In July 2017 the London Borough of Islington was hit by a Distributed Denial of Service (DDoS) cyber-attack. This case study summarises the events that took place and the steps the organisation took to manage the incident. There are key learning points for colleagues across the sector to take away.
In July 2017 the London Borough of Islington was hit by a Distributed Denial of Service (DDoS) cyber-attack targeted at the council’s online portal for citizens, ‘My e-account’, the part of the website that allows residents to manage their services and payments through a personal online account. In a DDoS attack the attacker floods a system with traffic from many sources at once, so that it can no longer serve its regular users. No data is stolen, but this type of attack can be extremely disruptive because key websites or services are put out of action for as long as the flood continues.
The unknown hacker struck on a Saturday (attacking at the weekend is a common tactic against businesses and organisations like councils, on the assumption that no staff will be on site to respond quickly). Fortunately, key staff from across Shared Digital (Islington shares its digital and ICT services with Camden and Haringey, with Camden as the host borough) were able to respond promptly, and within 24 hours Shared Digital agreed a solution with its internet service provider that would divert the attack into what is known as a ‘black hole’: the provider discards all traffic addressed to the targeted address upstream, before it reaches the council’s network. During the first 24 hours of the attack, all of Islington’s web services were rendered unavailable, including internal internet access and staff email. With the ‘black hole’ in place, the majority of services could be reinstated, with only the e-account portal, as the target of the attack, left disabled. Staff were able to work as normal by Monday morning.
The hacker seemed to stop the attack, perhaps realising they could no longer reach their target. With no further attacks by Tuesday morning, Islington took the decision to reinstate the e-account function. The hacker struck again. Shared Digital quickly reinstated the ‘black hole’, but the service was disrupted once more.
Using a ‘black hole’ to divert the attack away from Islington’s systems was only a temporary fix: it protects the rest of the network by sacrificing the targeted service, so a longer-term solution was needed to fully restore all services. Shared Digital continued discussions with its internet service provider to find a more permanent solution that would let the citizens’ portal become fully operational again without being taken offline by further attacks. A cloud-based solution was identified and installed by Friday afternoon of the same week. This came with a significant annual cost to the council and required a range of updates to other parts of the council’s network.
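To make the trade-off described above concrete, the following is an added toy model, not code from Islington, Shared Digital or their internet service provider. It reproduces the three states the case study describes: the link saturated and every service down, the target black-holed upstream so that other services recover but the portal stays dark, and a filtering mitigation in front of the portal so that residents get through while the flood is dropped. It assumes a fixed link capacity and models the unspecified cloud-based solution as a per-source rate filter; the traffic is constructed and the addresses are documentation ranges.

```python
from collections import Counter

# Constructed sample traffic for illustration only; it is not captured data from
# the Islington incident. Each entry is (source address, destination service).
RESIDENTS = [
    ("198.51.100.10", "my-eaccount"),
    ("198.51.100.11", "my-eaccount"),
    ("198.51.100.12", "my-eaccount"),
    ("198.51.100.20", "www"),
    ("198.51.100.21", "www"),
]
ATTACK_SOURCES = [f"203.0.113.{i}" for i in range(1, 5)]
ATTACK = [(src, "my-eaccount") for src in ATTACK_SOURCES for _ in range(50)]
TRAFFIC = RESIDENTS + ATTACK

# Assumed capacity of the council's upstream link, in packets per window.
LINK_CAPACITY = 100


def blackhole(packets, victim):
    """Upstream null-route: the ISP discards every packet addressed to `victim`
    before it reaches the council's link. Attack and legitimate traffic to the
    victim are dropped alike; traffic to other services is untouched."""
    return [(src, dst) for src, dst in packets if dst != victim]


def scrub(packets, victim, per_source_limit=5):
    """Filtering mitigation in front of `victim` (an assumed model of the
    cloud-based service in the case study, not its actual mechanism): sources
    sending more than `per_source_limit` packets to the victim in the window
    are dropped; the rest of the victim's traffic and all other traffic pass."""
    per_source = Counter(src for src, dst in packets if dst == victim)
    return [
        (src, dst)
        for src, dst in packets
        if dst != victim or per_source[src] <= per_source_limit
    ]


def deliver(packets, capacity=LINK_CAPACITY):
    """Traffic that reaches the origin servers, counted per service. If the
    offered load exceeds the link capacity the link is saturated and nothing
    gets through, which is what took every Islington service offline at first."""
    if len(packets) > capacity:
        return Counter()
    return Counter(dst for _, dst in packets)


if __name__ == "__main__":
    print("no mitigation:", dict(deliver(TRAFFIC)))
    print("black hole:   ", dict(deliver(blackhole(TRAFFIC, "my-eaccount"))))
    print("scrubbing:    ", dict(deliver(scrub(TRAFFIC, "my-eaccount"))))
```

Run as written, the model delivers nothing under the raw flood, only `www` traffic once the portal is black-holed, and both services once the per-source filter is in place. The black hole is cheap and fast to arrange with a provider, which is why it was the right first move, but the third state is the one residents need, and it is the one that carried a price tag and network changes.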
During this 6-day period, residents experienced a more limited service than usual from the council. Islington was able to host important information and resources on other parts of its website, but the personal account function remained unavailable, leaving citizens unable to manage online payments for things like council tax. However, regular communications to the public kept them informed about why this was and reassured them that the council was working hard to fix the issue.
Throughout the week a gold response team, led by Shared Digital’s Chief Digital and Information Officer, Ed Garcez, kept in regular contact via WhatsApp. The team comprised key technical staff, IT senior leadership and the service directors responsible for business continuity, and it enabled quick and effective communication and decision-making independent of the council’s own infrastructure, which was itself affected by the attack. The team continually had to weigh the cost of service disruption against the risk of further attack. The Chief Executive’s engagement with the team was immediate; Lesley Seary was kept regularly apprised of the situation and was proactive in her involvement in managing the response.
An Incident Report was subsequently presented to the council’s board.
A gold response team was quickly put in place, with easy lines of communication facilitated by WhatsApp. Key members of the team believe this agile way of working, in which every member was clear on their role and on the decisions they were able to take, saved precious time and saw the situation resolved as quickly as possible. Having a formal process for key staff to be on call out of hours was a key factor in this.
The active engagement of the Chief Executive and service directors also meant that decisions with cost implications, such as purchasing the cloud-based solution, could be taken without significant delay. Given the fast-moving nature of events, it was important that the costs and benefits of any decision were communicated clearly and effectively to these decision-makers by technical colleagues.
Working closely with the internet service provider
After the initial 24-hour period, Shared Digital benefited greatly from the proactive cooperation of its internet service provider, who even provided staff on site. The provider worked with Shared Digital to find the permanent solution to the issue and supported them in installing it.
Islington’s Communications team were part of the gold meetings and the WhatsApp group, enabling them to get messages out very swiftly (immediately, in one instance) to staff (especially frontline colleagues), elected members and residents as the status of systems changed. The Communications team received clear and comprehensible updates from the core response team, which allowed them to provide the right level of information to the public and to help manage the reputational impact of the attack.
The shared service arrangement meant that, although the attack was targeted at an Islington site, the council could call on the expertise and resources of staff from across Shared Digital. This improved resilience, and the larger pool of staff enabled Shared Digital to work around the clock that week to resolve the issue. Having technically able staff on hand saved precious time in understanding the nature of the attack and working to counter it.
Key learning points
- Quick decision-making is vital in a cyber incident: the longer the attack goes on, the greater the disruption caused. Having clear roles and responsibilities, including who makes the key decisions, is extremely important. In Islington, the roles and responsibilities of the core ‘gold team’ who managed the incident, and the chain of command, were well understood. Key figures, including technical staff, were empowered to make rapid decisions where necessary.
- The engagement of the Chief Executive is very important. Lesley’s proactive involvement meant that key decisions could be taken quickly, particularly where this involved signing off costs or weighing up operational risks.
- A shared service arrangement can be valuable if it means there is a greater pool of knowledge and skill to tap into. In this case Islington was the council affected, but staff from across Shared Digital played a crucial role in working to resolve the issue.
- Councils should plan for how they will communicate with elected members and the public in the event of a cyber-attack. The proactive communications strategy employed by Islington Council was fundamental to maintaining the council’s reputation. Feedback from the public suggested they were largely sympathetic to the council and the steps it took to respond to the incident.
- Councils need to have tried and tested business continuity plans in place. In Islington, with citizens unable to carry out particular business, such as making certain payments online, there was clearly going to be a big knock-on impact for the council, including delayed receipt and administration of payments and extra pressure on other customer channels.
- Councils should maintain good communication channels with their internet service provider and plan in advance how they would work together in the event of a similar attack, especially given that the usual email channels and shared systems had to be shut down and could not be relied on during the incident. Where IT management is outsourced, this will also be an important factor to understand and plan for. The positive working relationship with the internet service provider in Islington was vital.
- Consideration may need to be given to how procurement is handled in an emergency. It took Islington a day for procurement procedures to be satisfied before the solution that enabled all systems to be restored could be installed.
- Some level of forensic analysis may be useful to understand the motivations of attackers, which means retaining traffic and provider logs from during the incident rather than only restoring service. Islington logged the incident with the National Crime Agency and the National Cyber Security Centre, but no follow-up actions were taken. Islington carried out its own low-level investigations but was not able to establish the identity of the hacker; this is common with DDoS attacks, where the traffic typically comes from compromised third-party machines or spoofed addresses rather than from the attacker directly. Knowing the identity might have enabled Islington to understand the hacker’s motivations, for example whether the attack was in retaliation for a perceived failure in its services.