Tom Bell is a City Councillor for Peartree in Southampton. He has a background in patent law and is currently a cyber security consultant for a Hampshire-based research company.
Across the full spectrum of government activity, technology is absorbing the processes and infrastructure which keep the country moving. Since 2011, the Government Digital Service (GDS) has sought to promote ‘Government as a Platform’ – a concept whereby the government shares a common set of digital systems, technology, and processes which enable it to develop services fit for the digital age.
This has been a huge step towards leveraging the benefits which technology presents in order to make government more effective and more efficient. The Cabinet Office is clearly committed to standing by their ‘digital by default’ mantra and the transformation to digital at government level has considerable momentum. However, while central government is on the right path, local government needs to follow in its footsteps.
In July, the Government Digital Service, alongside the Ministry of Housing, Communities and Local Government, published the Local Digital Declaration, which provides local authorities with the guiding principles to help them to deliver digital services and platforms that meet the needs of local communities. This is something which I hope every council will soon be signed up to, because it provides the right guidance for transforming local councils to improve services right across the spectrum of council activities, and can facilitate efficiency savings for council budgets in the process. However, as more council services are transferred into cyberspace, the threat of cyber-attacks increases.
The Cabinet Office has recently awarded the Local Government Association (LGA) a grant to conduct a comprehensive stocktake of the cyber security strategies of councils across the UK. This is part of the Government’s 25 year National Cyber Security Strategy in recognition of the evolving cyber-threats faced by government, local authorities and businesses, and the need for a national plan to respond to this threat.
It signals that the Government is concerned that many councils across the country are not taking the necessary steps to secure sensitive data and to protect critical infrastructure from cyber-criminals and terrorists, so-called ‘hacktivists’ and foreign state actors.
This is because local councils present a unique cyber-security threat. The capacity for a malicious attacker to damage or to extract valuable information is particularly high with local councils, simply due to the sensitive nature of the information held. However, at the same time, local councils are often not equipped with a commensurate cyber-security strategy. This means that there are unique incentives for certain attackers to target local government. Cyber-attacks on councils could expose them to the loss of personal data of thousands of residents; undermine procurement or legal proceedings by revealing strategic information; and even lead to widespread fraud or theft.
There is a near certain chance that councils will be victims of successful cyber-attacks in the future. If the necessary precautions are not put in place, it is only a matter of time before councils could suffer significant loss of revenue as well as damaged trust with the public.
This is why, alongside a £7.5 million injection from the Government to assist councils to transform online services, the Local Digital Declaration requires councils to “champion the continuous improvement of cyber security practice to support the security, resilience and integrity of our digital services and systems”. Through working for several cyber security companies on many public-sector projects, I recognise the risks and the necessary steps that must be taken in order to secure the digital services of local councils.
Here are three areas that councils should look at immediately in order to reduce the likelihood of suffering from a breach of IT security, as well as to limit the damage of a successful cyber-attack.
Responsibility: As with every area of the council’s operation, it is important that there is a Cabinet Member who is responsible for the council’s cyber security. The Leader of the Council must accept ultimate responsibility, but where another elected Member has experience or interest in this area, there should be a clear scheme of delegation which puts responsibility explicitly in the hands of the front bench.
Prevention: An investigation earlier this year found that UK local authorities have experienced more than 98 million cyber-attacks over the past five years. This means that councils need to take the necessary steps to prevent cyber-attacks from being successful. Make sure every council employee undergoes cyber-resilience training; ensure your IT infrastructure is designed to be secure from the ground up; and commission professionals to conduct comprehensive cyber-security tests on a regular basis.
Response: Of course, most cyber-attacks are successfully defended against; however, more than one in four councils was subject to a serious security breach in the last five years. Your cyber strategy must recognise that a breach is likely and you must design your IT system and response procedure in order to minimise the potential damage of a data breach.
It is important that local councils commit to the Local Digital Declaration in its entirety and work with the National Cyber Security Centre as well as the LGA to implement the right design principles in order to ensure cyber resilience. Whether you work in local government or are simply a good member of your local community, we must all step up to the plate and hold our council leaders to account. What a shame it would be if all the hard work of Conservative councillors and activists across the country was put to waste by a careless attitude towards cyber security.