Local authorities in England will receive £85.8m to deal with cybersecurity, Rishi Sunak announced this week during the autumn spending review. Town halls across the UK are increasingly becoming targets for cybercriminals with the rise of smart city initiatives and online provision of public services. Over a period of five years, UK local authorities experienced 98 million cyberattacks, according to a report by privacy campaigning group Big Brother Watch.
Most of the budget allocated to digital and tech by the Chancellor will be directed to cyber, highlighting the UK’s need to keep a resilient cybersecurity infrastructure able to resist increasing online attacks.
This boost for local government cybersecurity has been welcomed by digital leaders in the sector. However, some think that in addition to the funding, central government needs to improve communication between national and regional bodies to bolster cyber resilience.
Local councils becoming attractive victims for cybercriminals
As councils take their services online, local authorities are increasingly becoming targets for cyber gangs. Between 2013 and 2017, 29% of the UK’s councils experienced at least one security breach, according to the Big Brother Watch study.
“The government is definitely waking up after a number of quite high profile and very serious cyberattacks,” said Theo Blackwell, London’s chief digital officer, adding that most citizens access public services through their local authority rather than central government.
“I’ve sensed for a number of years that when you say the word ‘digital’ to government, it thinks Government Digital Service or what it’s doing in Whitehall. It does not think about the municipal layer, and that’s where vital services are being provided, from collecting your rubbish, parking, housing repair, booking childcare, making payments.
“This is an issue for local government, not just Whitehall.”
In February 2020, the Redcar and Cleveland Borough Council in North Yorkshire was the victim of a ransomware attack that left 135,000 residents without access to online public services for nearly a week and cost the local authority over £10m. A few months later, London’s Hackney Council was targeted by a cybercriminal group that published the personal details of council staff and tens of thousands of the borough’s residents on the dark web following a serious ransomware attack.
This kind of devastating attack can leave already cash-strapped town halls in serious financial trouble, just one of the reasons why Kevin Gibbs, executive director of delivery at Bracknell Forest Council in Berkshire, welcomed the budget allocated to cybersecurity. He said that the public sector, and local government specifically, is no longer able to afford cyber insurance, making this money timely and needed.
“The [cyber insurance] quote we got as a council three months ago was eye-watering in cost and it has now doubled in that time period,” Gibbs told Tech Monitor. “Our broker has now said that we are no longer an insurable risk.”
Although some government agencies in the US have been paying ransoms for their data after cyberattacks, that is not something that UK local government would ever do, claims Gibbs, adding that new tools are needed in local government for cyber readiness. The report by Big Brother Watch found that at the time of the study, 75% of local authorities did not provide compulsory cybersecurity training and 16% did not provide any cyber training at all.
Gibbs added: “At the moment the response services are accessed via the insurance providers and now that they have withdrawn support to the sector, this investment must not only help us review and mitigate the risk of a catastrophic attack, but create the services that can be put on retainer so that the sector has recovery tools, easily available, at a price point that we can afford.”
Is the money enough?
Blackwell said that in addition to the budget allocated to cybersecurity, central government should also “get the basics right” and ensure that the National Cyber Security Centre (NCSC) has good links with local government to help it in the fight against cybercrime.
At present, the UK government does not have a central register of technologies supporting local public services, which presents an issue for cybersecurity, said Blackwell. Most of the local government market uses a relatively small number of technology suppliers, mainly big companies.
“The local government provides hundreds of services to residents and businesses, and there is no register of what technology that is. And that is almost like step one in cybersecurity,” Blackwell said.
Sunak’s budget includes a £2.6bn government investment in cyber and legacy IT over the spending review period, with an emphasis on improving the government’s cybersecurity. It also adds £114m to the National Cyber Security Programme, the UK government plan to make the country cyber resilient. Details of how the strategy will work have not been published yet.
Blackwell said that the fight against cybersecurity threats needs to include local authorities to be effective. Central government should be stepping up and needs to improve the communication between national agencies and local level bodies to boost support and resilience in the fragmented system of local government in the UK.
“I would say that an immediate priority for the government with this money, if it hasn’t devoted it already… is to know what the technology estate is of local public services,” concluded Blackwell. “It seems to me to be crucial for cybersecurity and data sharing and effectiveness in general.”