Archive for UK

6,000 organisations scanned as UK vulnerability monitoring service cuts unresolved flaws by 75%

Posted in Commentary on February 27, 2026 by itnerd

The UK government announced that its new Vulnerability Monitoring Service (VMS), a centralized platform continuously scanning internet-facing public sector systems for known weaknesses, has sharply reduced the time to fix serious flaws and the backlog of unresolved issues.

The service, which monitors around 6,000 public sector organizations, has helped cut unresolved security issues by roughly 75% and reduced the median time to fix critical vulnerabilities from about 50 days to approximately eight days.

Officials said the VMS detects around 1,000 different types of weaknesses each month and provides specific guidance to agencies on how to remediate them. Alongside this capability, the government is launching a dedicated “Cyber Profession” initiative to recruit, train, and retain cybersecurity experts, including a Cyber Resourcing Hub and a Cyber Academy to support long-term defensive capabilities across the public sector.

The UK government said these efforts are designed to protect public services from cyber-attacks and strengthen national cyber resilience. The announcement outlined plans for structured career pathways aligned with Cyber Security Council standards and emphasized improved detection, prioritization, and response across departments.

Denis Calderone, CTO, Suzu Labs:

   “Scanning 6,000 public sector organizations and cutting DNS fix times from 50 days to 8 is genuinely good news. Find it, assign it, track it, close it. That’s how vulnerability management should work. Worth noting though that the 84% number is specifically for domain-related issues. Other vulnerability types went from 53 days to 32, so closer to a 40% improvement. Still real progress, just not quite as dramatic.

   “The part that should give everyone pause is that these vulnerabilities were sitting across the public sector for years and nobody knew. NHS trusts, legal aid, ambulance services. Turning on a scanner and finding this much is a win, absolutely, but it also tells you just how blind these organizations were before. You can’t fix what you can’t see.

   “And this is why it kind of bugs me that the government exempted itself from the Cyber Security and Resilience Bill it’s putting on the private sector. You have to wonder what the numbers would look like if they pointed these same scanners at their own departments with actual legal obligations behind them.”

Rajeev Raghunarayan, Head of GTM, Averlon:

   “Reducing median remediation time from roughly 50 days to single digits across thousands of public sector organizations is meaningful progress. It shows that when vulnerability management is treated as an operational priority, measurable improvements follow.

   “At the same time, modern attack cycles move quickly. Even an eight-day exposure window can be significant. The real takeaway is not improved scanning alone, but operational follow through. Most organizations already have visibility into weaknesses. The challenge is translating findings into prioritized, accountable remediation and consistently shrinking the time between discovery and fix.”

Noelle Murata, Sr. Security Engineer, Xcape, Inc.:

   “The UK government’s implementation of the Vulnerability Monitoring Service (VMS) marks a significant move from reactive patching to proactive, centralized security management for 6,000 public sector organizations. This initiative drastically reduces the average time to fix critical vulnerabilities from fifty days to just eight, effectively eliminating the window of opportunity that state-sponsored attackers and ransomware groups exploit for initial access. The focus on DNS vulnerabilities is a key strategic choice, as these frequently overlooked misconfigurations are the main method used for covert redirection and data interception.

   “Complementing this technical solution is the new “Cyber Profession” initiative, which includes a Cyber Academy and a Resourcing Hub in Manchester, aiming to tackle the persistent skills shortage that has historically hindered public sector cybersecurity resilience. Crucially, the VMS approach reorients cybersecurity from a reactive “firefighting” mode to ongoing risk management. By combining this technical capacity with a structured “Cyber Profession” development program, the government is also addressing the human resource deficit that often undermines sustained resilience.

   “While scanning tools are essential, they don’t resolve vulnerabilities on their own; skilled professionals and clear accountability are what truly fix them. Other governments would benefit from observing this model. This includes mandatory, continuous scanning of Internet-facing assets, coordinated centrally but executed by individual agencies. Talent development programs that establish cybersecurity as a viable career path can close security gaps more effectively than any regulation or budget increase.

   “When governments treat patching speed as a national security metric, attackers lose their advantage: time.”

The UK government lately has been known to come up with some good ideas on the cybersecurity front. This is one of those good ideas because it forces those who are responsible for defending government networks to actually defend those networks in a way that reduces the attack surface.

