Public Sector Cyber Security shifts to DSIT in Machinery of Government overhaul

Responsibility for government and public sector cyber security has been transferred from the Cabinet Office to the Department for Science, Innovation and Technology (DSIT), Prime Minister Sir Keir Starmer has announced, in a move aimed at consolidating technology expertise and improving cyber resilience across Whitehall.

Making a statement to the House of Commons, Starmer said the change - effective immediately - will “strengthen technology resilience and policymaking across the public sector, by better integrating cyber security responsibilities and expertise into the Government Digital Service.”

The transfer marks a significant machinery of government shift and follows growing concerns around the coherence and effectiveness of cyber governance, raised most recently by the National Audit Office (NAO).

In its March 2024 report on government cyber resilience, the NAO found that “there is no single point of leadership and accountability for cyber security in government,” and that this fragmentation had undermined the Government’s ability to respond effectively to increasing threats.

“The Cabinet Office has responsibility for cyber policy, but delivery sits with departments, while GDS and CDDO both play roles in setting standards and monitoring progress,” the NAO observed. “The result is a system where oversight is spread across multiple bodies, with insufficient clarity over who is accountable for what.”

Bringing cyber security under DSIT, which already leads on wider science and technology strategy, is intended to address these issues by embedding cyber resilience more directly into the digital infrastructure of government. It also places the responsibility closer to the operational delivery of services via GDS, which DSIT sponsors.

The change comes as government faces mounting pressure to improve cyber maturity across departments. According to the NAO, just 6 out of 14 departments assessed in 2022 had reached a ‘minimum required’ level of cyber resilience, and only 2 had achieved an ‘advanced’ rating.

The report also warned of “overreliance on central government to drive change,” highlighting that many departments “do not yet have the capability, capacity or incentives” to make cyber security a priority.

Starmer’s announcement suggests a clearer line of accountability may now be established. However, the success of the transition will depend on DSIT’s ability to assert authority across departments and coordinate efforts at a time of growing risk.

In a separate change, the Prime Minister also confirmed that responsibility for defence exports promotion will move from the Department for Business and Trade to the Ministry of Defence (MoD), effective from 31 July. This shift, he said, would “develop a single defence export offer,” improving performance and aligning export activity more closely with MOD’s procurement and international engagement strategies.

Security and cyber exports will remain with the Department for Business and Trade, reflecting their broader commercial and international trade focus.

The reshuffle of departmental responsibilities comes at a time when the Government is under pressure to demonstrate greater strategic coherence in both cyber resilience and industrial policy.

The NAO concluded that “until government clarifies roles, responsibilities and accountability,” it will remain “limited in its ability to manage national-level cyber risks effectively.”

Whether these reforms deliver the coherence and leadership long called for remains to be seen.