Local Government Magazine

Cyber security for critical infrastructure: getting it right

By Mike Manson, Chief Executive of ALGIM (Association of Local Government Information Management)

On a Wednesday morning at a small district council, the two IT staff are working through the never-ending to-do list when ransomware hits. Systems go down, phones start ringing, and no one is quite sure what to do next. It’s not a scenario anyone in local government looks forward to, but it’s a scenario that will have very different outcomes depending on the council that draws the short straw.

When we talk about security in local government, our first thoughts tend to go towards how well communities and councils are prepared to respond to severe weather events. Just as daunting, but less visible, is the reality of where we are with cyber security in local government – and our government knows it.

You might remember the media coverage from last year, when the National Cyber Security Centre joined international partners in calling out malicious activity by the group Salt Typhoon. Or, earlier this year, when the Manage My Health platform was hit by ransomware. The threat landscape has shifted, and our current voluntary approach to cyber security has gaps that are becoming harder to ignore.

The government is now consulting on what’s needed to enhance the cyber security of our critical infrastructure. ALGIM recently submitted on that consultation, drawing on survey results from councils across the country.

Cyber security: a priority for Councils

Unsurprisingly, the survey showed strong agreement across the board around the importance of cyber security. It’s clear that essential services need protecting, and that moving toward mandatory requirements is broadly the right call.

One of the clearest findings in our submission is the sector’s view on what counts as critical infrastructure and how that should be determined. Water services, wastewater, stormwater, and civil defence are viewed across all councils as needing mandatory requirements. 

There’s also strong agreement that criticality should be assessed based on the consequences of service disruption, not on the size or structure of the organisation delivering it. A small district council running a drinking water network carries just as much risk for the community as a large city council.

Below that broad agreement, things get more nuanced, which is useful information for decision-makers.

Confidence, readiness, and funding resilience correlate closely with council size, the scale of the services they deliver and how much reform pressure they are already under. Larger city and regional councils tend to have dedicated ICT staff, established governance frameworks, and existing investment in security tools. 

Small Councils stretched

For smaller city and district councils, it’s a different story. Many are working with minimal internal cyber capability – often a generalist IT role – and rely on third-party providers. Their concern is that they’re already stretched, and without additional support, new compliance obligations will have an impact on other duties. 

For those already navigating water reform, capacity in the short term is limited. This places increasing importance on the timing and sequencing of any changes.

Governance has also popped up in the conversation. Most councils now report cyber risk increasingly showing up in their audit and risk processes, which is a positive shift. 

But the conversation about personal liability for elected members and senior officers is more complicated. There are concerns around being held responsible for decisions that they haven’t made, essentially introducing more risk at a governance level without any more control.

Lessons from Oz

ALGIM’s Head of Analysis, John Hannan, recently dug into how Australia has approached this, and there are some useful lessons for us. Australia’s reforms did put cyber security on governance agendas and improved awareness of national threats. But the implementation also had unintended consequences for local government, utilities, and smaller operators.

Incident reporting requirements with unclear thresholds pulled focus away from response and recovery during live incidents. Compliance obligations landed on councils for systems operated by third-party providers – creating more paperwork instead of better security. And when transition periods ended, not everyone was ready for the quick shift to enforcement.

For Councils of all sizes

We believe that we have a genuine opportunity here. We all agree that there’s a need for change, and the data from our submission is clear about where the gaps are, and where the pressure points will land. With phased implementation, clear guidance, and targeted support for smaller councils, we can build a regime that’s both effective and achievable for all councils, not just the ones who are already doing things well.

Cyber threats are not waiting for us to get our settings right or waiting for us to line up the right change management programme. This is why the design is so important. If we get this wrong, it’ll eat into time that we are already short on, alongside being unnecessarily expensive, disruptive, and deeply unfair to councils who are already doing their best with what they have.

We’re headed in the right direction, and I feel that we know where we want to end up. We just need to make sure that the path to get there is one that every council can actually walk.
