

Labour’s shadow minister for AI and intellectual property, Matt Rodda, has been firing questions at ministers, asking exactly how many red-rated systems their departments had managed to identify.

Rodda was treated to a flurry of answers yesterday from the Department of Defence, the Department for Work and Pensions, the Ministry of Justice, and the Cabinet Office.

However, while these capture a large swathe of government, with different ministers, secretaries of state, and permanent secretaries – and presumably, different IT systems - the answers were eerily similar.

James Cartlidge, minister of state at the MoD, replied, “It is not appropriate to release sensitive information held about specific red-rated systems or more detailed plans for remediation within the Ministry of Defence’s IT estate, as this information could indicate which systems are at risk, and may highlight potential security vulnerabilities.”

See also: One single HMG department is running 600+ unsupported applications

For the Home Department, minister Chris Philp, replied, “It is not appropriate to release sensitive information held about specific red-rated systems or more detailed plans for remediation within Home Office IT estate, as this information could indicate which systems are at risk, and may highlight potential security vulnerabilities.”

Though he added that the CDDO had a programme to support departments with legacy IT and that “Departments have committed to have remediation plans in place for these systems by next year (2025).”

The MoJ’s parliamentary undersecretary of state, Mike Freer, said…precisely the same as Philp. As did the Cabinet Office’s parliamentary secretary, Alex Burghart.

The MoJ was slated by the National Audit Office earlier this year over delayed IT projects and mounting technical debt.

So, eight months on from the CDDO highlighting the risks associated with legacy systems UK citizens can rest easy that the politicians responsible for addressing those risks have, at least, mastered the use of cut and paste. Broadly speaking.

For the DWP, parliamentary undersecretary of state, Paul Maynard referred Rodda to a previous answer explaining the department had identified no less than six red rated systems. There had been no changes since, Maynard added.

Why disclosing the DWP’s roster of red-rated systems does not present a security risk remains a mystery.

Separately, Chris Philp supplied a series of answers to questions from Labour’s Siobhain McDonagh about the Police National Computer.

These showed that there had been 111 planned outages since 2015, with 163 unplanned outages. Planned and unplanned outages peaked in 2015, at 22 and 48 respectively. However, last year they came in at 17 and 18, respectively a jump on the previous year. For the first quarter of 2024, they came in at 4 and 6 respectively.

Philp said regular security checks were undertaken on the PNC. And, he added, “PNC has a number of back up servers for resilience and mirroring to provide a Disaster Recovery capability from a secondary site.” There were “numerous” backup servers at both the primary and security sites, he said, though revealing the exact numbers “increases the operational risk to PNC.”

Get the latest episodes directly in your inbox