UK proposes policing reforms to combat cybercrime

Posted in Commentary on January 27, 2026 by itnerd

Yesterday, the UK government announced “the largest reforms to policing since […] it was founded 2 centuries ago”, significantly in response to the rapid growth of online and cyber-enabled crime.

“Crime itself is evolving. Criminals are operating with more sophistication than ever before, within this country, across our borders and in the online world,” Home Secretary Shabana Mahmood said in a statement.

Officials say roughly 90% of crimes now have a digital element, with online fraud accounting for 44%.

The existing model is shared across 43 local police forces and is seen as poorly suited to tackling digital crimes that are often international. Under the plans outlined, the UK would create a new National Police Service (NPS) to handle serious and complex crimes, including cybercrime and large-scale online fraud. The NPS is intended to centralize capabilities and improve coordination, intelligence sharing, and investigative capacity for tech-driven crime.

The government plans to expand specialist digital skills within policing and establish clearer oversight for the use of AI and data-driven tools.

The reforms also emphasize technology and digital forensics, with investments in AI tools and centralized forensic services to address large backlogs of seized devices awaiting analysis.

Michael Bell, Founder & CEO, Suzu Labs had this comment:

   “The 43-force model made sense when crime was local. It makes less sense when ransomware operators in Russia are hitting hospitals in Leeds while coordinating on Telegram. Centralizing cyber capabilities is the right structural response but the real constraint going forward is talent, not org charts.

   “That 20,000 device backlog won’t shrink through reorganization alone. The £115 million AI investment signals they’re planning to automate through the forensics debt rather than compete with the private sector for analysts.”

Denis Calderone CRO & COO, Suzu Labs adds this:

   “Well it’s about time, honestly. You can’t fight international cybercrime with 43 fragmented local police forces. Criminals operate globally while police operate by postcode. When 90% of crimes have a digital element and 44% is online fraud, a National Police Service focused on complex digital crime makes sense. Cybercrime doesn’t respect constabulary borders.

   “That said, the 20,000 devices sitting in forensic analysis backlogs should terrify anyone. That’s not just a processing queue, that’s criminal cases going cold and victims waiting years for justice. Centralizing digital forensics could finally address this, but only if they actually fund it properly. Otherwise we’re just creating a bigger, more centralized backlog instead of 43 smaller ones.

   “Here’s where I get skeptical though. They want cybersecurity experts to join as Special Constables, but special constable numbers are down 73% since 2012. Why would a cybersecurity professional making six figures work part-time as a volunteer police officer?

   “The private sector pays better, offers remote work, and doesn’t require wearing a uniform. This recruitment strategy seems disconnected from the reality of the cybersecurity talent market. If they’re serious about bringing digital expertise into policing, they need to compete with private sector compensation, not rely on volunteerism.”

John Carberry, Solution Sleuth, Xcape, Inc. follows with this:

   “The UK government’s launch of the National Police Service (NPS) signifies a much-needed shift from a fragmented, Victorian-era system to a centralized, “cyber-first” defense strategy. Virtually all crimes now involve technology and online fraud is rampant, so isolated local policing struggles to combat borderless, tech-savvy criminals.

   “Establishing a National Police Service to consolidate cybercrime and major digital investigations promises enhanced coordination and intelligence sharing. This reform represents a significant technological leap, infusing £140 million in AI-powered forensics and suspect identification.

   “By aggregating analysis to a central location, this new system aims to overcome the current backlog of 20,000 evidentiary devices that delay digital investigations. Moreover, the mandatory “license to practice” requires all officers to possess a fundamental level of digital proficiency, indicating that technological skill is now a universal law enforcement requirement.

   “With 90% of all crimes leaving a digital trace, this restructuring enables the UK to combat crime at Internet speeds, rather than at the pace of local bureaucracy. Sustained investment, transparent governance, and the capacity to attract and retain cyber expertise are all necessary for this makeover to be successful.

   “When nine out of ten crimes are digitally enabled, a policing model that stops at a county border isn’t just outdated, it’s a gift to the modern criminal.”

This is a really good move toward making sure that crime doesn’t pay, because right now the opposite is happening, and that’s not good.

UK and China establish “Cyber Dialogue”, while EU targets “high-risk” foreign tech suppliers

Posted in Commentary on January 21, 2026 by itnerd

British and Chinese security officials are seeking to establish a “Cyber Dialogue” to discuss cyberattacks amid hacking accusations from both sides, according to Bloomberg.

