Ransomware: LGA response to the Joint Committee on the National Security Strategy inquiry - December 2022

We provided written evidence to the Joint Committee on the National Security Strategy (JCNSS) inquiry on ransomware.

About the Local Government Association (LGA)

The Local Government Association (LGA) is the voice of local government: not just of councils but of local government in its widest sense. As the national membership body for local authorities, we provide the bridge between central and local government, and we help councils deliver the best services to their local communities.

Our core members are English councils in full membership and Welsh councils in corporate membership through the Welsh LGA. Our Associate members include fire and rescue authorities, police, fire, and crime commissioners (PFCCs), national parks authorities, and town and parish councils through their membership body National Association of Local Councils (NALC).

We exist to promote, improve, and support local government. We are politically led and cross-party, and we work to give local government a strong, credible voice with national government and across the political parties. Supported by our team of experts covering every area of local government activity, we influence and set the political agenda on the issues that matter to our members so they can deliver local solutions to national problems.

Our extensive range of improvement programmes is sector-led and peer-based. Using expertise drawn from the sector, we build the capacity of councils to improve, so they can drive sustainable growth, deliver better public services, and empower communities.

Key Messages

Councils have information-sharing arrangements with organisations across the public sector. The information security policy space is congested, cluttered, and confusing. Councils need a single assurance regime enabling them to share data with their various public sector partners confidently. The LGA considers the development of the Local Government Cyber Assessment Framework by the Department for Levelling Up, Housing and Communities (DLUHC) as the best opportunity we currently have to deliver this.

Understanding supply chain cyber risk is beyond the scope of any single council. More work is needed to help councils manage their risk in this space. There are circumstances where stronger central government direction and guidance for local government on supply chain risks is required.

There is an insufficiently effective cyber insurance market for local government, and a lack of clear delineation of financial risk ownership between central and local Government: both need to be addressed.

The relationship between risk ownership, assurance, improvement, and support needs to be better defined.

It is not currently illegal for a council to pay a ransom to cyber criminals. A change to legislation should be considered.

The twin issues of Legacy IT and limited budgets necessitate further central government investment. Similarly, as many senior leaders and middle managers do not view data/information as an asset in the same way as people or money are – and this has a direct impact on the resilience of the services they lead – more investment in training and education is needed.

The extent and nature of the ransomware threat (including sources), modes of extortion, and how the threat could evolve in future

Ransomware remains the most significant cyber threat to local government. Ransomware incidents threaten both councils’ ability to deliver essential services to communities and their financial resilience. Despite extensive work undertaken to ensure local government is as resilient as possible to cyber-attacks, the risks posed by ransomware attacks are still increasing.

No two cyber incidents are the same, with attackers using different methods of attack and extortion. Attacks against local government generally target data, which is then encrypted with ransomware and effectively held ‘hostage’. Attackers then typically demand a ransom in cryptocurrency to grant access to the files. They may also threaten to publish or sell the data if the payment is not made.

Some affected councils have never recovered data and files encrypted by attackers.

Levels and sources of vulnerability of UK organisations to ransomware, including operators of critical national infrastructure

In England, more than one million people work in local government, delivering hundreds of essential services to local communities. Due to the pivotal role played and the significant amount of sensitive data held, ransomware attacks remain a significant risk.

The LGA works closely with the Cabinet Office, DLUHC and National Centre for Cyber Security (NCSC) to support councils to continuously improve in this area. Part of this means recognising that 100% cyber security is not possible. As such, the LGA works to not only minimise the risk of a cyber-attack, but also to prepare for an incident in order to reduce its impact if and when it occurs.

Councils are service providers, public sector service coordinators, leaders of place, and multimillion-pound organisations. They have become more digitalised in all these roles. The COVID-19 pandemic expedited digital transformation, and the use of emerging technologies has continued to change how councils work and what citizens expect of them. However, with increased digitalisation, councils’ cyber vulnerabilities have increased. In a context of increasing global cyber threat, this means the cyber risk to local government is increasing.

Councils often rely on external suppliers to deliver devices, products, and services, and have an annual procurement spend of over £70 billion in England alone. Local governments’ ability to reduce the risk of a cyber-attack and maintain cyber resilience also depends on the cyber security of the organisations in their supply chains. Procurement is an area associated with significant cyber risk. Embedding cyber-resilient practices into the council’s supply chain structure is integral to creating a solid foundation to prevent and mitigate the effects of cyber threats. To support councils in this area, the LGA developed resources and an e-learning course based on the NCSC’s 12 principles of supply chain security, adapted for the local government context. However, there are circumstances where central government direction and guidance for local government on supply chain risks is needed, for example where there are security implications from companies with strong ties to the governments of ‘hostile’ states.

