
As geopolitical tensions continue to rise, so do the very real risks of a ‘cyber cold war’. Russia has named the UK, rather than the US, as its number-one target for cyber-attacks, and this should be a serious cause for concern.
The UK’s public infrastructure is in one of the most vulnerable positions, relying largely on legacy infrastructure that cannot keep up with the rapid pace of new, sophisticated and AI-enhanced attack methods. What’s more, recent research has found that public sector organisations in the UK take an average of 315 days to fix half of their software vulnerabilities – two months longer than other industries. This has allowed a mass of security debt to accumulate over time, leaving gaping holes in the sector’s cybersecurity protection. And the problem is only getting worse.
We must see this as a national emergency before the public sector organisations we all rely on are compromised and exposed to critical cyber threats.
The public sector problem
There is a huge disparity in the public sector between those fixing security flaws quickly and those that are struggling to tackle the load. We are seeing a growing divide between leading departments fixing 50% of flaws in just over three months, compared with laggards that are taking nearly a year to do the same.
But why does this disparity exist?
One of the problems is the skills shortage. As in most industries, the digital skills gap continues to be a problem, and the wider developer shortage is having a knock-on effect on security debt. Budget and skills vary widely across government organisations, which, for already time-poor security teams, means an inconsistent approach to security debt.
Another is the pressure to roll out new features to keep pace with the private sector, leaving many security fixes deprioritised unless they are deemed absolutely critical. More companies are sleepwalking into security debt because severity is not the main driver of flaw remediation. Lack of alignment across a fragmented industry means what is considered a ‘priority’ also often varies from organisation to organisation.
AI’s effect on security debt
Finding flaws is the easy part, but organisations are drowning in security debt as they struggle to keep up with a growing attack surface and increasingly sophisticated cyber intrusions. AI-generated code is silently compounding security debt across public sector supply chains.
Alongside the evolution of sophisticated AI tools, flaws have become increasingly complex and difficult to fix. Of the 80% of public sector applications that had at least one flaw, 62% contained a weakness in a category the CWE Top 25 ranks among the most dangerous. The scale of attacks has outpaced human capacity to respond, lengthening flaw remediation times and, in turn, increasing exposure to exploitation.
As applications become bigger and incorporate more third-party components, the scope for potential flaws increases, making it more time consuming to remediate issues.
This exposure to breaches is set to increase as more teams adopt AI for code generation, despite the risks these models present. Our recent report found that nearly half (45%) of the top 100 LLMs produce code containing security vulnerabilities, with no real improvement in newer or larger models. With almost 80% of public sector organisations having already accrued some level of security debt, the issue will only worsen without action.
Getting government cyber resilience back on track
But hope is not lost. There are ways for public sector organisations to overcome security debt and improve cyber resilience. With visibility and proper integration across the entire software development life cycle (SDLC), organisations can prevent net new flaws from being introduced through automation and feedback loops. This can be achieved at scale with AI, using existing AI capabilities to boost fix capacity and speed.
The upcoming cyber policy measures set to be introduced later this year will be critical for the automation of flaw remediation. Legislation like the UK’s upcoming Cyber Security and Resilience Bill will be a long-term solution to help direct the entire supply chain on what needs to be fixed, whilst holding bad actors accountable.
With third-party flaws being one of the biggest contributors to security debt, it’s time organisations thoroughly evaluated the third-party software they depend on. Using software composition analysis (SCA) to identify and avoid components riddled with flaws can eliminate major issues across applications. True prioritisation is also essential – if everything is a priority, then nothing is. Fixing the most severe flaws first is a quick win for time-poor developers.
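As an added illustration (not from the article and not Veracode’s own tooling), the following Python script shows how the remediation metrics discussed above can be computed from a scan export: the “days to fix half of the flaws” figure, the open findings that have outlived a remediation SLA (the accumulated debt), and a severity-first triage order. The finding fields, the 90-day SLA, the severity scale and the sample data are assumptions, and the CWE set is a small subset of the CWE Top 25 chosen for the demo.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed: a few CWE ids from the CWE Top 25 (XSS, SQL injection, out-of-bounds write).
CWE_TOP_25 = {79, 89, 787}

@dataclass
class Finding:
    app: str
    cwe: int
    severity: int           # scanner score, 1 (low) .. 5 (very high); assumed scale
    opened: date
    closed: Optional[date]  # None while the flaw is still unremediated

def days_to_fix_half(findings: List[Finding]) -> Optional[int]:
    """Days until half of the findings were closed; None if half are still open."""
    fix_days = sorted((f.closed - f.opened).days for f in findings if f.closed)
    needed = -(-len(findings) // 2)  # ceil(n / 2) closures are required
    if len(fix_days) < needed:
        return None
    return fix_days[needed - 1]

def security_debt(findings: List[Finding], as_of: date, sla_days: int = 90) -> List[Finding]:
    """Open findings that have outlived the remediation SLA: the accumulated debt."""
    return [f for f in findings
            if f.closed is None and (as_of - f.opened).days > sla_days]

def prioritise(findings: List[Finding], as_of: date) -> List[Finding]:
    """Open findings, most dangerous first: CWE Top 25 membership, severity, then age."""
    return sorted((f for f in findings if f.closed is None),
                  key=lambda f: (f.cwe in CWE_TOP_25, f.severity, (as_of - f.opened).days),
                  reverse=True)

# Constructed sample: six findings across three fictional public-sector apps.
T0 = date(2024, 1, 1)
def D(n): return T0 + timedelta(days=n)
SAMPLE = [
    Finding("benefits-portal", 89, 5, D(0), D(31)),     # fixed in 31 days
    Finding("benefits-portal", 20, 2, D(10), D(340)),   # fixed in 330 days
    Finding("gp-booking", 79, 4, D(60), None),          # open for 440 days at AS_OF
    Finding("gp-booking", 787, 5, D(400), None),        # open for 100 days
    Finding("council-tax", 200, 3, D(450), None),       # open for 50 days
    Finding("council-tax", 22, 3, D(100), D(220)),      # fixed in 120 days
]
AS_OF = D(500)

if __name__ == "__main__":
    print("days to fix half of the flaws:", days_to_fix_half(SAMPLE))
    print([f"{f.app} CWE-{f.cwe}" for f in prioritise(security_debt(SAMPLE, AS_OF), AS_OF)])
```

Grouping the sample by `app` before calling `days_to_fix_half` gives the per-department comparison used to separate leaders from laggards.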
Securing the state starts with fixing flaws
In the public sector, modern cyber security is about addressing real risk with comprehensive visibility across systems and services. Whilst there are challenges like legacy infrastructure, tight budgets and the AI evolution to contend with, rethinking government cyber defence strategies is no longer optional. It’s essential for protecting critical infrastructure and restoring public trust.

John Smith
John Smith is CTO EMEA at Veracode. He has over 20 years in information security and has specialised in application security since 2004. John currently leads the EMEA solution architecture team, helping organisations improve software security and reduce risk. Previously, he was a Senior Solution Architect at IBM.