According to people familiar with the matter, who spoke on condition of anonymity, the forum is intended to let security officials manage threats to each other’s national security by improving communication, allowing private discussion of deterrence measures for the first time, and avoiding and preventing escalation.

The collaboration follows a November meeting in Beijing between China’s top diplomat Wang Yi and British National Security Adviser Jonathan Powell, at which the two agreed to “confront and resolve issues” and “further enhance regular dialogues”. A month before that meeting, British officials had said they believed Chinese hackers had spied on UK government computer systems for over a decade and that Chinese state-backed actors had compromised its critical infrastructure.

Meanwhile, the European Commission unveiled an updated cybersecurity framework that would tighten protections for critical infrastructure by targeting “high-risk” foreign suppliers of digital equipment and services.

The proposed legislation marks a shift from previous voluntary guidelines toward mandatory rules, giving the Commission the authority to require removal of these high-risk vendors from key sectors such as telecommunications and other infrastructure essential to the EU’s economy and security.

Although the proposal doesn’t explicitly name specific companies, officials have previously singled out concerns over equipment from Chinese technology firms like Huawei and ZTE.

The overhaul also includes a revised Cybersecurity Act designed to secure information and communications technology supply chains, streamline certification processes, and improve incident reporting and threat alerts.

The updated law would also empower the EU Agency for Cybersecurity (ENISA) to issue early warnings and support collaboration with Europol and national response teams.

Michael Bell, Founder & CEO, Suzu Labs had this comment:

   “The Cyber Dialogue is a pragmatic move, not a naive one.

   “In March 2024, the UK publicly accused China of breaching the Electoral Commission and targeting parliamentarians’ email accounts. They sanctioned individuals linked to APT31. They summoned China’s ambassador. Beijing called the accusations “fabricated and malicious slanders.”

   “Eight months later, Wang Yi and Jonathan Powell met in Beijing and agreed to establish a Cyber Dialogue. That looks like whiplash, but there’s logic to it.

   “Cyber operations exist in a gray zone. They’re not acts of war, but they’re not peacetime activity either. Without communication channels, an incident response could be misread as aggression. Escalation becomes more likely when neither side understands the other’s red lines.

   “There’s precedent. In 2015, Obama and Xi established a cyber agreement with hotlines and joint dialogue mechanisms. US officials reported a drop in certain Chinese intrusions afterward. It wasn’t perfect. The US later accused China of violations. But it created a framework for managing the problem.

   “The UK is trying something similar. They’re not pretending the threat doesn’t exist. They publicly attributed attacks, imposed sanctions, and issued warnings about Volt Typhoon pre-positioning in critical infrastructure. Now they’re opening a channel to discuss deterrence and prevent miscalculation.

   “Whether it works depends on whether both sides actually use it. The 2015 US-China agreement produced results until it didn’t. The UK-China dialogue could follow the same trajectory. But having the channel is better than not having it.

   “The alternative, pure confrontation without communication, creates its own risks. In cyberspace, those risks are harder to see until they materialize.

   “In regards to the EU targeting “high-risk” tech suppliers, honestly, it sounds like Brussels ran out of patience.

   “The 5G Security Toolbox has been voluntary guidance since January 2020. It recommended that member states assess high-risk vendors and impose restrictions where necessary. Six years later, only 10 of 27 member states actually did anything meaningful about Huawei and ZTE. The patchwork approach created exactly the security gaps the Toolbox was supposed to prevent.

   “The new legislation fixes that by making removal mandatory. High-risk suppliers must be phased out within three years of the law taking effect. The scope expands beyond mobile networks to fixed and satellite infrastructure across 18 critical sectors: water, electricity, cloud services, semiconductors, medical devices.

   “The Commission will conduct EU-wide risk assessments based on country of origin and national security implications. ENISA gets real authority: early threat alerts, centralized incident reporting, coordination with Europol. A formal catalogue of high-risk suppliers will follow via implementing act. Huawei and ZTE are expected to be on it.

   “This is expensive. Germany alone faces an estimated €2.5 billion to replace Huawei equipment across Deutsche Telekom, Vodafone, and Telefónica. EU-wide, operators are looking at roughly €3 billion annually in higher infrastructure costs. That’s not a rounding error. It’s why voluntary guidelines failed. Member states and operators kept finding reasons to delay.

