Skip to the content

The complexities of cyber security in local government

23/12/24

SCC Industry Voice

Get UKAuthority News

Share

Cyber security has long been a serious issue for local authorities, but since the turn of the decade there has been a sense of the threat intensifying, and of the landscape becoming ever more complex, writes Rebecca Tyler, who heads up local government lead at SCC.

New types of malware are constantly emerging, attackers are developing sophisticated new approaches to phishing, denial of service, the fabrication of website URLs and domain name system spoofing.

The National Cyber Security Centre (NCSC) has highlighted threats from state sponsored attackers, and a number of local authorities have fallen foul of cyber incidents, in some cases causing long lasting disruption.

Councils are aware of the need to erect strong defences, but are finding that advances in technology, the increasing use of AI, limited knowledge of vulnerabilities in complex supply chains and uncertainties over assurance regimes are all making it difficult to get a clear picture of the threat landscape and what needs to be done. They need more clarity.

This prompted a research project by UKAuthority Inform, partnering with SCC Digital, into the complexities of cyber security for local government today. It involved a series of discussions with digital leaders and cyber specialists in the sector and reader ‘quick’ polls, it has also drawn on both UKAuthority’s long term reporting on cyber issues and SCC’s expertise in the field.

Changes, shortcomings, weak points

Elements of the complexity include the constantly changing nature of cyber threats, the impact of rapidly evolving technologies such as the internet of things and artificial intelligence, shortcomings in cyber hygiene practice in many organisations, potential weak points in supply chains, and the increasing resources behind attackers.

Local government is also affected by more specific issues, such as the continual squeeze on its finances, difficulties in hiring and retaining skilled staff, internal competition for resources, the consolidation of some councils and uncertainty over which security assurance schemes it needs to comply with.

But the research identified steps that councils can take to strengthen their security posture.

One is to ensure there is someone with both a clear grasp of all the factors and the authority within the organisation to ensure it is a coordinated effort in which everybody plays a part - led from the top. This makes the case for the appointment of a chief information security officer (CISO) with the appropriate authority, and a brief to keep up a continuing dialogue with board level executives and heads of service.

This can ensure that technologies are being implemented to align with security policies, the appropriate processes are in place and that there is strong engagement with all staff about their responsibilities.

Other steps involve: acknowledging that there will always be some element of risk and assessing the board’s attitude towards how high it should be; seeking peer review for significant investments in cyber; prioritising the security standards to be followed; and continually looking at the security implications of new technologies.

Assurance regime question

The question of which assurance regime to follow has tested councils in recent years, but there is a feeling that a clear path is emerging with the recent launch by the Ministry of Housing, Communities and Local Government of a version of the Cyber Assessment Framework – developed with NCSC – specifically for local government. The existing sentiment in favour of the CAF and provision of some funding suggests that local authorities will be quick to take up the option.

There are also technical measures, including basics such as monitoring network activity, penetration testing and continually updating software with the latest security features, plus others that are now emerging. Multi-factor authentication is becoming more widely used, and there is growing interest in the zero trust approach to security – in which users and devices should never be trusted by default – and cyber deception techniques to catch out potential attackers.

There is also plenty of interest in security operations centres, which provide a range of security activities and are emerging as an option – often on an outsourced or collaboration basis – for many local authorities.

New possibilities, good and bad, are also opening up with the rapid evolution of AI.  

A big danger is that the technology can enable malicious users to increase their own capabilities without increasing their personal skills. There are AI systems with the capability to quickly learn and mimic human behaviour, which can give attackers the ability to run more sophisticated phishing operations that are more likely to breach an organisation’s defences.

On the plus side, however, AI provides the potential for a massive increase in the capability of an organisation to monitor its network traffic, take in intelligence from a wide range of sources and use it in its own defences. The technology can do much more than a human in a specified time, which gives councils the opportunity to expand their scope in watching for threats.

Legislation on horizon

Another significant development is expected with introduction of the new Cyber Security and Resilience Bill in Parliament in 2025. Full details and timings have yet to emerge, but there is an eagerness in the sector learn more and a sense of optimism that it will help in developing more consistent approaches.

Another important lesson to emerge is that there is no definitive solution. The cyber security risk will never be completely eradicated; new threats will emerge, and new responses will have to be developed. It will require a continual effort to watch, learn and manage the risk, going beyond the established technical measures into instilling a mindset for security among staff and along the supply chain.

But there is a sense that valuable lessons have been learned, and that the CAF for local government and new bill in Parliament will provide solid frameworks against which to secure the future. There is also an eagerness to harness the potential of technologies such as AI as tools to strengthen defences. Together they are creating a cause for optimism in the sector.

These issues are explored in greater detail in the white paper - The cyber complexities facing local government

 

Image source: istock.com/Greenbutterfly

Register For Alerts

Keep informed - Get the latest news about the use of technology, digital & data for the public good in your inbox from UKAuthority.