What are the changes in how local authorities consider cybersecurity?

The awareness of elected representatives or management bodies is not yet equal to the challenges, since very often “the desire to offer new teleservices takes precedence over cybersecurity measures,” [1]which are perceived as constraints on use and not as added value.

The impacts are organisational, since the local authority can often no longer carry out its public service missions. This indirectly affects the image of elected representatives, but also the confidence of citizens in the digital services made available to them. The consequences can also be environmental (when the attack targets an industrial system, such as a wastewater treatment plant [2]), or financial (when, for example, it becomes impossible to collect revenues for parking spaces [3].

Each type of local authority covers complementary sectors of activity and holds data that can be monetised on the dark Web [4]. For example, municipalities manage civil status and schools; metropolises manage drinking water supplies and road traffic management; départements manage road infrastructure and secondary schools; and regions manage secondary schools and transport…. Of course, these are just a few examples. On the other hand, each entity manages its IT facilities independently and, when a cyberattack occurs, is left alone with its own IT department and CISO (where one exists).

In fact, the consideration of the cyber subject is highly variable from one community to another. Several factors explain this situation, as indicated in the CLUSIF’s 2020 MIPS (Computer Threats and Security Practices) report [5]. The first is the size of the local authority. For the smallest of them, the subject is not addressed, as they have an IS that is most often limited to the computer of the town hall secretary. They therefore naively think that they are not of interest to cybercriminals [6]. The CISO function begins to appear when an IT department exists, but paradoxically, the larger the local authority, the less visible the CISO function. There are at least three possible cases:

1. the CISO is also the CIO—a very uncomfortable position of judge and jury;
2. the CISO is attached to the IT department, and cybersecurity is perceived only from the technical angle (cybersecurity is therefore seen only from the prism of the IT department, which has no interest in highlighting the technical debt, for example);
3. the CISO is outside the IT department and can address the management bodies (which is rarely the case in reality).

As discussed at a round table held in the French Senate in October 2021 [7], two points deserve particular attention if we want to see change. Firstly, the CISO must be able to speak directly to senior management, but also to elected representatives (in some local authorities, the CISO is prohibited from doing so). Secondly, as a logical consequence of the previous point, it is essential to develop this function into that of Cybersecurity Director and to have this position report to the strategic level.

While waiting for these changes, local authority CISOs have started to take action. In 2019, the idea of creating a network of local authority CISOs was born from the observation that it is regrettable not to be able to provide help or capitalise on the unfortunate experiences of victims. This collective initiative was announced at the FIC 2020 [8] during a meeting between a handful of CISOs from French local authorities and representatives of the ANSSI. Over the months, the network has been structured around a coordination committee made up of representatives of the different types of local authorities (always in close collaboration with ANSSI), but also around tools that allow the sharing of information and best practices. This experience has become a real success, since about 160 members make up this network, which will soon acquire the status of an association.

Of course, cyberattacks affect not only French local authorities, but also their European counterparts [9]. The actions undertaken (guides, exchanges of IOCs and best practices, mutual aid, etc.) have made it possible to significantly improve the level of maturity and security of the ecosystem of French local authorities. Shouldn’t this successful experience be extended to entities in other EU Member States?