   “The legislation removes the option to delay. It’s regulatory coercion, and it’s probably necessary. Security through voluntary compliance only works when everyone complies. When half the member states ignore the guidance, you get exploitable gaps.

   “For enterprises operating in the EU, this means vendor audits, procurement changes, and certification requirements through ENISA. The three-year timeline sounds manageable until you account for supply chain constraints and the reality that everyone will be competing for the same alternative equipment.

   “Both approaches respond to the same underlying reality: Chinese state-affiliated actors have demonstrated capability and intent to compromise Western infrastructure. The UK and EU are choosing different tools to manage that risk.

   “The UK is betting that communication reduces the chance of catastrophic miscalculation. The EU is betting that removing the attack surface is more reliable than trusting dialogue.

   “Neither approach is wrong. They’re addressing different aspects of the same problem. The UK approach manages the state-to-state relationship. The EU approach manages the technical supply chain risk.

   “For enterprises, the implication is clear: you can’t rely on a single approach. You need security architecture that accounts for both diplomatic uncertainty and regulatory mandates. The technology landscape is fragmenting, and your vendor strategy needs to fragment with it.”

John Carberry, Solution Sleuth, Xcape, Inc. follows with this comment:

   “The UK-China cyber dialogue signals a shared understanding that unchecked cyber tensions pose serious escalation risks for global powers. Creating forums for discussing deterrence and intentions could minimize miscalculations, even if persistent accusations of espionage between the two nations remain unresolved.

   “Concurrently, Europe’s implementation of mandatory restrictions on “high-risk” suppliers demonstrates that dialogue doesn’t automatically equate to trust. The EU’s framework signifies a stricter stance on supply-chain security, transitioning from voluntary recommendations to legally binding regulations with tangible economic impacts. This shift from voluntary guidelines to mandatory exclusions for companies like Huawei and ZTE suggests that while the UK pursues dialogue, the wider Western approach is leaning towards complete technological decoupling.

   “ENISA’s augmented responsibilities for early warnings, incident reporting, and cross-border responses further underscore Europe’s focus on cybersecurity as a matter of technological sovereignty rather than mere IT best practices. By granting ENISA and Europol enhanced early-warning capabilities, the EU is fortifying itself against the very state-sponsored actors the UK is now engaging with diplomatically.

   “Collectively, these trends illustrate a two-pronged strategy: diplomatic efforts to influence state conduct, combined with structural defenses to mitigate systemic vulnerabilities. Cybersecurity policy is increasingly serving as both a diplomatic instrument and a component of industrial strategy.

   “You can’t build a bridge of trust with diplomacy while simultaneously bricking up the windows to keep the “partners” out of the house.”

Trust isn’t built overnight, which I suspect will mean that any real traction on this will take a while to produce results. That is fine as long as everyone sticks to it.

UK invests £210M on Action Plan to Strengthen Public Sector Cybersecurity & Software Supply Chain

Posted in Commentary on January 7, 2026 by itnerd

The UK has unveiled the Government Cyber Action Plan, a key element of which is the creation of a new Government Cyber Unit which will coordinate cyber risk management, improve visibility of risks across government, and oversee incident response and recovery. The Plan is backed by £210 million in funding, aimed at strengthening cybersecurity and digital resilience across government departments and public services.

The Plan reads: “To protect our critical national infrastructure, defend public institutions and maintain public confidence in essential public services, we must achieve a radical shift in approach and a step change in pace.” Its goals:

  1. Better visibility of cyber security and resilience risk
  2. Addressing severe and complex risks
  3. Improving responsiveness to fast moving events
  4. Rapidly increasing government-wide cyber resilience

The Cyber Unit will drive progress towards these strategic objectives by working with NCSC, departments, devolved governments, and suppliers, and will lead cross-government delivery in phases:

  • By April 2027 – build a new model for government cyber
  • By April 2029 – scale and leverage this new model
  • By April 2029 and beyond – use the model to continuously improve government-wide cyber security and resilience

The Action Plan is published alongside the Cyber Security and Resilience Bill, which defines expectations for suppliers and organizations providing services to government, and includes initiatives like the Software Security Ambassador Scheme to strengthen the software supply chain.

Here’s input from cybersecurity experts on the Action Plan.

