Influential forum hosted by DCLG calls for more active role for local bodies with central support in facing up to cyber security threats
A group of cyber security experts and high-level public and civil servants have highlighted the need for much stronger coordination between central and local government in facing up to information security threats.
A report published by the influential St George's House consultation forum calls on the Government to take in a number of issues as it works on a new National Cyber Security Strategy, including a need for common standards and guidance, a more focused role for local resilience forums (LRFs), and a holistic approach that recognises the blurring of boundaries between central and local government.
Local Leadership in a Cyber Society is based on a two-day discussion at St George's House hosted by the Department for Communities and Local Government in partnership with the National Cyber Security Programme, the BCS, iNetwork and the City of London. Participants included representatives from a number of central and local government bodies, including the Office of Cyber Security and Information Assurance, Solace and Socitm, along with senior police officers and cyber specialists.
Under the radar
The report comes as the Government is working on the new strategy and setting up a National Cyber Security Centre (NCSC), and argues that the national focus needs to recognise that there is a big need for cyber resilience at a local level. That need is intensified by reports of plenty of 'under the radar' attacks on public authorities, and complicated by the restructuring of England's local government under the devolution agenda.
It says this creates the need for a more flexible and holistic approach at local level, but that it has to be supported by one of its major recommendations – for a national framework of shared principles, agreed standards and coordination.
The NCSC could play a significant role in this, providing a single point of contact between central and local government, and developing a governance model for strategic planning and bringing together organisations involved in the effort. It could also help in developing a mechanism to help local authorities identify and quantify cyber security risks.
Another central body, the Cyber Security Information Sharing Partnership (CiSP), could play a role in making councils better aware of cyber threats, notably through building a stronger relationship with the warning, advice and reporting points (Warps) where they share information.
Some shortcomings at local level are also identified, including the need for better management of intelligence on communities and cyber risks, and for more emphasis on the role of senior information risk owners – a position that does not exist in many local authorities.
Others involve poor housekeeping in managing cyber risk, such as the proliferation of council websites, no clear guidelines for the use of social media and a lack of common security principles.
In response, one of the big needs is to develop common principles and minimum standards, and to provide more locally targeted and role-based guidance and training. It should also be a priority to ensure cyber risks are included on local risk registers to ensure senior officials and leaders are fully aware of them.
The other group of organisations that could play a more active role is the network of 38 local resilience forums, which bring together all the organisations with a stake in the issue. The report says there is an urgent need to determine what role they should play in promoting cyber resilience.
It also makes a familiar call to build a strong cyber-aware culture in local authorities and among their partners, making use of the Cyber Resilience Model being developed by a DCLG team.
Overall it emphasises the need for a stronger partnership between central and local government, with the summary stating: “Central government needs to recognise local authorities as partners in delivering cyber resilience rather than seeing them as an end user of their products.
“Whilst likewise local authorities must collectively recognise the need to prioritise cyber resilience and to better engage with central government where they have the knowledge, expertise and capacity to lead on this agenda.”