BACKED by over £210 million, the Government Cyber Action Plan published today sets out how the government will rise to meet the growing range of online threats — but experts warned it is “pocket change” and that “£210m sounds impressive until you remember the Jaguar Land Rover hack cost 0.5% of GDP”.
Driven by a new Government Cyber Unit, the plan is expected to rapidly improve cyber defences and digital resilience across government departments and the wider public sector, so people can trust that their data and services are protected.
It underpins UK Government plans to digitise public services. This, the Government claims, will make more services accessible online, reduce time spent on phone queues and paperwork and enable citizens to access support without repeating information across multiple departments.
This approach could unlock up to £45 billion in productivity savings by using technology effectively across the public sector.
Released as the Cyber Security and Resilience Bill has its Second Reading in the House of Commons, the Bill sets out clear expectations for firms providing services to the government to boost their cyber resilience.
Facing down the cyber threat
From energy and water suppliers to healthcare and data centres, the Government says strong defences throughout supply chains will help keep the water running and the lights burning – facing down the cyber attackers who want to grind the country to a halt.
Digital Government Minister, Ian Murray, said: “Cyber-attacks can take vital public services offline in minutes – disrupting our digital services and our very way of life.
“This plan sets a new bar to bolster the defences of our public sector, putting cyber-criminals on warning that we are going further and faster to protect the UK’s businesses and public services alike. This is how we keep people safe, services running, and build a government the public can trust in the digital age.”
But experts said the investment simply isn’t proportionate to the scale of the threat.
Remember Jaguar Land Rover
Colette Mason, Author & AI Consultant at London-based Clever Clogs AI, said: “£210m sounds impressive until you remember the Jaguar Land Rover hack cost 0.5% of GDP. That’s the real benchmark here. Not whether we have a plan, but whether this plan can actually plug holes faster than an army of attackers find them.
“The Government Cyber Unit is operating within a sprawling patchwork of national and international suppliers, contractors and legacy systems holding up every digital service. You can’t secure a leaky bucket by pouring in more money if you haven’t mapped and patched every crack first.
“Even with perfect visibility, no security protocol ever stops humans being phished or going rogue. Are we funding resilience that scales with threat evolution, or are we building yesterday’s defences for tomorrow’s attacks?
“Digitising services only works if the infrastructure underneath can handle pressure, not just from hackers, but from the humans already inside the system. Trust isn’t built with announcements. It’s earned when systems hold under repeated fire.”
“Pocket change”
Rohit Parmar-Mistry, Founder and AI Specialist at Burton-on-Trent-based Pattrn Data, also had concerns about the level of investment and the implementation.
He said: “The government is dangling a dazzling £45bn in ‘productivity savings’ while throwing pocket change at the security required to protect it. This is classic ‘boardroom fantasy’ maths: executives get addicted to the efficiency numbers on a spreadsheet but refuse to pay for the concrete foundation needed to support them.
“In my experience, you cannot automate your way out of structural inefficiency. Digitising a bad manual process doesn’t fix it, it just means you get bad results at light speed, now with added cyber risk.
“If this new Cyber Unit is just another layer of bureaucracy ticking boxes, it will fail. We need to stop selling digitisation as a magical cost-cutting exercise and start treating it as critical infrastructure.
“Security isn’t a feature you bolt on later to save money, it’s the cost of doing business. Don’t confuse a press release with protection.”
Human input essential
Meanwhile, Mitali Deypurkaystha, AI Strategist & Author at Newcastle upon Tyne-based Impact Icon AI, worries that “across cybersecurity, like many other industries, we’re quietly replacing junior roles with AI and automation”.
She continued: “As an AI strategist, I welcome AI as an assistant. But when it replaces people, it chokes the talent pipeline. Entry-level cyber roles used to be the training ground where judgement was formed. That’s how we grew mid-level professionals.
“Mid-level cyber is not technical work. It’s decision work. It’s interpreting AI outputs, making risk trade-offs under uncertainty and, crucially, explaining impact to non-technical leaders.
“These are precisely the things AI struggles with — and that humans are essential for. If we automate the bottom of the ladder for short-term savings, we shouldn’t be surprised when there’s no one standing in the middle to save us from complex cyber threats.”
