Councils need to consider security in supply chains and use assurance frameworks, writes Mark Arcatinis, principal cyber security consultant at SCC Digital
The demands of cyber resilience on local authorities are becoming increasingly complex, not just in terms of technology and the methods adopted by cyber attackers, but in uncertainties over supply chains and assurance regimes.
The move to cloud systems, the opportunities and threats in the rise of AI, the possible vulnerabilities of suppliers, the shortage of in-house skills, the number of assurance regimes and the overall squeeze on resources in local government are all contributing to the complexity.
It creates plenty of headaches for IT and security teams, but there are government initiatives and possibilities in collaboration and consolidation that can help in dealing with the complexity.
A number of insights emerged from a recent UKA Live discussion on the issue, staged with SCC and involving Matt Wilton, deputy chief executive of Newcastle City Council, Geoff Connell, director of digital services at Norfolk County Council and chair of the Cyber Technical Advisory Group, Jenny McEneaney, senior improvement policy adviser for cyber at the Local Government Association (LGA), UKAuthority publisher Helen Olsen Bedford and myself.
Plan for legislation
It came soon after the UK Government outlined its plans for a new Cyber Security and Resilience Bill, the key features of which include expanding the remit of regulation to protect more digital services and supply chains.
This reflects the growing awareness of the importance of the issue. It has been highlighted by cyber breaches in the NHS and Ministry of Defence, and McEneaney said the LGA’s security support has been more focused on the role of suppliers. But while the bill’s focus is welcome it comes with questions over how to provide assurance along the chains.
It was pointed out that they have their own complexities around where data resides, the application of security and privacy controls, assurance frameworks to which the suppliers may be subject – all further complicated when overseas companies are involved – and that councils often ask suppliers similar questions in different ways.
It could be possible to address these issues through the terms and conditions of procurement, especially within the frameworks through which a lot of buying takes place. Connell made the point that councils should not all have to make their own efforts to get the same assurances and this could be addressed centrally.
It would also require a role for cyber security professionals in the procurement process, as the procurement specialists cannot be expected to understand the details of the relevant assurance. The two groups have to work together more closely.
There also has to be recognition that the technology emerging from the supply chain is evolving quickly and that this has implications for possible risks. Local authorities would need someone with a grasp of what each of their suppliers is changing in their technology - however, they do not have the resources to do this individually and it can only be achieved through pooling the expertise in a way that they can all access it.
Compliance questions
Similarly, dealing with the complexities in compliance – for sharing data with partners and achieving assurance – can also be difficult. In recent years many organisations have emphasised the need for assurance to use the Public Services Network, but there have been other frameworks such as Cyber Essentials and the Cyber Assessment Framework (CAF) to follow, and there can be problems when working with other bodies that have a different choice.
There has also been a view that the generic nature of these frameworks does not always match the specific requirements of a sector such as local government.
However, there is now a foundation for a more unified approach to emerge. CAF, developed by the National Cyber Security Centre, has won many supporters as a way to simplify and standardise security requirements; and now the Ministry of Housing, Communities and Local Government has introduced a version specifically for local authorities. Although it is a first iteration, it already has a high profile, it will be developed further and there are hopes that it will be widely adopted.
This raises the question as to whether use of the framework should be mandated. The idea appears to have support but is not currently in MHCLG’s plans, and this is likely to be the subject of a lively debate in the future.
CAF in the culture
The discussion also brought out notes of caution around the local CAF. McEneaney made the point it can do a lot "but not everything", and it has to be mapped against other requirements, which has so far proved to be a stiff challenge. And Wilton made the point that while “CAF is a great thing that will provide a lot of assurance,” it won’t be successful if people do not use it. It has to become part of the culture of local government to meet its full potential.
Underlying these factors is the need to acknowledge that local authorities can never be 100% secure, but they can strengthen their defences greatly through sharing resources, working together more closely, and making cyber security a board level issue with a widespread understanding of risk. The more they can do the latter, the more resources they can win and the better equipped they will be to manage the threats.
To see how SCC is bringing positive outcomes for its customers and discuss how SCC can support you and your specific cyber resilience needs. Reach out to Rebecca.tyler@scc.com
Catch up with the full UKA Live discussion: Cyber challenges in a complex world
