And Cybersecurity in Local Authorities?
Author: Julien Bui, CISO at Département du Morbihan
Local authorities (municipalities, departments, regions) and the wider group of bodies attached to them are public administrations working at a local scale for their citizens.
They provide many services, such as culture, education, sports, youth, and social and medico-social work. As at national scale, they are engaged in a profound digital transformation, particularly through projects to dematerialise (digitise) the services provided to citizens. As a result, they host a great deal of sensitive data (citizens' personal data, strategic or economic data). This approach creates a dependence on digital technology, which inevitably attracts cybercriminals, for whom local authorities have been prime targets for over a year now.
According to a CLUSIF (1) study from June 2020, 30% of local authorities have already been victims of ransomware, and this type of attack, now accessible to anyone, keeps increasing. Cybersecurity within local authorities, whatever their size, is now a genuine concern and is becoming an organisational priority.
In order to manage this digital transition, regulatory frameworks have evolved relying on the emergence of new laws such as the RGS (2), the LPM (3), the RGPD (4), etc. Their objective is to strengthen citizen confidence in digital services, guarantee the protection of personal data and the infrastructures that host them, but also to reinforce the security of vital activities and essential services provided by certain communities.
Because of the disparities in size, budgets and priorities between local authorities, implementing and controlling these regulations and the good practices linked to them is a real headache, not only for the French government but also for the professionals in charge of information security.
For example, among the 35,000 French townships, many have no more than 500 inhabitants, while others have thousands or far more. The smallest towns simply do not have the human and financial resources to treat IT security as a priority. Yet security does not wait, and cyber attackers even less so. Only the pooling of resources (mutualisation) can compensate for this handicap linked to the size of local authorities and the resulting limited capacity for action.
It is necessary to establish a governance system that effectively mobilises both the services and the elected representatives (ideally, an elected representative dedicated to digital topics should be appointed). These synergies make it possible to take strategic and budgetary decisions in favour of cybersecurity for the local territory. It is also important to get closer to structures such as IN.CRT (5), created at FIC (6) 2020, which aims to be a platform for sharing ideas and to become a resource centre for local authorities. Such structures also bring together elected officials and cybersecurity players for workshops, events, training and awareness sessions.
The best case is to hire a Chief Information Security Officer, a real "Swiss army knife" of security, with dedicated resources, who will organise security according to the defined context, monitor the information system and react in case of cyber incidents. The CISO's first priority is to raise awareness among top management and to present the cybersecurity programme in a way that demonstrates its benefits, so that security is not seen as a hindrance within the organisation.
The CISO will still face certain difficulties, such as the strong interdependencies between operational departments and the validation procedures that go with them; this is the organisational reality of these territorial structures. Even for a simple security measure, several levels of validation are required, not to mention the need to plan deployments well in advance. For security projects, validation is carried out by committees at different levels (monthly, quarterly, etc.), which adds a time-consuming dimension to this overall governance.
Another potential barrier is the level of cyber culture among many employees, who will not see the need for or the relevance of cybersecurity issues, even though they are essential. It is therefore the role of the CISO to promote awareness and to build that culture, so as not to be restricted in his actions. He must be understood and seen as a facilitator on these subjects, particularly within this type of organisation.
Finally, the last pain point concerns providers and partners: since local authorities do not have the same status as private companies, third parties do not give the public sector the same level of attention when it comes to securing their environments and projects. As mentioned earlier, because of these many disparities, a CISO working in an administration must be firm and patient with service providers. Delivering secure projects and services can be a real challenge for them, especially when the internal organisation is not cooperating either. This can be an additional brake on securing hybrid environments, which themselves keep changing as technology evolves.
As for digital transformation, cyber security issues are recent for local authorities. With the French government’s support (recovery plan, grants, ANSSI) as well as independent structures (associations, institutes, universities, etc.), territories can finally operate to improve their information systems security.
It is important for the entire French CISO community to work together because they share the same issues and, with a few differences, the same priorities.
- (1) CLUSIF: leading association for digital security in France (CLUb de la Sécurité Informatique Français).
- (2) RGS (Référentiel Général de Sécurité), the General Security Framework: it sets the first French framework of digital trust for online services (teleservices) within the administration.
- (3) LPM (Loi de Programmation Militaire), the Military Programming Law: it guarantees the protection of activities of vital importance and is the French adaptation of the Network and Information Security (NIS) directive.
- (4) RGPD, the General Data Protection Regulation (GDPR): it makes public and private actors responsible for the protection of personal data.
- (6) FIC: Forum International de la Cybersécurité.