Current events illustrate the vulnerability of local authorities of all sizes to cyber risk.

As early as 2018, the French strategic cyberdefence review (Revue stratégique de cyberdéfense) emphasised the fragility caused by growing dependence on IT systems combined with the diverse sizes of municipalities. The accelerated digital transition among local authorities and the explosion of the cyber threat have now pushed this concern even further up the list of priorities.

Local authorities are an essential element of our society, representing a vital lever for the national cybersecurity strategy that we must all support and uphold.

Choice targets

All local authorities handle large amounts of data that may be personal, sensitive or strategic. Alongside the many public services they deliver and manage, local authorities collect, store and share significant quantities of data, without always knowing what or where it is. They are often lacking in specialist resources and ill-equipped to deal with the regulations in force and their responsibilities to protect their data and their IT systems. Cyberattackers are quick to take advantage of this fertile ground. The alerts that have come to light in recent months show that local authorities are now choice targets. Generally managing large operating budgets, they are seen by cyberattackers as having the means to pay considerable ransoms, as well as being very limited in terms of cybersecurity resources. It is therefore up to us to advise, assist and support them so that they can protect themselves and respond appropriately.

The inevitable digital transformation

The data we communicate to local authorities relating to the public services they manage (births, marriages and deaths, healthcare, education, transport etc.), together with the information they generate themselves, is collected, stored, used and transferred in cyberspace. More than ever before, public services are moving online, and this shift will receive a major national boost when the digital identity plan is implemented in summer 2021.

Called on to switch over to digital, a source of opportunities and progress, local authorities need to understand what awaits them, the circumstances in which they will find themselves, the threats to which they will be exposed and how to prepare, protect themselves and respond to attacks. Only then can they benefit from the oft-repeated positive impacts of digital technology for their citizens.

Problems identified

Among the major problems facing local authorities, the first is the lack of knowledge and skills in an area seen as being too technical, even by some of their subcontractors.

Next comes a lack of resources, both budgetary and human.

But no-one should be left behind. Fear of cyber risk could encourage some local politicians to pull back from the challenge, at the risk of being marginalised and exposed to a digital divide that will leave them disenfranchised. This response is not acceptable in a country such as France.

But although bringing individuals closer to local authorities by providing easier, safer access to data and well-managed digital administration is perfectly possible, it must go hand-in-hand with cybersecurity governance.

A successful, secure digital transition

Developing cyber resilience for local authorities and meeting the needs of citizens securely and transparently will depend on a number of pillars, including breaking down barriers and bringing the public and private sectors together.

Educating, informing, training and raising awareness for local politicians and local authority staff is another major area for development. The many initiatives in this direction already in place across the country send strong positive signals.

With regard to budgetary constraints and the regularly-mentioned lack of funding, the recovery plan should provide a response.

We therefore call on politicians to support the recovery plan and begin or continue their efforts in this direction. As well as implementing health-related, technical, governance, organisational and human measures, the regulatory and legal dimension is also essential to address digital risks appropriately.

The recovery plan will provide important support, but it will certainly not be a miracle solution.

The risk management described by ANSSI is essential, and must be based on agile, collaborative methods. Information sharing is strategic. Risky situations can rarely be grasped without external information, and can never be resolved alone. Protection requires risk assessments to be shared and circulated so that all the links in the chain receive the information. 

Convinced of this global approach to risk analysis for nearly 20 years, we continue to offer it through our library model. By compiling the information shared by the whole community (architecture models, cyber risk scenarios, repositories of security measures) within our reference libraries, our platform offers a relevant risk mapping for every context, arising from the experience of other users, which makes it possible to obtain realistic attack scenarios very quickly. Local politicians can access clear, contextualised, comprehensible, concrete information enabling them to understand the true danger of the situation in which they find themselves, the risks the local authority must address, their level of protection and the actions to take, with clear levels of priority.

To be effective and complete, security initiatives must address all technological levels, without forgetting either human or structural procedures.

The solution must therefore be part of a programme of continuous improvement and automation to be able to provide local authorities with up-to-date information.

Audit, mapping, information sharing and training are the first four pillars of improving the cyber resilience of local authorities in France. To ultimately take control of the risks, local authorities must take action now and commit to the fifth strategic pillar: implementing the action and continuous improvement plan.

As people grow more accustomed to digital solutions and the national digital identity plan is implemented, digital services will multiply. It is now high time to secure our local authorities’ IT systems.

“To build a safer, freer digital space, local solidarity is essential. Local areas provide fertile soil for shared cybersecurity. Local authorities are characterised by their closeness to their citizens. They are an essential lever in a strategy that places people at the heart of their cybersecurity,” Marc Watin-Augouard reminds us.
