3 min

What are the changes in how local authorities consider cybersecurity?

The health crisis has accelerated the implementation of digital services offered by local authorities to citizens. Their use is only possible in an environment of trust, which is guaranteed by security. Unfortunately, the frequent cyberattacks suffered by local authorities over the last two years have shown weaknesses in cybersecurity measures.

Cyril Bras

Cyril Bras has been Director of Cybersecurity at Whaller since March 2022. He was previously the CISO for Grenoble-Alpes Métropole, where he initiated the creation of a CISO network for local authorities. He is also Vice President of the INCRT and is an IHEDN auditor for the 2nd national digital sovereignty and cybersecurity session.

View all posts

The awareness of elected representatives or management bodies is not yet equal to the challenges, since very often “the desire to offer new teleservices takes precedence over cybersecurity measures,” [1]which are perceived as constraints on use and not as added value.

The impacts are organisational, since the local authority can often no longer carry out its public service missions. This indirectly affects the image of elected representatives, but also the confidence of citizens in the digital services made available to them. The consequences can also be environmental (when the attack targets an industrial system, such as a wastewater treatment plant [2]), or financial (when, for example, it becomes impossible to collect revenues for parking spaces [3].

Each type of local authority covers complementary sectors of activity and holds data that can be monetised on the dark Web [4]. For example, municipalities manage civil status and schools; metropolises manage drinking water supplies and road traffic management; départements manage road infrastructure and secondary schools; and regions manage secondary schools and transport…. Of course, these are just a few examples. On the other hand, each entity manages its IT facilities independently and, when a cyberattack occurs, is left alone with its own IT department and CISO (where one exists).

In fact, the consideration of the cyber subject is highly variable from one community to another. Several factors explain this situation, as indicated in the CLUSIF’s 2020 MIPS (Computer Threats and Security Practices) report [5]. The first is the size of the local authority. For the smallest of them, the subject is not addressed, as they have an IS that is most often limited to the computer of the town hall secretary. They therefore naively think that they are not of interest to cybercriminals [6]. The CISO function begins to appear when an IT department exists, but paradoxically, the larger the local authority, the less visible the CISO function. There are at least three possible cases:

  1. the CISO is also the CIO—a very uncomfortable position of judge and jury;
  2. the CISO is attached to the IT department, and cybersecurity is perceived only from the technical angle (cybersecurity is therefore seen only from the prism of the IT department, which has no interest in highlighting the technical debt, for example);
  3. the CISO is outside the IT department and can address the management bodies (which is rarely the case in reality).

As discussed at a round table held in the French Senate in October 2021 [7], two points deserve particular attention if we want to see change. Firstly, the CISO must be able to speak directly to senior management, but also to elected representatives (in some local authorities, the CISO is prohibited from doing so). Secondly, as a logical consequence of the previous point, it is essential to develop this function into that of Cybersecurity Director and to have this position report to the strategic level.

While waiting for these changes, local authority CISOs have started to take action. In 2019, the idea of creating a network of local authority CISOs was born from the observation that it is regrettable not to be able to provide help or capitalise on the unfortunate experiences of victims. This collective initiative was announced at the FIC 2020 [8] during a meeting between a handful of CISOs from French local authorities and representatives of the ANSSI. Over the months, the network has been structured around a coordination committee made up of representatives of the different types of local authorities (always in close collaboration with ANSSI), but also around tools that allow the sharing of information and best practices. This experience has become a real success, since about 160 members make up this network, which will soon acquire the status of an association.

Of course, cyberattacks affect not only French local authorities, but also their European counterparts [9]. The actions undertaken (guides, exchanges of IOCs and best practices, mutual aid, etc.) have made it possible to significantly improve the level of maturity and security of the ecosystem of French local authorities. Shouldn’t this successful experience be extended to entities in other EU Member States?

B. Le Corre, “Victime d’une cyberattaque, les services de la ville d’Angers paralysés” [A cyberattack blocks the departments of the city of Angers], Brut, 21 January 2021. [Online]. https://www.brut.media/uk/news/victime-d-une-cyberattaque-les-services-de-la-ville-d-angers-paralyses-98ef8f15-267b-45a9-8413-10ca228d72c5. [Accessed on 14 January 2022].
D. Filippone, “Les stations d’assainissement d’Oloron-Sainte-Marie visées par un ransomware (MAJ)” [The wastewater treatment plants of Oloron-Sainte-Marie targeted by ransomware], Le Monde informatique, 30 September 2021. [Online]. https://www.lemondeinformatique.fr/actualites/lire-les-stations-d-assainissement-d-oloron-sainte-marie-visees-par-un-ransomware-maj-84347.html. [Accessed on 14 January 2022].
V. Bouvet-Gerbettaz, “Parkings : 80 000 euros de perte pour la Ville après la cyberattaque,» [Parking spaces: 80,000 euros of loss for the city after a cyberattack], Le Dauphiné Libéré, 09 December 2021. [Online]. https://www.ledauphine.com/economie/2021/12/09/parkings-80-000-euros-de-perte-pour-la-ville-apres-la-cyberattaque. [Accessed on 14 January 2022].
V. Bouvet-Gerbettaz, «Cyberattaque du Grand Annecy : quelles sont les données divulguées sur le darkweb ?” [Cyberattack of the Grand Annecy: what data has been disclosed on the dark Web?], Le Dauphiné Libéré, 10 May 2021. [Online]. https://www.ledauphine.com/faits-divers-justice/2021/05/10/cyberattaque-du-grand-annecy-quelles-sont-les-donnees-divulguees-sur-le-darkweb. [Accessed on 14 January 2022].
CLUSIF, “Études Menaces informatiques et pratiques de sécurité – Collectivités territoriales – Édition 2020 (MIPS 2020)” [Studies on Computer Threats and Security Practices – Local Authorities – 2020 Edition (MIPS 2020)], 30 June 2020. [Online]. https://clusif.fr/publications/etudes-menaces-informatiques-et-pratiques-de-securite-collectivites-territoriales-edition-2020-mips-2020/.
Marie de Crêts En Belledonne, “Communiqué Cyber Attaque” [Communiqué regarding the cyberattack], 13 February 2020. [Online]. https://cretsenbelledonne.alertecitoyens.com/e/?n=5f7028. [Accessed on 11 February 2022].
S. Barbary and F. Gatel, “Les collectivités térritoriales face au défi de la Cybersécurité” [Local authorities faced with cybersecurity challenges], Paris, 2021.
J. Cheminat, “Les RSSI des collectivités territoriales créent un réseau de partage” [The CISOs of local authorities create an experience-sharing network], Le Monde Informatique, 16 February 2021. [Online]. https://www.lemondeinformatique.fr/actualites/lire-les-rssi-des-collectivites-territoriales-creent-un-reseau-de-partage-81985.html. [Accessed on 11 March 2021].
Le Point, «Cyberattaque en Belgique : la ville de Liège victime d’un rançongiciel” [Cyberattack in Belgium: the city of Liege victim of ransomware], Le Point, 21 June 2021. [Online]. https://www.lepoint.fr/monde/cyberattaque-en-belgique-la-ville-de-liege-victime-d-un-rancongiciel-21-06-2021-2432063_24.php. [Accessed on 14 January 2022].
Send this to a friend