Where are we at with cyber-security in government? An article by Rene Millman in The Guardian[1] stresses that both central and local governments are increasingly at risk of cyber attacks. They should, he notes, be trying to constantly improve their systems and, perhaps most importantly, fostering an increased staff awareness about how to protect data.
While the chancellor in the UK has committed £1.9bn over five years to strengthen cybersecurity defenses, Millman underscores that the US has earmarked in 2017 alone 10 times the UK amount. The UK, Millman estimates, is earmarking almost twice the figure that France has allocated for 2016 to 2019.
Questions remain how this money will be allocated and whether it will be effective. Governments are searching for new ways to invest in expanding capabilities to engage in cyberwarfare. In the long run, however, it will be critical to develop offensive capabilities that are coordinated on a national and international level and combined with a well-developed defensive posture.
In the UK and elsewhere money is being allocated to central government agencies but doubts remain whether local authorities are developing enough protection. Typically, Millman quotes Andrew Rogoyski (former adviser to UK government on cybersecurity issues) that “with local government at the sharp end of austerity, cybersecurity spending is lower than it should be.” Local officials don’t necessarily perceive cybersecurity programs as a priority as they contend with decreasing budgets and increasing requests for public services.
Local agencies in many countries are initiating digital transformation programs that are gradually creating new savings and economies of scale plus providing services to citizens in new ways. What’s important is, according to Rogoyski, to ensure that “such changes are designed with security build in, rather than bolted on.” Mere compliance with regulations is not enough; there needs to be a transformation in the planning and implementation of new services.
Managing security issues wrong could result, Rogoyski cautions, in a loss of confidence in new services and many citizens reverting to legacy manual services; thus, pushing costs up and “responsiveness down”. Technology is rarely the sole problem. Activities regarding community engagement and outreach concerning innovation and issues of cybersecurity need to be encouraged by local government.
Looming on the horizon for local governments is the introduction of the General Data Protection Regulation (due to enter into force in May 2018). Local governments will face fines if they fail to demonstrate that the processes that they have put in place are capable of protecting personal information. Since many local authorities are small in size and lack the resources to initiate new programs, more needs to be done to encourage them to work together with other authorities in their respective areas on issues of technological change and innovation, particularly those regarding cybersecurity.
Often lost in the efforts to develop compliant security programs is that many standards are written, adapted, and implemented with a lag-time that means they rarely are in sync with current real-time attacks and techniques. All too often the primary issues are not technological but educational. Local authorities need to educate their employees and foster an awareness of what data protection means. People are the weakest link in local government both inside government and outside. Much can be done to eliminate many problems “simply by ensuring that local authority staff have been trained to understand the dangers of phishing and social engineering”.
As our project proceeds we would do well to remember the above enjoinder about technology and education. Technological change needs to go forward along with educational activities to foster increased awareness concerning possible cyber-security issues.
[1] Millman, Rene. https://www.theguardian.com/public-leaders-network/2016/nov/21/cybersecurity-public-sector-threat-data . 21 November 2016
John Forrester
Ancitel