Ted Miracco, CEO, Approov (UK mobile security expert):

    “The UK government is right to invest £210 million to fix the ‘fragile foundations’ of its legacy systems. However, the plan leaves blind spots as it pushes for faster and more accessible digital services without setting concrete, mandatory rules for mobile devices or the data connections (APIs) they rely on. Currently, this plan groups mobile security under a voluntary Software Security Code of Practice and general Secure by Design goals. This is risky as the government acknowledges that ‘generative AI’ is a top-tier threat, yet it hasn’t established specific defenses for the mobile interfaces that AI tools will inevitably target next.”

Michael Bell, CEO, Suzu Labs:

    “The UK government published a cyber strategy that names the problem. They explicitly acknowledge that government cyber risk is “critically high” and legacy systems “cannot be defended by modern cyber security measures.” The new Government Cyber Unit brings centralized coordination for risk management and incident response, which addresses the fragmented responsibility that has left departments making security decisions in isolation. The four-year implementation timeline is ambitious for government, but the phased approach is realistic. What matters now is execution, specifically whether departments actually replace legacy systems and implement the security controls the strategy mandates.”

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:

   “The plan being proposed is timely given today’s cyber threat landscape. Heightening geopolitical tensions worldwide, combined with the rapid advancement of artificial intelligence, are materially changing both the volume and sophistication of cyber attacks.

   “Threat actors continue to operate with increasingly greater capabilities, in an increasingly structured and organized space. Initial access vendors and ransomware creators now go as far as offering 24/7 customer support. This increasingly hostile environment has shifted cyber risk from a primarily technical concern that fell on IT, into a persistent strategic pressure on governments and societies.

   “The line between the public and private sectors is also increasingly thin. Essential public services depend heavily on privately operated companies, meaning failures in one domain quickly affect the other. Treating private sector cybersecurity as a national security concern is therefore both forward-thinking and prudent.”

Approaching cybersecurity in this manner is a great move. Hopefully this is an announcement that has substance behind it rather than one made for show.

LastPass Smacked Down In The UK For Being Pwned

Posted in Commentary on December 12, 2025 by itnerd

The UK ICO has fined LastPass £1.2 million following a 2022 breach that exposed personal data and encrypted password vaults belonging to up to 1.6 million UK users. Regulators found the incident stemmed from a chain of failures, beginning with the compromise of an employee’s personal device and escalating through reused credentials, third-party software vulnerabilities, and stolen cloud access keys. While LastPass’ zero-knowledge encryption remained intact, attackers were able to exfiltrate encrypted vaults and sensitive metadata, highlighting how human and personal-device risks can undermine even well-designed security architectures. The ruling reinforces regulators’ growing focus on executive access, remote work exposure, and the need to secure the human attack surface.

If you want to know more, this will help: UK fines LastPass over 2022 data breach impacting 1.6 million users

Chris Pierson, CEO, BlackCloak had this to say:

     “This case is a clear reminder that today’s most damaging breaches often begin far outside traditional enterprise controls. Attackers did not defeat encryption or zero-knowledge architecture head-on; they targeted a trusted individual, exploited a personal device, and patiently chained together small gaps until they reached high-value access. For executives and privileged users, personal and professional digital lives are inseparable, and adversaries know it. Controls within the enterprise remain critical, but they must be paired with the continuous protection of personal devices, privacy enhancements, and home network protection. Organizations that fail to secure the digital attack surface for key persons and executives in their personal lives are effectively leaving the back door open to attacks.”

The LastPass incidents (as they’ve been pwned multiple times) illustrate how important it is for organizations to close the holes that lead to this sort of thing happening. And if organizations won’t do this by default, then they need to be punished until they get the message.

UK considers ban on public sector ransomware payments

Posted in Commentary on January 15, 2025 by itnerd

On Tuesday, the UK government published a Home Office-led consultation proposing a ban on public sector and critical infrastructure organizations making ransomware payments, with the aim of disrupting ransomware gangs’ financial models and gathering intelligence to help law enforcement target their operations.

The Home Office said that expanding an existing ban on ransomware payments would help make critical services such as hospitals, schools, railways, and other essential public services less attractive targets for ransomware attacks.

In addition to the ban, mandatory reporting of ransomware incidents has also been proposed, aiming to boost UK law enforcement agencies’ access to intelligence on attacks and support international law enforcement operations targeting ransomware gangs.

“With an estimated $1bn flowing to ransomware criminals globally in 2023, it is vital we act to protect national security as a key foundation upon which this Government’s Plan for Change is built.

