Local Government holds a vast amount of personal information on individuals. This information is used to pay benefits, protect the vulnerable and help them deliver essential services. All this information makes Local Government departments a key target for cybercriminals looking for opportunities to steal data, money and cause widespread disruption. To help Local Government understand the threat they face the Department for Communities and Local Government has issued a paper titled Understanding Local Cyber Resilience.
Although a relatively short paper, it highlights what are perceived to be the six key threats to Local Government IT systems. These are:
- Cybercrime: While the main goal is to monetise their attacks this is not just about defrauding councils. Stealing the details of residents, redirecting users to unauthorised websites purporting to act on the council in order to steal identities and payment data are just two examples. The paper also highlights the use of council networks as a platform to launch other attacks by using them as a vast, remote controlled, botnet. As council networks are often trusted, their traffic is less likely to be blocked in the early stages of an attack.
- Hacktivism: Local councils are often a target for such attacks based on local issues. Such attacks are not confined to directly controlled infrastructure but, as the report highlights, also include attacks on the social media accounts of council members. This allows them to spread misleading information using what is seen as an official channel.
- Insiders: This is a threat for all organisations irrespective of public or private, small or large. The report talks about how easy it is for an insider to gather large amounts of sensitive information easily due to their access and permissions.
- Physical Threats: This is more about disaster recovery and business continuity and it is included presumably to remind councils that they have to think about where they store their data. The report does use the phrase "local authorities are starting to share services and locations to provide resilience in a cost effective way" but stops short of using the word "cloud".
- Terrorists: Not the first group that come to mind when talking about cyber resilience of Local Government. The focus of the warning here is more around the use by terrorists of the skills of hacktivists when they have a common goal. What it doesn't talk about is the need for better protecting critical infrastructure from terrorists. Councils hold records of where all distribution lines for gas, power, oil, telephony, water and other services run. An attack by a terrorist could easily identify key areas of intersection that would enable targeted attacks.
- Espionage: As trusted networks, Local Government users already have access to central Government services. This means that they can be used to gain access to information about sensitive data. The paper fails to give any UK examples of an espionage related breach relying instead on an attack that took place in Canada.
One of the interesting points made in the paper is that it takes a long time to clean council networks so even the smallest attack may force services offline for hours or even days. The paper goes on to mention challenges such as reputational management, something commercial companies are worried about, and states that this is also a concern for councils.
To help councils adopt the right Cyber Security approach, the report directs the readers to the Communications-Electronic Security Group (CESG) guide titled 10 steps to Cyber-security. While initially written for businesses, the 10 steps apply to any organisation and include:
- Information Risk Management Regime - Assess the risks to your organisation’s information assets with the same vigour as you would for legal, regulatory, financial or operational risk.
- Secure configuration - Introduce corporate policies and processes to develop secure baseline builds, and manage the configuration and use of your ICT systems.
- Network security - Connecting to untrusted networks (such as the Internet) can expose your organisation to cyber-attacks.
- Managing user privileges - All users of your ICT systems should only be provided with the user privileges that they need to do their job.
- User education and awareness - Produce user security policies that describe acceptable and secure use of your organisation’s ICT systems.
- Incident management - Establish an incident response and disaster recovery capability that addresses the full range of incidents that can occur.
- Malware prevention - Produce policies that directly address the business processes (such as email, web browsing, removable media and personally owned devices) that are vulnerable to malware.
- Monitoring - Establish a monitoring strategy and develop supporting policies, taking into account previous security incidents and attacks, and your organisation’s incident management policies.
- Removable media controls - Produce removable media policies that control the use of removable media for the import and export of information.
- Home and mobile working - Assess the risks to all types of mobile working (including remote working where the device connects to the corporate network infrastructure) and develop appropriate security policies.
Council IT teams are also encouraged to join the Cyber-security Information Sharing Partnership (CiSP), part of CERT-UK in order to share information on threats.
While this has been published as a primer for Local Government the content applies just as much to private companies, especially those working with government at any level, It has been written primarily for a non-technical audience making it easy to understand. This makes is a good document for senior members of any organisation to read in order to get a quick understanding of some of the threats in the market.