We are no longer facing a cyber ‘threat’ – it’s a real and present danger

As an industry, local government has become used to talking about cyber security risks as threats, but this is no longer appropriate – while ‘threat’ implies impending danger, the risks are real, present, and happening now.

We need to start thinking of the cyber threat in terms of the boiling frog analogy. It is happening to us so slowly that we are not really noticing it, and we may not until it is too late.

Local government faces real and immediate risks, both as a direct target and as incidental collateral damage. An increasingly worrying issue is the risk of attack by nation-state threat actors, a term which describes government-sponsored groups from other countries. Classically we have said that China wants your intellectual property, Korea wants your money, Russia is after political domination and Iran just wants revenge but, actually, they all want all four.

But why would local government be a target? If I were a state-level actor, then local government would offer an attractive proposition. Local government is going to be easier to get into than national government but in many ways has a similar signature effect on people because of the services it provides, whether that is waste management or other essential services. If I am a hacker, I am always looking for areas where there is no unitary governance, and local government doesn’t look very unitary as a group of organisations. By comparison, the nefarious actors are not siloed – many are talking to each other freely and openly on the dark web about the techniques they use and what works and what doesn’t.

Being collateral damage in an attack is also a possibility. This was demonstrated by the NotPetya malware attack, which was developed by Russia to target business in Ukraine, yet one of the worst-affected companies was one caught in the crossfire: the global shipping company Maersk, based in Denmark. State-level cyber weapons are in the public domain, and they are on the loose. Some of these are like weapons of mass destruction, but they are more biological than nuclear, so they have a life of their own and will attempt to move from ecosystem to ecosystem.

While local government is increasingly aware of its IT systems being at risk, Operational Technology (OT), which refers to technology used to monitor and control processes, has been less considered. This needs to change, for two reasons. First, hackers are increasingly aware that OT often presents a vulnerable target. Second, systems are more integrated than ever before, increasing the likelihood that malware can move between IT systems and connected OT.

If you work in local government and don’t think OT is a concern, think again. OT that might be at risk of attack could include CCTV systems, traffic light systems, lifts, security-controlled doors, fire control systems, heating, lighting, air conditioning and more, whether this is targeted to cause disruption and danger or affected as part of an unrelated attack moving between unsegregated systems.

The good news is that these vulnerabilities can be addressed and protected if you act and stop sitting unaware in the boiling pot. This is a wicked problem, and wicked problems are solved by teams, not individuals. While local government is starting to understand the level of risk, it will need help working out what to do about it in a resource-constrained environment. The Cyber Centre of Excellence (CCOE), with its breadth and depth of expertise, can help.

 

Major General Martin Smith CB MBE

Major General Martin Smith CB MBE is Managing Director of Cyber Prism, a cyber security company which protects Operational Technology (OT). He also sits on the Advisory Board of the Cyber Centre of Excellence (CCOE), an organisation set up to act as a one-stop-shop to assist local government members through their cyber security journey. 
