This time last year Lincolnshire’s IT systems were taken out for five days after a cyber attack. The council’s information management lead Richard Wills tells Gill Hitchcock why councils are a target and how good communications can keep systems safe.
Local government seen by hackers as a weak point for entry into government systems – Photo credit: Dreamstime
State-sponsored cyber attacks have been a regular feature on the front pages already this year. But despite the continuing controversy, the finding by US intelligence services that Russia hacked Democratic party emails is arguably nothing exceptional.
Nor will it be the first – or last – time a state will interfere in the workings of a foreign power. But should local government be worried about hacking of this nature? Is this a wake-up call for all levels of government?
Richard Wills, the executive director for environment and economy at Lincolnshire County Council, who is also responsible for the authority’s information management and technology, certainly thinks so.
“You might say ‘so what’, we are only a local authority and why would a foreign power be interested in a council?” says Wills. “But because we have pathways into government we, and organisations like us, are seen as potentially weaker points of access.
“We need to be alert to the possibility of state-sponsored espionage because we may be seen as a way of getting into somebody else’s system.”
According to Lincolnshire’s information governance team, there are around 15,000 attempts infiltrate its IT systems every day. Most of the time it fends these off.
But this time last year it wasn’t so lucky and the council was the one making the headlines after it became the victim of a ransomware attack that put its IT out of action for five days.
The trigger was simple. An employee clicked on an email attachment that turned out to be malicious – the damage was only discovered when staff were unable to access corporate files, with more than 47,300 being encrypted.
Adding insult to injury, the cyber criminal demanded $500 in the digital currency Bitcoin and threatened to increase the sum if the council didn’t cough up.
Lincolnshire acted quickly by closing down its systems, checking nearly 500 servers and 70 terabytes of data and alerting its internet protection services.
But Wills says the most important thing it did was avoiding the dangerous temptation to try and protect its reputation by hushing things up.
“If you don’t come clean you allow attackers to have a go somewhere else,” he says. “And I think we have a duty, certainly in the public sector, to protect the nation as a whole by being honest, because that’s the way to beat people who sometimes have a very malicious intent.”
Lincolnshire alerted neighbouring authorities. It informed the Cyber-security Information Sharing Partnership (CiSP), a joint industry and government initiative to exchange cyber threat information; and local and regional cyber-crime units, so they could use Lincolnshire as a case example.
It also reported the incident to the Cabinet Office’s Public Service Network team; the East Midlands Government Warning, Advice and Reporting Point – a community of local authority officers concerned with information security – and the police.
The council’s official report on the attack, published four months later, said that the effective use of the council’s Twitter feed helped to manage service demand while IT systems were down. Meanwhile supportive partner organisations, like the NHS and district councils, spread its message about the malware threat.
Wills says he thinks county councils more readily share experiences such as these, while cities tend to be more competitive – but that this can be problematic when it comes to security.
“Some organisations see everybody else as a competitor and in a way that is a vulnerability,” he says. “A competitive spirit has many positive values, but if you allow it get in the way of collaboration to protect us as a community of interest that is one of our vulnerabilities.”
The official report into the incident identified a number of areas that needed improvement. For example, it revealed clear gaps in business continuity plans, with no contingencies for total loss of IT beyond a relatively short period.
In addition, the council’s IT service provider had not delivered its obligation to liaise with service areas to ensure business continuity plans were aligned to current IT capabilities.
Although Wills is understandably cagey about revealing all the details of Lincolnshire’s cyber security measures he says that all desktops and laptops now have an extra software security protection, Zscaler, which does an inbound and outbound check every time an employee opens a link into a website.
All council staff with access to IT are also required to undertake an annual online information governance learning programme.
However, despite believing that the council has put every practical measure in place to prevent unauthorised access to data, Wills says citizens need to be vigilant too.
He encourages them to contact the council if, for example, they receive an email indicating that someone has information about them when they should not.
“What I would never be brave enough to do is absolutely guarantee that nobody will ever get hold of anybody else’s data,” Wills says. “Anyone who believes they have 100% protection is deluding themselves dangerously and so we are constantly on the alert.”
According to the association for digital professionals, Socitm, more than 60% of citizen interactions with government take place between citizens and local authorities – and with greater focus on digital this figure is sure to increase.
On top of this, says Wills, is the need for councils to prepare for the time when e-voting will be necessary to combat poor voter turnout.
“We have elections coming up in 2017… If we get as high as 60% participation I would be delighted. The probability is that it will be more like under 50%,” he says.
“The way to get more participation, I would contend, is to allow more online mechanisms for voting. But that is being prevented because of fears about how it could be manipulated.”
Wills says that people in his position “need a democratic system behind us to validate our powers” – and that online voting is one way to ensure greater democracy.
And that, he says, is the most crucial reason for every council across the country – from the board to those on the front-line – to get cyber security right.