Govt Cyber Playbook is a Sticking Plaster, Cultural Reform is Needed

Straight talking from the Editor’s keyboard:

The Department for Science, Innovation, and Technology (DSIT) has launched the alpha Secure Connected Places Playbook for local authorities this month. Sounds handy. This new resource offers “practical and accessible support to improve the cyber security of their connected places, or ‘smart cities’, across the UK,” says the Westminster government.

Well, let’s be blunt: it’s a much needed bit of guidance, as the public sector record on cyber/data security is laughably weak, lacks clear strategy and lacks rigorous security checks on in-house users, especially at local County/City/District Councils, or associated benefits, care, housing or similar agencies.

For example, Hackney Council had to go back to pen and paper records, and spend over £12 million, after a successful ransomware hack back in 2020. The Council state they refused to pay the ransom, but vast amounts of data were obviously compromised or lost and then new systems had to be set up. These are not trivial amounts of money, or simple problems to resolve; they are total rebuilds from the ground up, so why are they happening?

Thorough staff training, at every level, in every department, is a good place to start and it means more than an online Playbook.

Example: Responding to an FOI request, someone at South Lanarkshire Council sent the NI numbers and names of people on different pay grades to a website specialising in holding the public sector to account. Of course the private sector is not immune to such mistakes either, but the issue of millions in taxpayer cash being spent to rectify problems created by a failure to impart knowledge, during the most basic of training seminars on data privacy, raises serious questions.

Then there is the problem of legacy IT systems, which insurance brands are often familiar with. In short, systems built 20-25 years ago are often a patchwork of upgrades, bolt-ons and fixes, which often leave the door open for hackers savvy with system upgrade protocols and key staff email addresses. This problem will grow as AI/machine learning systems relentlessly supersede existing software platforms over the next decade. More background on some of these end-of-life software problems at Sefton, Gloucester and Bristol councils here, by the way.

So is the long term answer taking responsibility for cyber and data security away from elected politicians and their local public sector officials and inadequately trained staff? Possibly, but then those who have tried palming off the problems onto third party contractors have come unstuck in the past too.

OUTSOURCING IS NOT ALWAYS THE ANSWER

The issue of outsourcing to major companies like Serco, Fujitsu and Capita also effectively puts many local authorities’ cyber eggs in two or three baskets. Some companies have a shocking record on data management or accuracy. The Fujitsu scandal on faulty Post Office accounting systems springs to mind – people took their own lives after wrongful accusations, and criminal prosecutions, entirely based on false software data. It doesn’t get any worse than that in terms of cyber risk, does it? Yet still, nobody has been charged or convicted over this massive failure of IT systems and its consequences.

So no, the public sector needs to step up, accept responsibility and learn from the best cyber security companies active in the private sector.

HOW CAN THINGS GET BETTER?

Third party phishing attacks are one of the most common modes of entry by hackers, so once you have a system where multiple users, often working from home, are authorised to enter Cloud systems relating to benefits payments, housing data, medical records, planning applications and more, you have a recipe for data leakage.

I would suggest the basics are put in place before shiny new Playbooks are passed around at a weekend retreat, like it’s some whizz bang one-size-fits-all solution to cyber risks. Here’s the wish list:

Train senior staff to constantly learn from the best and transfer that knowledge

Standard exams and qualifications for those working in IT procurement, no amateurs.

Monitor remote teams effectively and closely, using automated software to change login credentials monthly

Swap team members dealing with 10K+ benefits claims or compensation every 12 months

Automate cyber audits every 6 months; look for unusual patterns in emails, login times, ex-employee login attempts etc.

SHOOT THE MESSENGER IS NO SOLUTION

The ideas listed above are free because mostly, they are common sense, but the reason that good work would often be undone is down to politics. Politicians at every level in the UK have found that simply denying “any wrongdoing” generally gets them off the hook, in most cases. From party cakes to motorhomes, polluted rivers to dodgy pub landlord contracts, the blame game is basically pass the parcel and deny everything: I wasn’t at that meeting…and if I was, I don’t remember anything about beers, quizzes and curry.

So when it comes to data breaches, the new public sector tactic is to blame the outside contractor.

Here’s one example recently where the Councils passed the buck onto Capita, although the press release makes no mention of how the data breach occurred. It could well be a Capita systems failure, an ex-employee taking data keys and passwords with them, or something which originated from within any one of several Councils, all logging onto the same Capita system. In short, we will probably never know and this is the root problem with cyber attacks, the blame game doesn’t solve the cultural problems within the user base; what we need is smarter thinking on tracking the problems much earlier in the attack chain.

What I mean by that is spotting smoke before it becomes a wildfire. For that we need a new culture of triple checking within the public sector on logins and authorisation at various levels of admin, plus more automated checking of user ID, weekend login times, plus associated people within that employee’s household when it comes to WFH. You cannot have a secure system if you have no idea who is literally looking over the shoulder of your key IT staff, can you?
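As an added illustration of the automated checks suggested in the wish list and in the paragraph above (logins by ex-employee accounts, weekend login times, out-of-hours activity), here is a small Python audit script. It is not part of the original article or of any council's tooling; the log line format, the account names, the working-hours window and the list of disabled accounts are all constructed assumptions for this example.

```python
"""
Audit a batch of login events and flag the patterns the article asks for:
logins by accounts that should be disabled (leavers), weekend logins,
and logins outside normal working hours.

Everything below is constructed sample data for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Assumption: HR/IT export a list of leaver accounts (hypothetical usernames).
DISABLED_ACCOUNTS = {"j.smith", "contractor07"}

# Assumption: normal working window is 07:00 to 19:00, Monday to Friday.
WORK_START = time(7, 0)
WORK_END = time(19, 0)

# Constructed sample log: "<ISO timestamp> <user> <result> <source IP>".
SAMPLE_LOG = """\
2024-03-11T09:15:02 a.jones success 10.0.4.21
2024-03-11T23:40:19 a.jones success 10.0.4.21
2024-03-16T10:02:55 b.patel success 198.51.100.7
2024-03-12T08:30:00 j.smith failure 203.0.113.9
2024-03-12T08:31:10 j.smith success 203.0.113.9
2024-03-13T12:00:00 c.lee success 10.0.4.33
"""


@dataclass
class Finding:
    timestamp: datetime
    user: str
    source: str
    reason: str  # one of: disabled-account, weekend, out-of-hours


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, user, result, source = line.split()
    return datetime.fromisoformat(ts), user, result, source


def audit_logins(log_text, disabled=DISABLED_ACCOUNTS,
                 work_start=WORK_START, work_end=WORK_END):
    """Return a Finding for every event that matches one of the checks.

    The checks are independent, so a single event can produce more than
    one finding (e.g. a leaver account logging in at the weekend).
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, source = parse_line(line)

        # Any attempt (success or failure) by a leaver account is worth a look:
        # a failure still shows the credentials are being tried.
        if user in disabled:
            findings.append(Finding(ts, user, source, "disabled-account"))

        # weekday(): Monday == 0 ... Sunday == 6
        if ts.weekday() >= 5:
            findings.append(Finding(ts, user, source, "weekend"))

        # Outside the assumed working window on any day.
        if not (work_start <= ts.time() <= work_end):
            findings.append(Finding(ts, user, source, "out-of-hours"))
    return findings


def summarize(findings):
    """Count findings per reason, for a quick audit summary."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_logins(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp.isoformat()} {f.user:<12} {f.source:<14} {f.reason}")
    print("summary:", summarize(results))
```

Run against the constructed sample this flags two attempts by the leaver account, one Saturday login and one late-night login; on real data the same loop would be fed from the identity provider or VPN logs, and the disabled-account list from the leaver process, which is exactly the join between HR and IT that the article argues is missing.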

Worryingly, the government press release makes a point of stating that local Councils were involved in formulating the new “Playbook.” The idea that non-experts, and those with a vested interest in passing the blame, should define the parameters of everyday cyber risk, security or admin systems is flawed, at best. Here’s the word:

“Given the large amount of data they collect, the interconnected nature of their systems, and the potential impact on local infrastructure, connected places can be attractive targets to hostile actors. This Playbook will help local authorities set a foundation to protect themselves against would-be cyber threats. Created in collaboration with a group of local authorities, the alpha Playbook provides practical cyber security support as communities increase their use of innovative solutions, such as automated traffic and waste management systems, and smart environmental monitoring.”

There is a fundamental problem of public sector, and private sector, failure post-Covid. Nothing seems to work in the UK very well anymore and there are a range of reasons for that. But if globalist politicians are serious about creating smart cities, where everyone is compelled to live in a designated zone, controlled and monitored by digital systems linked to CCTV, then they have to make the IT work seamlessly and securely. Otherwise some of the dissidents might figure out the 123binday passwords and escape their 15 minute prison, taking a couple of million in digital currency with them. Just saying.

About Alastair Walker
20 years experience as a journalist and magazine editor. I'm your contact for press releases, events, news and commercial opportunities at Insurance-Edge.Net
