Without standardized guidance, FOI disclosures can unintentionally aid cyber‑adversaries while eroding public accountability, threatening both security and trust in government services.
The tension between openness and security has long shaped public‑sector policy, but the rise of sophisticated cyber threats has tipped the balance. Freedom of Information legislation was crafted to shine a light on decision‑making, yet when applied to cyber‑governance it can reveal defensive playbooks, escalation thresholds, and system architectures that attackers can exploit. This paradox is magnified in the UK’s health and emergency services, where disparate FOI responses create a patchwork of visibility that confuses citizens and hampers coordinated risk management.
Recent analyses highlight three recurring patterns: a size paradox where well‑resourced organisations default to denial, an accountability displacement that pushes responsibility onto federated bodies, and a compliance theatre where formal metrics mask superficial board engagement. These dynamics are not merely bureaucratic quirks; they translate into tangible security gaps. When a fire service lists the number of cyber‑training sessions, it satisfies transparency but offers no insight into strategic resilience. Conversely, a large trust’s blanket refusal under Section 24 may conceal critical weaknesses, leaving the public unaware of systemic risks.
A pragmatic solution lies in calibrated transparency. By classifying cyber information into governance processes, aggregate outcomes, and operational parameters, policymakers can mandate disclosure where public interest outweighs gaming risk, while safeguarding details that would aid adversaries. Requiring explicit justification for any exemption would create an audit trail, elevate board accountability, and provide the Information Commissioner’s Office with data to refine exemption guidance. Such a framework not only protects national security but also restores the original intent of FOI—transparent, accountable governance—without handing attackers a playbook.