Councils must not be ‘weak link’ in cyber security, Whitehall told
The government is being urged to involve local authorities in the development of the UK National Cyber Security Centre to ensure councils are not left behind in the push for increased cyber security.
The National Cyber Security Centre, announced by chancellor George Osborne in November 2015, is set to open in October and will act as a hub of cyber security expertise.
The centre will bring together a number of government organisations with a role in cyber security, and a prospectus published in May said that the centre would provide support to public and private sector organisations.
GCHQ is currently consulting on the plans, and local government bodies have said they are keen to make sure they are involved from the outset.
“We’ve plenty of experience of central government initiatives imposed on local government that have gone awry, simply because they haven’t involved local government from the outset,” said Martin Ferguson, director of policy and research at Socitm.
David Simmonds, a councillor for the London Borough of Hillingdon and the chairman of the Local Government Association’s improvement and innovation board, agrees.
“We don’t want a repeat of the Public Service Network situation,” he said. “There are valuable lessons to be learnt from that, particularly about how to engage with local government in order to co-design a solution.”
Both Ferguson and Simmonds want to see the UK take a holistic approach to its cyber security strategy that allows local government bodies to be involved in the design process.
They note that an increased emphasis on data-sharing across the whole of the public sector means all parts of the system are interlinked.
“Exposure to risk is wherever the weakest part is; we don’t want local government to be the weak link,” Simmonds said.
Meanwhile, Graeme McDonald, director of the Society of Local Authority Chief Executives, noted the importance of reputation, saying that ensuring local government is fully protected will benefit central government.
“Problems with local councils will put people off accepting digital from other parts of government and slow down things like data-sharing and integration of health and social care,” he said. “Reputational damage will impact on every part of the public sector, and beyond.”
McDonald added that he thought the government was still taking “quite a centralised approach” at the moment, but that this was understandable at the beginning of the process.
“They’re just trying to work out where they need to focus their energies – but they need to move on from that quite quickly,” he said. “Engagement with local government is starting, and we’re hoping to increase it over the coming months.”
Chris Greany, national coordinator for economic crime and the lead on cyber protection for the National Police Chiefs Council, is on the programme team for the centre.
He said that, although it was too early on in the design process to know exactly how various organisations would be involved, he thought the centre would have a better effect on local government than any previous schemes.
Greany said the centre’s main focus would be on active cyber defence – stopping threats before they get to your computer – but there will be a number of other streams and activities for the centre.
This is likely to include providing help when an incident occurs and advice to organisations on how to prepare for threats, which commentators would like to see simplified compared with previous information.
“A lot of the early cyber security advice was too complex for people to act on,” said Chris Hankin, director of the Institute for Security Science and Technology at Imperial College London. “Small companies – and this is likely to be true for local government, too – don’t have big IT departments and can’t implement some of the more complicated advice.”
Both Simmonds and McDonald said that it was important for GCHQ and the centre to remember that local authorities are a diverse group with different threats, resources and abilities to respond.
“It’s not about money, it’s about creating a framework that’s adaptable for local areas,” said McDonald. “Any applications and systems from government need to have the involvement of local government users early on to ensure they are applicable.”
Simmonds said that the centre should also work to develop straightforward guidance, practical tools and help services and market these directly to councils so they are aware of the support.
Meanwhile, Ferguson said he would welcome any training that the centre might be able to provide, noting that cyber security measures needed to be fully understood by those at both the operational and senior levels.
A spokesperson at CESG, the cyber arm of GCHQ, said in a statement that local government has a “critical role to play in cyber security and alongside other parts of the public and private sector can contribute to the design of the new National Cyber Security Centre”.