Cllr Andrew Kolker (Dane Valley) highlighted the potentially “catastrophic” impact on Cheshire East Council should the organisation be the target of a cyber attack. This followed the recent CrowdStrike outage, which instantly wiped out computer systems across the world. He suggested that the Council should organise ‘wargame’ simulation exercises to test how well prepared the Council was in the event of such an attack.
Speaking at Monday’s Audit & Governance Committee meeting, Cllr Kolker stated:
“I’d suggest that a full-on ransomware attack on the council would be catastrophic. You'd have to operate a council with no computers, no telephones except for mobile phones, and I would suggest that might be quite difficult, in fact, nigh on impossible.”
He highlighted the global vulnerability to cyber attacks and outages and the value of simulation exercises to test Council systems. He stated:
“(You could) have a hypothetical situation whereby the whole of the council's IT goes out and see whether you can run the council without any IT, and I'd suggest it would be extremely difficult.”
He also highlighted that Councils are expected to step in to support residents during crisis situations, which could include supporting residents who, as a result of the attack, are unable to access their bank accounts to purchase everyday essentials such as food or fuel.
“You can imagine the impact that would have on our society,” said Cllr Kolker. “So, I think these are extremely important issues that need to be very, very carefully thought about by the council and how they would handle it.”
Officers at the meeting confirmed that simulation exercises are going to be implemented across the council and that they had already “…taken part in broader, emergency planning led scenarios along a very similar line.” They added that there is a back-up policy for computer failure, providing a foundation “…on which we can work should that happen”.
They confirmed Cllr Kolker’s concerns, stating: “it is very difficult to be able to manage and deliver the full program of services which this organisation delivers, and we really need to be able to understand criticality, proportionality, accessibility.”
Reference:
The Cyber Assessment Framework (CAF)
To provide a clear cyber security standard for the local government sector, MHCLG will be introducing the Cyber Assessment Framework (CAF) for local government from 2024.
The Cyber Assessment Framework (CAF) was developed in 2018 by the National Cyber Security Centre (NCSC). It’s designed to help organisations take a systematic approach to assessing the extent to which they are managing their own cyber security risks.
Lead government departments are required to adapt the CAF in a way that is appropriate for the public sector organisations within their scope. MHCLG is currently developing supporting documentation, guidance and templates to guide the local government sector through the CAF.
What the CAF will mean for councils
The aim of the CAF is to promote and introduce good cyber security and resilience in organisations, so that the impact of attacks can be minimised. This means cyber attacks can be more quickly detected, and are easier to recover from.
Once the CAF for local government has launched, councils will be responsible for undertaking the CAF and using the assessment to manage their own cyber security.
MHCLG will use the results to understand any risks or issues within the sector. We will then consider how these risks can be addressed.
https://www.localdigital.gov.uk/cyber/cyber-assessment-framework-for-lo….