“These proposals help us meet the scale of the ransomware threat, hitting these criminal networks in their wallets and cutting off the key financial pipeline they rely upon to operate,” UK Security Minister, Dan Jarvis, commented.

Furthermore, the consultation will explore the implementation of a ransomware payment prevention regime, offering victims guidance on how to respond to cyber incidents. It would also help block payments to known criminal groups and sanctioned entities.

The consultation will run for 12 weeks, ending on April 8.

Evan Dornbush, former NSA cybersecurity expert had this to say:

  “Something needs to change. The economics of cybercrime favor the aggressor. Until solutions can effect an increase in attackers’ costs and/or a decrease in attackers’ revenues, there is nothing to suggest the increasing rates of attack will diminish.”

I have said for a while that nobody should ever pay a threat actor who is holding their data hostage or is threatening to leak their data. Or perhaps both. It emboldens them to do more of this which is bad for all of us. This is a start, but more needs to be done to make sure that crime doesn’t pay.

UPDATE: Lawrence Pingree, VP, Dispersive adds this:

  “The benefit of this approach is that the reward for doing the ransom goes away. Australia did a similar mandate. I think it will likely have a positive effect on larger entities where the targeting often happens.”

UK Infrastructure Unprepared For A Catastrophic Ransomware Attack

Posted in Commentary on December 13, 2023 by itnerd

In a new report, A hostage to fortune: ransomware and UK national security, a UK House of Commons committee explains how the UK is at high risk of a “catastrophic” ransomware attack and that the government is not prepared to deal with the threat.
 
The Joint Committee on the National Security Strategy found that “large swathes” of UK critical national infrastructure are vulnerable to ransomware because they are operating on outdated IT systems, such as the NHS which largely operates on legacy infrastructure, putting it in a “particularly difficult position to protect itself from cyber-attacks.”
 
There is “next to no” state support for most ransomware victims, and police forces often have a poor understanding of cyber, largely due to minimal funding and difficulty recruiting cyber specialists, since private sector pay and career progression are more appealing.
 
The Joint Committee on the National Security Strategy set out many recommendations for the UK government to improve its ability to respond to a ransomware threat, covering responsibilities, funding and training.

David Ratner, CEO, HYAS Infosec had this to say:

   “Attacks on critical infrastructure have the potential to not just cause damage but actually impact human lives; as such, the protection of critical infrastructure should be paramount around the world. Doing so requires not just updated IT systems and proper patching and processes, but a changed mindset of what protection really means — shifting from prevention to resiliency. With constantly changing attacks, the only real effective strategy going forward is for critical infrastructure everywhere to adopt operational resiliency approaches to ensure continued operations.”

The UK really has to get a handle on this. Because now that this report is out there, someone is going to take a shot at pwning them. Assuming someone isn’t in the process of doing so already.

UK Government Proposes Online Safety Bill Which May End Up Being A #Fail

Posted in Commentary on March 19, 2022 by itnerd

This could be interesting, or go horribly sideways for the United Kingdom. I say that because they have a new proposed law called the Online Safety Bill, and if execs of tech companies don’t comply, this could happen to them:

Proposed UK laws could see top managers at tech companies be jailed if they fail to meet the demands of regulators. The laws, coming in the form of an Online Safety Bill, were introduced to Parliament on Thursday after almost a year of consultation. The UK government commenced work on the proposed laws in May last year to push a duty of care onto social media platforms so that tech companies are forced to protect users from dangerous content, such as disinformation and online abuse.

Under the proposed legislation, executives of tech companies could face prosecution or jail time if they fail to cooperate with information notices issued by Ofcom, the UK’s communications regulator. Through the Bill, Ofcom would gain the power to issue information notices for the purpose of determining whether tech companies are performing their online safety functions. A raft of new offenses have also been added to the Bill, including making in-scope companies’ senior managers criminally liable if they destroy evidence, fail to attend or provide false information in interviews with Ofcom, or obstruct the regulator when it enters company offices.

