Local authorities in the face of cybercrime

In its digital roadmap for the 2022-2027 term, Avicca—which brings together two hundred and thirty local authorities involved in digital transformation to facilitate the exchange of practices and act together on a national level—points to the threat posed by cybercriminals to local authorities, whatever their size and reputation. The association proposes a set of measures to strengthen the security of their information systems.

It reckons that one subject in particular remains uncared for: the lack of robustness and reliability of sensors and networks of the Internet of Things (IoT). For Avicca, the problem has a simple answer, whose implementation is more complex: the security of the entire chain—from sensors to supervisors—must be taken into account from the outset of projects (security by design).

As Ariel Turpin, its general delegate, points out, local authorities have no idea of the level of security of their sensors. It thus seems pointless to add more throughout the city, as this would only increase the fragility of the IS and make the city lose what could be gained in terms of economic optimisation or better vision and management of the territory. The association therefore suggests that a study be conducted—with various partners—on the IT security of the implementation chain of connected objects and that it be monitored specifically with regard to IoT sensors and networks.

65% of small local authorities do not judge the cyber risk correctly

Faced with the growing risks of cyberattacks, the players in the ecosystem share the same observation: there is an increased risk for « small » local authorities. This legitimate concern is confirmed by the study « Cybersecurity in local authorities with fewer than 3,500 inhabitants. » These represent 91% of local authorities. The survey was conducted among more than five hundred elected officials and agents by Cybermalveillance.gouv.fr, a platform managed by a Public Interest Group of fifty-six members, including Anssi, Avicca, and Cnil.

The study shows that 77% of local authorities have fewer than five dedicated computers, 77% outsource the latter’s management, and 65% think that the cyber risk is low or non-existent, or do not know how to assess it. Four main objections were raised by local authorities to the need for security: insufficient budget, lack of time, other priorities, or not concerned.

The study also showed a lack of perception of the regulations. Cybermalveillance.gouv.fr therefore collaborated with the Cnil to design a legal guide, which was published at the beginning of July. « It recalls the legal obligations of local authorities—and their public establishments—with regards to the protection of personal data, teleservices, and the hosting of health data, » explains Jérôme Notin, the site’s managing director. At the FIC 2022, the platform also launched an « Online Cyber Assistance » module allowing victims of a cyberattack to access a diagnosis directly on the websites that have integrated the service.

€60 million for the cybersecurity of local authorities

The above-mentioned study was conducted as part of the cybersecurity component of the ‘France Relance’ (France Recovery) plan. This plan devotes 60 million euros to cybersecurity for local authorities via cybersecurity courses, the co-financing of projects, and support for the creation of regional cyber incident response centres, or CSIRTs.

Since one of the selection criteria was to have a team in charge of IS security, Anssi realised that these measures did not necessarily benefit very small local authorities, so it subsequently rectified this. At the end of March 2022, it launched a scheme to support the deployment of cybersecurity solutions that are quick to install and in line with immediate needs in this area.

« This call for projects targets—as a priority—‘small’ municipalities and communities of municipalities via their pooling structures: public operators of digital services, departmental management centres, and mixed unions in charge of digital activities. It can also be aimed at tourist offices, mixed water or energy management unions, or CCASs (community social action associations), » explains Ariel Turpin. Among the families of products already eligible for subsidy are email security solutions, password managers, and secure backup solutions.

The gendarmerie as a local support partner

The gendarmerie is not to be outdone in its efforts to raise awareness among local authorities, the smallest of which often do not have an information systems director (ISD) and even less a chief information security officer (CISO). In 2021, with Cybermalveillance.gouv.fr, it launched the ‘Cyber Immunity’ system: nine questions to determine whether a local authority has a potential weakness in its IT system.

But its action does not stop there. To help elected officials who often have little or no training in cybersecurity, it announced at the ‘Assises Numériques 2022’—organised in June in Port-Marly by Seine-et-Yvelines Numérique—the launch of a basic pre-diagnosis tool. It is currently being tested in ten départements and is intended to be extended to the whole country.

« It consists of establishing an inventory of the protection of computer systems according to nine themes, and then drawing up a summary and appropriate recommendations, » said Colonel Barnabé Watin-Augouard, head of the Digital Proximity division of the gendarmerie’s cyberspace command (ComCyberGend), during the « Local authorities on the front line » conference at the FIC 2022. « The aim is to get elected officials and external service providers to ask themselves the right questions and then direct them to Cybermalveillance.gouv.fr. »

Pooling, a solution for small municipalities

For its part, Lille European Metropolis (MEL) has set up a pooled DPO and CISO scheme for municipalities in June 2019. Two CISOs have so far joined the service: Pierre Barrial at its creation, and Lionel Pratz a few months ago. Of the ninety-five municipalities of the MEL, sixty or so have already joined the scheme. « The design in 2021 of a charter for a municipality’s digital uses and data protection is a concrete example of our action, » explains Pierre Barrial. « Our objective is now to have it adopted by as many municipalities as possible. »

The MEL has also signed a contract with external service providers to support municipalities in their cybersecurity endeavours, in particular those that have been victims of cyberattacks. « We will be able to issue a purchase order to the service provider, with guaranteed intervention times, and we will act as intermediaries, » explains the CISO. « Because smaller municipalities do not always have the internal skills to determine their precise needs. »

The contract—which has been opened up to the ninety-five municipalities of the MEL and its satellites—will also be applied to other services. And the two CISOs are already facing a new challenge. « The NIS 2 directive extends its scope to essential operators, and in particular to local authorities, » says Pierre Barrial. « We will therefore have to inform them of the security measures to be implemented and support them. »