Council systems are likely to face an increasing number of cyber-attacks as increasingly sophisticated hackers seek to collect ransom payments or find a back door into central government systems, experts have warned.
LGC has learned of reports that Russian hackers have accessed council library systems. However, it is thought unlikely that local government would fall victim to something on the scale of the WannaCry ransomware that wreaked havoc in the NHS and other organisations across the world last month.
Geoff Connell, president of Socitm and head of information management and technology at Norfolk CC, told LGC it was getting easier and cheaper for cyber criminals to make increasingly complex attacks. Meanwhile, as councils increasingly share services, link up with the NHS, introduce mobile working and encourage residents to go online there are more opportunities for cyber criminals to launch attacks.
He said there had been examples of hackers sending emails to finance directors appearing to come from the council chief executive and instructing them to make payments.
“The threat of a cyber-attack is growing; it is a very real threat but we’re not in bad shape as a sector,” said Mr Connell.
However, he warned there was a risk budget cuts could leave councils more exposed to an attack.
“We have to invest in cyber security professionals and we have to be careful funding cuts mean people don’t stop investing,” said Mr Connell.
Mr Connell said the fact that local government was relatively well fortified against an attack was partly a result of “jumping through hoops” to join other networks including “ironically” the NHS network. Councils have also had to meet stringent cyber hygiene tests to be able to accept payments online and to join the central government Public Sector Network, which allows access to data held by HMRC and the DVLA.
However, this link with central government also makes councils more of a target for hackers.
Rob Whiteman, chief executive of the Chartered Institute for Public Finance & Accountancy, told LGC he was aware of a Russian hack into a council library system, although no wrongdoing was carried out.
“What we have to become accustomed to is [that] our systems are being hacked into… Councils themselves are not necessarily targets but hackers are getting into systems and having a look around,” he said.
Jos Creese, chief executive of Creese Consulting Ltd and a former chief information officer at Hampshire CC, told LGC there would be more incidents of varying types.
He said: “You have got different types of hackers: those in the UK trying to prove a point, international hackers trying to commit fraud or international hackers trying to find the back door to central government systems.”
Mr Creese said, in general, local government was better prepared than other sectors, including the NHS.
“I have no doubt there are some [councils] that will be struggling,” he said. “I’m pretty confident there will be incidents in the sector… the complexity of local government makes it much harder to ensure end-to-end security than in a private sector organisation.”
Mr Creese said councils needed to stop using vendors who did not keep their systems up-to-date.
While some councils still operate using Windows XP, the outdated system that left many NHS hospitals exposed to the WannaCry ransomware, Mr Creese said he has not seen any that have it embedded in their network in a way that would cause problems on the scale of those seen in the NHS.
Mr Creese said the NHS incident had acted as wake-up call and warned public sector organisations against simply viewing IT as a cost centre where money could be saved through automation and self-service.
“Whilst there are productivity gains you do have to make the necessary investment given the amount of reliance you will be placing on these systems,” he said.
There is much activity taking place to raise awareness and share best practice in local government.
Socitim has set up local groups known as Warps that bring together public sector IT professionals in an area to share information and spot risks. It is also encouraging the National Cyber Security Centre to create solutions to cyber-attacks that can be widely deployed, rather than every organisation having to develop their own.
Cipfa recently formed a group with the Local Government Association, Department for Communities & Local Government, Cabinet Office, and National Cyber Security Centre specifically aimed at raising awareness of cyber security among local authorities.
Rachael Tiffin, head of Cipfa’s counter fraud faculty, told LGC threats to cyber security is emerging as one of biggest fraud risks and the centre was getting an increasing number of requests for training and advice.
“It needs to be an issue on the top table; it needs to be led from the top down. It’s not just the responsibility of a person in IT,” she said.