The Bill also looks to require social media platforms, search engines, and other apps and websites that allow people to post their own content to implement various measures to protect children, tackle illegal activity and uphold their stated terms and conditions. Among these measures are mandatory age checks for sites that host pornography, criminalizing cyberflashing, and a requirement for large social media platforms to give adults the ability to automatically block people who have not verified their identity on the platforms. The proposed laws, if passed, would also force social media platforms to up their moderation efforts, with the Bill calling for platforms to remove paid-for scam ads swiftly once they are alerted of their existence. A requirement for social media platforms to moderate “legal but harmful” content is also contained in the Bill, which will make large social media platforms have a duty to carry risk assessments on these types of content. Platforms will also have to set out clearly in terms of service how they will deal with such content and enforce these terms consistently.

This legislation is being proposed with good intentions, but the devil is in the detail as always. For starters, differentiating between harm and free speech is fraught with difficulty. A subjective test doesn’t give technology companies the sort of certainty they need, so they might decide to take a cautious approach to what they allow on their sites, which ends up stifling free speech, open discussion and potentially useful content with controversial themes. Not to mention the fact that some tech companies may simply pull out of the UK rather than deal with this bill. And then there’s the fact that there are any number of ways to circumvent age checks and reach material that would normally not be seen in the UK under this proposed bill. In short, I think this is doomed to fail ultimately. But it will likely pass anyway, and the havoc that it will cause will be long lasting as a result.

UK Bans Default Passwords In Smart Home Gear

Posted in Commentary with tags on November 26, 2021 by itnerd

The UK government has done something that I absolutely applaud. They’ve introduced new legislation to protect smart devices in people’s homes from being hacked. Here are the details:

Recent research from consumer watchdog Which? suggested homes filled with smart devices could be exposed to more than 12,000 attacks in a single week. Default passwords for internet-connected devices will be banned, and firms which do not comply will face huge fines. One expert said that it was an important “first step”. Cyber-criminals are increasingly targeting products from phones and smart TVs, to home speakers and internet-connected dishwashers. Hackers who can access one vulnerable device can then go on to access entire home networks and steal personal data.

In 2017, for example, hackers stole data from a US casino via an internet-connected fish tank. There have also been reports of people accessing home webcams and speaking to family members. And poor security on a home wi-fi router could have been behind the uploading of illegal child abuse images from a home network that led to police accusing an innocent couple of the crime. While there are strict rules about protecting people from physical harm — such as overheating, sharp components or electric shocks — there are no such rules for cyber-breaches.

Like I said, I applaud this, if they enforce it strictly. I hope that this is something that catches on with other countries, as the more countries that take this stance, the more likely it is that companies who make smart home gear will just make their gear secure by default.

UK Police Get Around iPhone Security In A Crafty Way

Posted in Commentary with tags on December 5, 2016 by itnerd

As has been reported for a while now, Apple is a company that favors user privacy over being able to co-operate with law enforcement. That creates an interesting situation. How does law enforcement get their hands on the data that’s inside an iPhone that is locked? UK cops have a crafty way of doing this, according to the BBC:

Gabriel Yew had been under investigation for the suspected manufacture of fake cards that gangs were using across Europe to buy luxury goods. Detectives suspected that he was using an iPhone exclusively to communicate to other members of the network but knew if they arrested him, he could refuse to unlock it and they would never see incriminating evidence.

They considered whether they could legally force a suspect’s finger or thumb on to the device’s fingerprint reader to unlock it, but found they had no such power.

However, they concluded they could stage their own lawful “street robbery” – using a similar snatch technique to a thief – and in June a team set out to do precisely that.

Undercover surveillance officers trailed Yew and waited for him to unlock his phone to make a call – thereby disabling the encryption.

One officer then rushed in to seize the phone from Yew’s hand – just as would happen in a criminal mugging. As his colleagues restrained the suspect, the officer continually “swiped” through the phone’s screens to prevent it from locking before they had downloaded its data.

“The challenges of pin code access and encryption on some phones make it harder to access evidence in a timely fashion than ever before,” said Det Ch Insp Andrew Gould who led the operation.

“Officers had to seize Yew’s phone from him in the street. This evidence was crucial to the prosecution.”

Well, that’s crafty for sure. And it’s likely legal to boot. But I can see one way for the bad guys to protect themselves from this. All they have to do is keep a finger on the sleep button if they have an iPhone 6 or 7. If they do that, it’s just one finger twitch and the phone goes back into their pocket in a locked and secured state. I’m also sure that some high tech means to avoid this situation will appear as well (if they haven’t already). So this may just be the start of an “arms race” between the bad guys who want to protect what’s on their phones, and law enforcement who wants access to that data.