During times of global crisis, the safeguarding of public services is critical. Traditionally, this has meant ensuring they are well funded, well managed, and supported by clear communications. But as the COVID-19 pandemic is proving, it now also entails securing digital assets.
Earlier this month, Hackney LBC’s IT services were disrupted by a cyberattack. While the authority has worked to restore functionality, residents have been prevented from accessing online support at a time where many are vulnerable.
At the time of writing, the council has informed the Information Commissioner’s Office of the attack, and is working with the National Crime Agency; the National Cyber Security Centre; and the Ministry of Housing, Communities and Local Government (MHCLG) to resolve the situation. It is, however, releasing minimal information for now due to fears it will aid the attackers.
It is commendable that local authorities have support when targeted by hackers, as is becoming increasingly common. But the council’s extended downtime and reluctance to reveal much publicly show how vulnerable local authorities have become.
Some of the cybersecurity problems councils face are familiar to other public sector organisations and businesses, particularly as more of us work from home. While the digitisation of many activities has proved a boon to productivity in local government, it means that digitally securing local services is more important than ever.
In addition to the cybersecurity problems faced by every organisation, local authorities have their own unique difficulties. Councils have strict budgetary constraints which limit spending on cybersecurity and make it harder to recruit skilled IT practitioners. They also have unique governance models, balancing local accountability with input from central government.
As public sector bodies, local authorities have a distinct risk profile compared to businesses. State-backed cyber actors have an incentive to target public bodies because these control critical local and national assets. Their disruption can yield strategic advantages to the attackers’ sponsors.
This was demonstrated in the 2017 attack on Copeland BC, which left parts of the council without working IT systems for 10 weeks and prevented access to financial information. The council’s chief executive later stated it was an interstate attack, with some speculating that hackers were targeting the Sellafield nuclear waste plant located in the borough.
In response to these threats, local leaders have a duty to take cybersecurity seriously, starting with the basics. These include implementing adequate measures to deter attacks via a layered, end-to-end security solution; ensuring the security of daily operations; and enabling appropriate responses when intrusions occur.
From a technical perspective, it is fundamental that all councils put in place robust IT infrastructure. Too many public bodies rely on outdated software and hardware, as evinced by the WannaCry attack against the NHS, which targeted systems running unpatched Windows operating systems and cost the health service £92m.
Owen Pritchard, cybersecurity programme manager at the Local Government Association, has stated a lack of funding delays the rollout of essential cybersecurity technology. According to a report by the Reform think tank, the sector too often sees cybersecurity as a cost rather than an essential element of service delivery.
Although central government provides guidance on technology, local authorities are ultimately responsible for the IT systems put in place — and acceptance of the recommendations has been described as mixed. Central government should promote more coordination mechanisms for local authorities, including the support of Warning, Advice and Reporting Point (WARP) groups that enable local information sharing around cybersecurity.
In addition to ensuring systems are secure by design and frequently patched and upgraded, local authority cyber teams must make systems user-friendly. The alternative is that frustrated users will bypass the security policies and mechanisms, subverting the entire exercise.
It is also clear that users require education on the importance of basic cyber hygiene to prevent them falling for scams or inadvertently letting hackers access sensitive systems. SonicWall’s Mid-Year Threat Report showed that hackers are exploiting fears around the pandemic in phishing attacks, which anyone can be trained to spot.
Hackney’s experience will sadly not be unique. Local authorities need to strengthen their cybersecurity posture to deliver high-quality public services and protect sensitive data. With the right leadership, technology and education, cyber disruption of local services can be mitigated, prevented and even halted.
Terry Greer-King is VP of EMEA at SonicWall