As more local bodies introduce technology to reduce costs and improve community engagement, their vulnerability to cybersecurity breaches is increasing. As Patricia Moore reports, those threats are very real.
Are local authorities increasingly aware of the potential for damage from cybersecurity breaches? In late 2017, Paul Ash, head of the National Cyber Policy Office in the Department of the Prime Minister and Cabinet, said very little was known about the state of cybersecurity in local government. There’s general agreement that not much has changed.
Tony Krzyzewski, director, SAM for Compliance, says it’s important for councils not to end up focusing on responses to widely-published attacks while, at the same time, ignoring internal issues that can be considered to be a threat.
“An attack is usually externally originated, but there are many threats to the confidentiality, integrity and availability of council-controlled information or systems that can result from ineffective cybersecurity-related controls.”
Based on his current experience with local authorities, Tony says he would describe the threat level as high.
“I know of councils that have suffered from ransomware and others that have lost availability to core resources as a result of incidents. In the past year we’ve seen information held by councils being breached through third party application vulnerability and I have no doubt there are other incidents that have not made it into the national press.”
Lack of information on known breaches may be due to the absence of a Mandatory Data Breach Notification (MDBN) scheme, says Sunil Sharma, risk and cybersecurity lead at GHD Digital.
“Such schemes allow governments to collect key breach information that can be shared across industry and government to assist in strengthening cybersecurity programmes.”
And, according to Datacom’s Mark Matijevic, director, local government, another reason is that the CIO is frequently third tier in councils rather than second, so IT doesn’t have high visibility at executive level.
“Cybersecurity is often seen as a set of technologies that are implemented by IT rather than there being an understanding of the risk that applies to the whole organisation.”
As an essential infrastructure for local government it needs to be viewed this way, rather than as something incidental, he says. “Once IT infrastructure is viewed as essential it will have the same risk management processes put around it as do other essential services like roading and water.”
When it comes to getting cybersecurity as a topic at the top table in councils, David Eaton, associate director, cybersecurity at Datacom says it’s helpful to look at workplace health and safety as an example.
“That was driven by legislative initiative first and then it began to be seen as a topic that required executive-level engagement. With legislative changes coming next year I think this is what will happen with cybersecurity in local government. When this comes into force, councils will be on the hook for mandatory disclosure in the event of the breach of any data involving personal information.”
As one of the key repositories for citizen data, councils are a lucrative target for cyber criminals to access Personally Identifiable Information (PII) that can be sold on the ‘dark web’, says Sunil.
“Whilst ‘hacktivists’ may also be perpetrators of cyber attacks to make social or political points, nation state attacks on government entities and critical infrastructure are on the rise globally.” February’s hack on the Australian Parliament (perpetrated by what prime minister Scott Morrison called a “sophisticated state actor”) is an indication that rogue nations are looking to gain insights and potentially interfere with electoral processes to gain political advantage, says Sunil.
“New Zealand government agencies and some of our larger councils that hold citizen data and other critical information are not immune to such attacks in the future.”
Sunil says a lack of cybersecurity awareness programmes means council employees are an easy target for phishing-type attacks. “These entail hackers using seemingly legitimate business or authority email addresses to gain personal or business information.”
Look at the general statistics, says David; “Over 60 percent of vulnerability comes through email phishing campaigns. Phishing is the area of greatest risk for councils. So, developing the ‘human firewall’ is key. This is about continued training and monitoring.”
He also highlights the risks involved in not ‘playing out’ cybersecurity incidents – “running a cybersecurity scenario with their tech, ops and comms people. Councils need to think through questions such as who is qualified to speak? What will they say? Who will make the call to remove systems and/or services from the public?
“Many people believe a cyber incident is just an incident but the reality is that it can take months to resolve, particularly if the hacker has been inside a long time.”
Tony believes – and has been “saying it for years” – that the most important thing councils can do is get operational and cybersecurity basics under control.
“Without fundamental controls in place councils leave themselves vulnerable. Equally important is being able to measure the effectiveness of those controls and be willing to adapt process and operational priorities to ensure that the controls are being well implemented.”
Sunil says another challenge facing councils is their limited inhouse cybersecurity resources, often relying predominantly on an IT team which may, or may not, have the right skills to tie the organisational risks across to a pragmatic security programme.
“Local authorities need to raise the profile of cybersecurity with appropriate funding and have a clear strategy and vision towards a cybersecurity programme. This must also include more rigour to evaluate the maturity of their third-party providers.”
We can learn, he says, from “friendly nations and neighbours” and take proactive measures to make national cybersecurity a key priority, backed by appropriate funding and facilitating cross-industry and government collaboration.
While the solutions may not be simple, Tony notes it’s pleasing to see the level of awareness within councils has risen noticeably over the past year.
“The ALGIM Cybersecurity Programme was launched last November and over 20 percent of councils are now enrolled.”
And, he says benchmarking across participating councils is seeing the awareness level reaching up from the IT operations area to executive level where cybersecurity risk is now being seen as a major concern.
And in another positive move, reports indicate information systems managers are being given additional resources to help them work through the process of reducing cybersecurity risks, says Tony.
“In the past, managers have frequently been pushed back with requests for additional resources. But now, with awareness levels increasing, it’s clear that councils are seeing risk reduction as an investment rather than an expense.”
• Patricia Moore is a freelance writer. firstname.lastname@example.org
This article was first published in the May 2019 issue of NZ Local Government Magazine.