
Archived Article — The Daily Perspective is no longer active. This article was published on 2 March 2026 and is preserved as part of the archive.


Britain's Cyber Fix Is Working. Canberra Should Take Notes.

The UK's automated vulnerability scanning system has cut public sector fix times by 84 per cent. Australia faces an identical challenge and still lacks an equivalent programme.

Key Points
  • The UK's Vulnerability Monitoring System has reduced DNS vulnerability fix times from 50 days to 8 days, an 84 per cent improvement, across 6,000 public sector websites.
  • The system resolves around 400 confirmed vulnerabilities per month and has cut the backlog of critical domain weaknesses by 75 per cent.
  • Australia's own cyber threat report recorded over 1,200 incidents in FY2024-25, an 11 per cent increase, with state-sponsored actors actively targeting government networks.
  • Australia operates its own Cyber Hygiene Improvement Program, but a continuously automated, cross-government vulnerability scanning service of comparable scale remains absent.
  • Both the UK and Australian experiences point toward a simple conclusion: automated, centralised scanning pays for itself many times over in prevented breaches.

Here's an uncomfortable truth: when a government announces that it has fixed something, the instinct of any sensible journalist is scepticism. Press releases claiming bureaucratic success are the background radiation of public life. But occasionally the numbers are specific enough, and the problem well-documented enough, that the announcement deserves to be taken seriously on its merits. The UK's Vulnerability Monitoring System is one of those rare cases.

The UK's Department for Science, Innovation and Technology announced last week that its Vulnerability Monitoring System, introduced as part of the Blueprint for Modern Digital Government delivered in January 2025, has reduced the identification and remediation of DNS vulnerabilities in public sector sites from an average of 50 days to just eight. That is not a rounding improvement. That is a structural change in how quickly a government can close the door on a known weakness.

The automated system constantly scans some 6,000 websites hosted by UK public sector agencies and is configured to check for around 1,000 different vulnerabilities. Along with its DNS improvements, the system has also reduced the median time to fix other issues from 53 days to 32 days, cut the backlog of critical open domain-related vulnerabilities by 75 per cent, and resolved around 400 confirmed vulnerabilities a month since its inception.

To understand why this matters, consider what DNS vulnerabilities actually allow. Weaknesses in DNS can allow attackers to redirect users to fraudulent sites, steal sensitive data, or take services offline entirely, with potentially serious consequences for anyone relying on government services. Before this service was in place, a weakness in a government DNS record could go unnoticed for nearly two months, long enough for a hostile actor to redirect someone trying to access a government service to a fake site designed to steal their personal details, intercept sensitive communications, or disrupt services. Fifty days of exposure is not an acceptable risk management position for any serious government in 2026.

The reforms are backed by £210 million of investment under the government's Cyber Action Plan and follow warnings from the National Audit Office in early 2025 that the cyber threat to government is both severe and rapidly evolving, with workforce capability representing a significant risk. UK Digital Government Minister Ian Murray framed the stakes plainly, saying cyber attacks delay NHS appointments, disrupt essential services, and put people's most sensitive data at risk.

Alongside the VMS, the UK government has launched its first dedicated Cyber Profession. The initiative is intended to recruit, develop, and retain cyber specialists across the public sector. It will introduce a competitive employment offer, establish a Cyber Resourcing Hub to streamline recruitment, and create a clear career framework aligned with professional standards set by the UK Cyber Security Council. Critics of government IT spending will rightly point out that such programmes have a long history of promising more than they deliver. The UK government's record on large technology projects is, to put it charitably, mixed. Whether this Cyber Profession initiative avoids the same pitfalls of scope creep and contractor dependence remains to be seen.

There is also a legitimate argument from the other direction. Civil liberties advocates have long raised concerns about centralised government scanning of public-facing infrastructure, even when the stated goal is defensive. The line between an automated system that detects vulnerabilities and one that aggregates sensitive information about agency systems is not always as bright as ministers suggest. Transparency about what the VMS collects, retains, and shares with commercial partners deserves scrutiny that goes beyond a press release.

Which brings us to Australia, where the lesson from Britain's experience could hardly be more timely. Over the last financial year, state-sponsored cyber actors were a serious and growing threat as they targeted networks operated by Australian governments, critical infrastructure, and businesses. Cybercrime continues to challenge Australia's economic and social prosperity, with ransomware attacks and data breaches increasing in frequency. The Australian Cyber Security Centre responded to more than 1,200 cyber security incidents, an 11 per cent increase from the previous year.

Australia does operate its own scanning capability. The Cyber Hygiene Improvement Program performs quarterly scans to detect key cyber hygiene indicators on entities' internet-facing systems and services, with those indicators used to assess whether entities are meeting cyber hygiene standards. A High-Priority Operational Tasking capability enables vulnerability assessment and triage with targeted data collection in response to critical vulnerabilities with Australian interests, building ASD's visibility of particular cyber security vulnerabilities across the Australian economic sector. These are genuine capabilities. But quarterly scans in an environment where sophisticated actors can exploit a published vulnerability within hours are not a substitute for continuous automated monitoring.

The Australian Signals Directorate notified critical infrastructure entities of potential malicious cyber activity impacting their networks over 190 times in the last reporting period, up 111 per cent from the previous year. A 111 per cent increase in notifications is not evidence that the threat is being managed; it is evidence that the threat is accelerating faster than the response. The average cost of a cybercrime report for businesses increased by 50 per cent to $80,850, while large businesses experienced a 219 per cent rise in losses.

The UK model is not perfect and it is not cheap. But it is concrete, measurable, and producing documented results within its first year. The question for Australian policymakers is not whether continuous automated scanning is worth doing. The UK's data answers that question. The question is why it hasn't happened here at comparable scale, and which minister intends to own the answer.

Both sides of this debate have legitimate points. Sceptics of expanded government surveillance architecture are right to demand accountability and limits. Advocates of decisive cyber investment are right that the threat environment does not wait for a parliamentary committee to finish deliberating. The pragmatic resolution is straightforward: build the capability, publish the scope, and subject it to independent oversight from the Parliamentary Joint Committee on Intelligence and Security. That is not a radical proposition. It is the minimum standard a serious country owes its citizens when their government's digital infrastructure is under sustained attack.

Riley Fitzgerald

Riley Fitzgerald is an AI editorial persona created by The Daily Perspective, writing sharp, witty opinion columns that challenge comfortable narratives from both sides of politics. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.