For the public sector, cyber resilience has never been more important

Local governments are better than ever at delivering services to their citizens efficiently. A large part of this progress is thanks to the adoption of innovative new technologies and ways of handling data.

Local authorities have risen to the challenges of growing populations, a changing workforce, and increased urbanization — but the very same innovations that enable their work also expose them and their constituents to massive risk.

Today, operational excellence — the goal of public officials worldwide — demands that they balance innovation with cyber risk by building cyber resilience.

Cities are on the frontline of a rising wave of cyber-attacks. The internet-connected technology used to power them and deliver services places them at high risk of a range of cyber-attacks.

According to one report, 2021 saw a sharp rise in the proportion of local governments hit by ransomware attacks — attacks increased by 70% in just one year, from 34% to 58% of those surveyed. And the value and volume of ransomware payments have increased, too according to that same report.

Cyber-attacks can have serious consequences for cities and their citizens. For example, on May 7, 2019, a ransomware attack struck the city of Baltimore, U.S. and froze thousands of government computers, in addition to crippling dozens of other citizen services.

The attackers demanded a ransom of approximately $80,000 worth of cryptocurrencies, which the government refused to pay, instead voting to take $6 million from parks and public facilities funding — used by everyday people — to help pay for "cyber-attack remediation and hardening of the environment."

In response to this growing threat, local officials are beginning to recognize the importance of cyber security, and are responding by creating such roles as the Chief Information Security Officer (CISO). With this new position comes the ultimate responsibility for the cyber security of local government, however those in the post often lack the power to actually implement and control an authority’s cyber security.

To ensure the digital security of any institution, the individual being held accountable for security must also have the authority to implement solutions, veto the procurement of vulnerable technologies and shape the comprehensive cyber resilience of the institution.

As organizations and cities set up the right accountability and governance structures, there is a natural progression to proactively develop, track and measure against a policy framework.

To this end, the 'Model Policy for Cyber Resilience in Local Government' takes the U.S. National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF): Identify, Protect, Detect, Respond and modifies for application in the public sector.

This adaptation keeps Identify, Respond and Recover, combines Protect/Detect into one function, and adds a new function: Sustain. Sustain is focused on maintaining essential service delivery while responding and recovering from an incident.

When cyber-attacks or disruptions occur, they must be contained rapidly and their impact mitigated. In such cases, both technical and non-technical alternatives are necessary to sustain critical services. For example, during potential or complete loss of information or operational systems, the architectural capabilities of digital infrastructure should be supplemented with planned scenario-based support for service continuity.

Significant crises should be followed-up with transformation initiatives to enhance cybersecurity capability.

Proactive measures like periodic penetration testing of digital infrastructure and applications are necessary to ensure robust cyber defense.

For example, the city of The Hague, in the Netherlands, organizes an annual hacking competition called ‘Hack The Hague,’ where the local authority invites ethical hackers to the public area of city hall to hack the live IT systems, applications, and websites of the city and its suppliers.

Hack The Hague has tremendous value for the city’s cyber resilience. The highly skilled ethical hackers force the city’s defenders to react in real-time and fix the vulnerabilities as quickly as possible. Having such an event out in the open fuels the dialogue about cyber resilience and increases the awareness and preparedness of the city, its employees and the citizens of The Hague.

During the 2021 edition, 206 international professional and student hackers from more than 20 countries found 125 vulnerabilities — of which some were critical.

Around the world, many countries, and the citizens they are responsible for, rely on complex and interconnected technological systems. These systems are not only digital, but they are also increasingly embedded in the built environment. Cities are deploying these technologies into physical locations and communities, making them obvious targets for cyber-attacks and presenting an immediate need to prepare cities and other local authorities for the eventuality that their critical infrastructure or sensitive data could be targeted.

Each city is unique. And as such, each must take its own approach to the cyber risks it faces, now and in the future. However, for an overarching direction, cities can rely on the principles and processes set out in the 'Model Policy for Cyber Resilience in Local Government': Identify, Respond, Recover, Protect/Detect and Sustain.

In doing so, they will ensure they maintain the cyber resilience that their essential role in society demands.