How councils can keep ahead of cyber threats

By Ian McCormack, NCSC Deputy Director for Government Resilience, and Emily Mayhew, DLUHC Cyber Policy Lead

Cyber security in local government is an exciting place to be right now. Collaboration is the watchword, and the sector has no shortage of supporters committed to helping councils become more resilient to online threats.
The public sector has made progress with cyber resilience in recent years but sadly, we know that cyber attacks do still get through, with costly consequences. These incidents show that more can be done across the sector, and this creates real opportunities for joint working, prioritisation, and problem-solving.
Standing shoulder-to-shoulder with councils is the National Cyber Security Centre (NCSC), the UK’s technical authority on cyber security, which works closely with the Department for Levelling Up, Housing and Communities (DLUHC) as well as their devolved government counterparts to support local authorities across the UK.
Through a range of activities and initiatives, we are helping councils meet the demands of a modern, secure, and resilient digital future. This means supporting them to put measures in place to boost their defences and to plan their response should they fall victim to a significant incident.

Cyber threat
As highlighted in the NCSC’s latest annual review, cyber criminals pose a significant threat to the UK public sector and successful attacks can have severe impacts on an organisation’s ability to deliver key services, its finances and reputation. Ransomware is one of the most acute threats the UK faces, and we urge all organisations to follow NCSC guidance so they can protect themselves.
Local authorities are no exception and recent high-profile incidents have highlighted the direct impacts but also the fortitude needed by staff to respond and recover in the longer term.

Actions and tools
Councils continue to build their capacity and capability but in the face of these evolving threats, there are some actions local authorities can all take to strengthen their cyber security posture right away.
Signing up for the NCSC’s free Active Cyber Defence (ACD) services is a great next step and many public sector organisations have done so and are enjoying the benefits already. There are a range of tools available which aim to help reduce the harm from commodity cyber attacks and build upon good cyber resilience.
This includes the Early Warning service, which has been well-received by council network defenders since its launch last year. This growing service helps UK organisations investigate cyber attacks on their network by notifying them of potentially malicious activity and, across all sectors, the total number of users almost doubled in the year to September 2022.
We strongly encourage councils to sign up for these tools and recommend keeping an eye out for the new internet scanning capability, which will help the NCSC better understand the sector’s vulnerability to cyber attack and improve council system owners’ awareness of their security posture on a day-to-day basis.

Good cyber resilience is not all about ‘tech’, however; it is also about people and improving understanding about cyber security so everyone can play a part in keeping an organisation safe. The NCSC has a range of advice to help with this.
Local authority CEOs have welcomed the Board Toolkit resources, including specific advice on ransomware, as well as Exercise in a Box, which helps organisations test how resilient they are to cyber attacks and practise their response in a safe environment.
These resources are designed to prompt discussion between Information Technology professionals and senior decision makers to help embed and sustain a shared understanding, and collegiate approach, to cyber security. Enabling clear and honest dialogue about threats, risk appetite, prioritisation and investment is key for effective risk management to help identify and address vulnerabilities.

Collective approach
We find the best approach to improving cyber resilience is a collective one. Cyber security is a team sport and government, law enforcement and sector representative partners are all on side to support local authorities. One of the key partnerships for the NCSC exists with DLUHC.
As the department responsible for overseeing local government in England, DLUHC has been instrumental in strengthening the sector and is working with local authorities to translate the ambitions of the Government Cyber Security Strategy into pragmatic, scalable and sustainable solutions.
The DLUHC Local Digital Team’s mission centres on helping councils build the digital public services of the future. Following the launch of the Local Digital Declaration in 2018 and more recently the Local Digital Fund, there has been a significant shift towards local government using more modern, user-friendly services based on flexible, secure technology. Alongside exploring the possibilities created by new technologies, the team is helping councils manage and mitigate the new and evolving risks that can come alongside them.

Progress and plans
Since 2020, more than 180 local authorities have put bespoke Cyber Treatment Plans in place to mitigate against security risks and vulnerabilities, with help from the DLUHC Local Digital team’s Cyber Support programme and more than £19m is being provided to fund interventions. The work has included a focus on ensuring councils have effective offline backups in place, in line with NCSC best practice, as this is a critical factor in how rapidly an organisation can recover from a ransomware attack.
DLUHC is also developing a clear cyber security baseline for local authorities, based on the NCSC’s Cyber Assessment Framework, which will give councils a comprehensive way to assess the extent to which they are managing cyber risks to their essential functions. It encourages users to reflect not only on technical aspects, but on governance, people, and process too.
The team has been working closely with ten councils this autumn to test how the framework should be applied within a local authority context. The project so far has explored questions around the scope of the assessment, the challenges, and opportunities for councils, and how to set a proportionate baseline. The project will also consider what reporting requirements and external validation should look like in the future. Updates and learning are being shared through the DLUHC Digital blog and events as this work continues.
DLUHC is also driving forward new initiatives to tackle more entrenched, common digital and cyber challenges across the sector, such as how to modernise critical services delivered by councils.
Over the next few years the Future Councils programme will explore these types of questions, and will enable councils to trial ambitious digital and cyber improvements across their organisations, reform key services, and influence organisation-wide factors that can unblock change for the wider sector. The first pilot cohort will be announced by DLUHC in early 2023.
More information can be found on the DLUHC Local Digital website or for those working in local government cyber security, we encourage you to consider registering for a place at the CYBERUK 2023, the UK’s flagship cyber security conference run by the NCSC which will take place in Belfast in April.
The theme of the conference is ‘securing an open and resilient digital future’ and it presents a terrific opportunity to collaborate and share ideas. It is through working together and making connections that we can help to keep councils, and the wider UK at large, safe online.