
Hackney Council aligns cyber recovery with modernisation


Mark Say Managing Editor



Rob Miller
Image source: Hackney Council

If anyone needed convincing of the long-term effects of a serious cyber attack, they need only look towards the experience of Hackney Council.

It has confirmed reports in the local newspaper Hackney Citizen that the financial cost in 2021-22 of its recovery from the attack on its systems in October 2020 amounted to £12 million in direct spending. On top of that have been the costs, difficult to quantify, of disruptions to services and finding ways to maintain them, and the effect it has had on staff and residents.

Rob Miller, Hackney’s strategic director for customer and workplace, acknowledges the scale of the fallout but emphasises there has been a great effort to get back on track, and that in some areas the response has accelerated the modernisation plans that were in place before the attack.

“Something I’ve tried to be clear about, both in terms of cyber resilience and our response to cyber, is how much it’s an entire organisation effort,” he says. “People across the council have done remarkable things to do our best to sustain things our residents need.

“Some of that is technical work, moving things to the cloud, recovering systems; some of it is really hard graft by people in our communities delivering services without their normal systems for extended periods.”

Key systems operational

He is reluctant to say the recovery is complete, emphasising that the complexity of the effort and how it relates to changes in the council’s digital estate make it hard to foresee a situation in which it could declare mission accomplished. But most key systems are operational, with the return to normal of the council tax service and recovery of social care systems being completed in the past couple of months, and impacts of the attack have at least been mitigated all round.

There have been two major stages in the recovery.

“The first is the initial emergency stage in which there was an immediate focus on business continuity,” Miller says. “It was making sure, for example, that we could continue to make housing benefits payments, that our payroll for staff still worked, and communicating to residents with up to date information about our services. There was a huge amount of activity around that business continuity and emergency stage.

“Then in parallel with that was the technical work to assess the damage and work with cyber experts to support the criminal investigation, and to understand what we could recover and how.”

Then came the stage of the recovery of systems and services, which is where the council’s plan for a widespread move to cloud systems – already in progress before the attack – has been crucial.

Cloud direction

“We have worked hard to ensure the money spent on recovery has moved us in the direction we had planned to move anyway,” he says. “Something that was very clear from the first moment of the attack was that progress we had already made in moving in a cloud direction had protected us from an even worse situation.

“It’s hard to say to people that it could have been worse as it felt very tough, but other victims of similar attacks have been without email, telephones and websites and been back to pen and paper. Because of our move to the cloud we could still email, keep residents up to date through our website, speak to people who called the contact centre; and we could still access many of our files and use video meetings as we had moved those services to the cloud.

“Our cloud move had been designed not to create dependencies on our legacy infrastructure. If we had chosen to use our old Active Directory to manage sign-on to cloud services they would have been inaccessible to us.

“Our decision to reduce dependencies meant that many key systems were still available.”

“A key point is that the move to the cloud was important, but the cloud is not magically secure, and the architecture of how you move to the cloud is every bit as important.”

The recovery is still in progress but the council now runs very little on-premises infrastructure and has implemented the ‘zero trust’ security model it was already planning before the attack.

Google factor

Miller explains that in some cases this has accelerated the cloud transition for services. He adds that there has been “significant progress” in all areas, and that the council has continued its investment in Chromebooks as client devices and is using Google Workspace as its productivity platform.

It is also maintaining close attention to cyber assurance within its supply chain.

“There are two aspects to that,” he says. “The first is that, in common with other local authorities, we have always sought to do substantial cyber assurance checks with our suppliers when commissioning services.

“At Hackney we took cyber very seriously long before the attack, invested in technology and moved to the cloud. That has taught us that if it can happen to us it can happen to suppliers even if they have a strong assurance position.

“We already had all of the expected assurance arrangements, plus others, in place. Since the attack we’ve been going further and working with our partners on how we can use our collective scale to go further yet.

“The other aspect is making sure we are removing dependencies between our different services. We already had a zero trust direction of travel before the attack and are absolutely clear that is the basis of the model we are working on now.”

Avoiding assumptions

Miller says Hackney’s experience highlights how organisations need to avoid any assumptions around issues such as the choice of client software, and instead look closely at the possible implications for cyber security when they are making technology decisions. This is reflected in how its earlier moves to cloud systems prevented the fallout from the attack being even worse.

“This isn’t just for IT people across the sector, but people making decisions about service direction. The more we can challenge our assumptions around the systems we use, the more we can understand how fundamental that dependency is between the systems to deliver services and the underlying technology architecture to keep systems and data safe, the faster we can move.”

He also says the council is serious about ensuring that good practice in cyber security runs throughout the organisation, citing a longstanding policy under which if a new member of staff does not complete their security training within two weeks they are disconnected from the systems.

Rounding up, he emphasises two main factors. One is the all-round commitment shown by Hackney’s staff in IT and service teams to maintain services and deliver the recovery, when they were already coping with huge demands brought on by the Covid-19 pandemic.

The other is that: “Our recovery has been as hard as we expected it to be, and as hard as other organisations have found it, but it has been consistent with the intention we set.

“We are using that recovery to accelerate our strategy of modernisation. We are not modernising because that attack happened, but delivering the shift to the cloud we had already begun, and where we have been furthest advanced with that strategy we were least impacted or not impacted at all.”