Local authorities are autonomous organisations independent from each other and central government. As cyber-attacks tend to be isolated, there is resilience associated with the diversity of technology and discrete systems within the local government sector. However, councils share data and access to systems with various agencies to deliver essential services. These multiple intrusion points can increase vulnerability, especially if these linkages are not well known. It is vital that information flows between organisations are understood, owned by key managers in the organisation, and subject to technical scrutiny by staff with sufficient security knowledge. Where authorities rely entirely on a third party to deliver their services, assurance must also be sought regarding their security stance, approach to managing incidents, and arrangements for business continuity.

When councils are connected to other departments and agencies, these connections are usually governed by information-sharing agreements and assurance regimes to mitigate the risks posed. For this reason, a single assurance regime must exist between local government and its public sector partners. Councils currently face an often cluttered, confusing, and contested standards space. This burden can grow as departments migrate off the Public Services Networks (PSN) and consider future assurance arrangements. The government must adopt a coordinated approach to cyber assurance in local government, avoiding unnecessary duplication. Numerous standards would not only increase the workload but may also increase the cyber threat, making it more complicated to comply with cyber-resilient best practices. The LGA sees DLUHC’s development of a Local Government Cyber Assessment Framework as a critical opportunity to deliver this and is supporting the department to ensure it delivers for the sector.

Councils are facing significant financial pressures, with rising inflation and increasing demand for services (90% of which are statutory). Cyber security demands continuous investment to address vulnerabilities associated with legacy IT and to manage and mitigate new vulnerabilities that may arise from increasing digitalisation. If the investment is not continuously prioritised, there are concerns that councils will fall under the ‘cyber poverty line’ and no longer invest in what should be regarded as essential security measures. It is crucial that funding continues to be made available for sector-led improvement with local accountability and collective responsibility at its heart.

In 2021, the Local Government Association delivered security testing to a representative ten percent sample of local authorities. This has helped build a better understanding of common vulnerabilities in councils, make operational recommendations, and reach seven strategic conclusions for local government leadership that help protect against ransomware and inform our improvement support offer to councils:

  • People, processes, and technology: vulnerabilities stem from people and processes as much as technology
  • Investment: underinvestment in any of the above comes at an increasing cost and risk. New vulnerabilities arise, so ensure old vulnerabilities do not linger.
  • Cyber leadership: decision-makers and scrutiny bodies must have the cyber knowledge and understanding they need.
  • Risk management: technology cannot be completely ‘de-risked’, but risks can be managed.
  • Workforce: cyber security is a whole workforce issue. Everyone must understand their role in protecting the organisation and residents.
  • Readiness: expect a successful attack and to be impacted. Plan and exercise response and recovery.
  • Prioritise cyber security–related change programmes: the impact of a successful attack on services will exceed the frictional effect of change.

In the wake of an attack, the Local Government Association strongly advises against paying ransoms given the impact this can have on the broader cyber security of the local government sector and the UK. As these are criminal actors, there is no guarantee that councils will get access to data and devices if the ransom is paid, and the network may still be infected. According to Deloitte Insights research (2020), in a survey of 1,200 cybersecurity professionals, less than half of those who paid the ransom regained access to their data. The LGA is unaware of any local authority paying a ransom, even though the financial implications and impacts of ransomware attacks have often far surpassed the original demand, with one incident costing a council up to £12 million. However, a poorly functioning cyber insurance market for local government and a lack of clear delineation of financial risk ownership between central and local government, coupled with the fact that it is not currently illegal for a council to pay a ransom to cybercriminals, suggests that it is not beyond the realms of possibility that one could.

The effectiveness of the response to ransomware by the Government, law enforcement agencies, and other UK state actors, including key operational challenges and ministerial oversight

DLUHC is the lead government department for the local government sector, as set out by the Government Cyber Security Strategy. In implementing the strategy, DLUHC is considering how to apply and adapt the NCSC’s Cyber Assessment Framework in the most appropriate way for local government. DLUHC is currently undertaking a pilot with eight councils in England (including one shared technology service) to consult local government in its development. The migration of departments off the PSN is an opportunity to develop a single assurance model that would govern the information security relationship between local government and central government in the delivery of services. This would remove the duplicative standards councils must currently meet and reduce the reporting resources required to demonstrate that councils are compliant.

Reforms that might enhance the UK’s resilience to ransomware, reduce the economic and societal damage that it causes, and support the law enforcement response.

Currently there is no legislation in place that criminalises the payment of ransoms. Central government’s position of not paying ransoms does not currently extend to local government, except in cases of funding terrorism. A well-publicised position of not paying ransoms, backed by legislation ensuring that no one does, reduces adversaries’ incentive to attack and therefore reduces the cyber risk. This must also be coupled with a clear delineation of financial risk ownership between central and local government and a more effective cyber insurance market for local government.

Contact

Owen Pritchard, Head of Programme - Cyber, Digital and Technology

Local Government Association

[email protected]