Councils and cyber security

A recent ransomware attack had major consequences for the NHS. Local authorities must take it as a wake-up call, writes Lauren Lucas.

Earlier this month, the NHS was the most high-profile victim of a global ransomware attack that hit tens of thousands of computers in nearly 100 countries. The ‘Wannacry’ software, which affected GP surgeries and hospitals across the country, blocked access to files on a PC, demanding a ransom for their release.

Although personal data was not breached, the incident had a major impact on patients, many of whom had appointments and operations postponed as a result of the ensuing backlogs. As the incident unfolded, it became clear that outdated technology was part of the problem, with research by software company Citrix suggesting that 90 per cent of hospital trusts were still using Windows XP. While a patch had been provided to protect users from the malware, many computers had not been updated, largely because of the age of machines. Rob Whiteman, chief executive of CIPFA said the difficulties within the NHS should serve as a “stark reminder for all government organisations”.

So how vulnerable is local government to similar attacks? The truth is, they are already happening, but have attracted less media attention because of their smaller scale and the relatively regional impact. Both Lincolnshire County Council and North Dorset District Council fell victim to ransomware attacks in 2016, the latter affecting over 6,000 files. It should be noted that in both cases the problem was swiftly resolved and no data was compromised, but clearly this issue is not going away any time soon.

Nor is ransomware the only challenge facing councils from international hackers. In January this year, Aberdeen City Council’s website was hacked by ‘Team System Dz’ for nearly three hours on a Saturday evening. The group, thought to be based in Algeria, claimed their actions were in protest against Donald Trump’s controversial travel ban on a number of largely Muslim countries.

This incident in particular shows how in an increasingly globalized world, councils can find themselves on the front line in international disputes at a time when the threat of individual and state-sponsored cyber attacks has opened up a new front in modern warfare.

Some local authorities are taking the lead in finding new ways to tackle cyber attacks. Leicester City Council has recently employed two new in-house ‘ethical hackers’ to help them improve their cyber security. Others are commissioning private sector security companies to do ‘penetration tests’ on their systems to identify areas of weakness. As Cllr Theo Blackwell’s recent publication for LGiU, Start of the Possible demonstrated, councillors are not ‘digital dinosaurs’ and many hold strong and positive views about technology. Examples of digital innovation are flourishing in leading cities and authorities such as Bristol, Leeds, Glasgow, Manchester, Milton Keynes, Essex and in several London boroughs.

But when it comes to cyber attacks there is still a long way to go for many authorities. Among the 809 councilors surveyed in the report, cyber security was only identified as the fourth most important digital issue for local authorities, after digital exclusion, service design and connectivity. Just over a third of respondents said their council needed more support with cyber security. There are indications that this is reflected in spending priorities: in 2016 Citrix undertook research which suggested 86 per cent of councils spent nothing on data protection and IT security training over the course of the year.

The most recent attack on the NHS should be a wake-up call for local authorities without a clear line on cyber security. But most of all it should flag the need for greater investment on the part of central government. As frontline services are squeezed, it becomes ever more difficult for councils to invest in back office functions and better technology. Whatever the colour of the new government, one of its earliest priorities must be a robust strategy on tackling cyber crime both at a national and a local level, before we see the next incident of ‘Wannacry’ proportions affecting public services.

Lauren Lucas is LGiU’s Head of Projects.