by Mark Brett, honorary visiting fellow, De Montfort University and director at NLAWARP
The cyber agenda has recently been brought to the fore in peoples’ thinking, partly through the continuance of high visibility cyber attacks and partly through the increased reporting of cyber crime.
The fact remains that local public services need to be able to continue through the impact of a direct cyber attack or the consequences of a close partner or delivery organisations being affected by an attack.
One of the key aspects of cyber is the fact it is intangible: cyber attacks are not restricted by physicality and they can be instant, travelling at light speed through electronic signals. The cost of sophisticated technology is always decreasing, and the provision of commercial public cloud infrastructure has brought the power of multi-million pound data centres to people’s laptops.
The challenges faced by local public services to counter these unwelcome visitors can partly be addressed by traditional resilience planning and guidance. However, the traditional approaches to threat and risk management are predicated on historical trends and occurrences. A number of factors suggest that a new approach is required:
- Local public services are often outsourced and can be adversely affected if an outsourced supplier is attacked.
- Re-organisation and moves towards service integration between authorities and organisations significantly alter the threat profile and attack surface of those organisations.
- Criminal activity increasingly favours the cyber world where risks are seen as smaller and the gains greater. It is possible to steal data without removing the originals or leaving any traces.
- New technology or service developments create new opportunities. Electronic currencies like bitcoin enable digital transactions, but they can also be stolen and used to buy tangible goods or services.
We have for some time concentrated on business impact models to determine the level of resilience and integrity we build into systems, traditionally based on the need for confidentiality, integrity and availability. We need to learn from past experience, but at the same time think differently about the future. Different risk modelling methodologies, possibly based around services as well as people or places, are needed to reflect the realities of cyber risks, and we need to reconsider the harmful consequences that could be delivered through, or could affect, the cyber aspects of local public services.
Experience in planning
There is a lot of experience to call on – we planned for and managed events like the Year 2000 bug or the 2012 Olympics. We also plan for, and learn from, major incidents like the 7/7 attacks in London. All of these events had detailed and meticulous planning behind them, coordination protocols and resources of people and investment to make them safe.
However, in future there will be numerous smaller but nevertheless very damaging events that, whilst localised, will be debilitating to the services impacted and the communities they serve.
Perhaps the most profound issue is the need to think forward as to how we will continue to embrace digital services and maintain resilience. At the local level, digital leadership needs to re-focus on some of these issues – they may seem abstract today, but in the not too distant future they will be very tangible. More must be done to consider risk management based on potential harm and not just business impact, with greater use of modelling, planning and exercising of consequence management.
Too often the cry is “That would never happen”, but what if it did? What would the consequences look like? What would it cost? What would the harm be?
This article was first published in Local Leadership in a Cyber Society: Being Resilient by the DCLG led National Cyber Security Programme - Local and iNetwork.