Published on 23/08/22

With cyber security an ever-present and growing threat to local authorities, a recent All Party Parliamentary Group (APPG) on Cyber Security heard from iESE and two other industry experts about the challenges facing the sector.

Dr Andrew Larner, Chief Executive of the local government consultancy iESE, presented to the audience which included MPs, Peers, academics and industry attendees, alongside David Woodfine, Managing Director of Cyber Security Associates and David Cowan, Head of ICT at Copeland Borough Council.

Dr Larner addressed the attendees first, highlighting the increasing cyber threat levels faced by local authorities. He told the APPG attendees that local authority is not meeting the current threat level, while the opportunity for threat is only going to significantly increase. “The point I made is that we are currently assessing the threat level against the digital and technology environment of the past, and actually we need to assess it against the environment of the future,” he explained.

The Operational Technology (OT) environment – technology that interfaces with the physical world such as traffic lights – is increasingly becoming connected to the internet, leading to greater risk that parts of the UK’s critical infrastructure are vulnerable to cyber-attack. While cyber security currently focuses mostly on the protection of data, a cyber-attack affecting OT has potential safety implications. “The future, which includes driverless cars, for example, is an environment that if you were a terrorist would be music to your ears,” explained Dr Larner.

The capabilities of the “traditional” cyber-attack on an organisation’s IT systems are also rapidly developing. “What is increasingly happening is that the complexity of attacks is increasing, and the complexity of the complex end is increasing,” explained Dr Larner. For example, a polymorphic attack changes its nature and what it does after launch. The SolarWinds attack, in 2020, saw a legitimate software update infected and passed on. “It was shocking that a legitimate update could be taken after the certificate was set, infected, and passed on, and that is relatively simple in comparison to the attacks that are now available. The chances of attackers trying to take out a local authority has risen and the chances of them succeeding has risen,” he added.

David Woodfine, Managing Director of Cyber Security Associates, then spoke about the threat posed by state-sponsored groups targeting public sector. He told the attendees: “The public sector and critical national infrastructure have always been prime targets for state-sponsored hackers. From a local government perspective, they are going to be a prime target and that is not just trying to take data or a ransomware attack now, it is also about trying to destroy data just to be disruptive. The term cyber disrupter is quite key now. The cyber threat is getting worse because the attackers are using more and more sophisticated tools.”

He also spoke about the need for greater information sharing between local government organisations. While the Cyber Security Information Sharing Partnership (CiSP) already exists for all cyber security professionals in both private sector and government departments to sign up to and share information confidentially, Woodfine believes there could be a role for a similar scheme just for the local government sector. “How do you get advance warning and how do we share information and not keep it to ourselves? How do we learn individually and help collectively?” he asked.

The idea of the development of a centralised cyber security capability was also raised by Woodfine, where cyber security is offered as a service which all local government organisations could use. “Rather than have their own bespoke cyber security plans and services, this would give local authorities the ability to reach into a single organisation to provide a single approach to managed services, to protection, training and policies,” he told attendees. “It is all about how we can stay one step ahead. We can’t do things in isolation, hence the need for information sharing and the single suite of capabilities.”

Lastly, David Cowan, Head of ICT at Copeland Borough Council, addressed the audience from the perspective of a local authority which had been victim of a serious cyber-attack in 2017. He talked about the need for collaboration and said that, as a sector, local government was generally not at the level of preparedness it needed to be.

The three expert speakers at the APPG on Cyber Security held in May were brought together by the local government consultancy iESE, an organisation which is not-for-profit and owned by local government. It offers a shared resource to help the sector modernise by introducing leading-edge best practice technology and ideas via its consultancy and digital arms.

To discuss your cyber needs with iESE, please click here to book a 1:1 with a member fo our team at a time and date suits you.