Software resilience: LGA and Socitm response to call for views on software resilience and security for businesses and organisations

The Local Government Association (LGA) and the Society for Innovation, Technology and Modernisation (Socitm) provided a joint response to the Department for Science, Innovation and Technology (DSIT) and Department for Digital, Culture, Media & Sport (DCMS) call for views on software resilience and security for businesses and organisations.

About us

The Local Government Association (LGA) is the national voice of local government. We are a politically led, cross-party membership organisation representing English councils. Our role is to support, promote and improve local government, and to raise national awareness of the work of councils. Our mission is to improve the secure use of digital technology by councils and communities.

The Society for Innovation, Technology and Modernisation (Socitm) is a membership organisation of more than 2,500 digital leaders engaged in the innovation and modernisation of public services. Established more than 30 years ago, our network provides a strong voice, challenges convention and inspires change in achieving better place-based outcomes for people, businesses and communities.

Key messages

Local authorities are faced with three main challenges relevant to this consultation:

  • Local authorities deliver a range of services that require specialised software, and therefore have a unique set of software requirements. This means that councils are often faced with a lack of supplier options and a power imbalance between them and suppliers. This power imbalance sometimes results in suppliers not improving or sufficiently securing the software products on which councils and critical public services depend.
  • The lack of transparency in software supply chains also presents councils with security risks that they cannot currently treat adequately.
  • When responding to a cyber incident that impacts local government and residents, the current regulatory environment appears to prioritise the interests of suppliers over the security of public services and residents.

To help councils overcome these challenges it is recommended that Central Government:

  • Improve the transparency of supply chains, incentivise secure software development, and promote informed choice.
  • Prioritise and support development of a standard for aspects of software development and distribution.
  • Support SME market disruption.
  • Through Crown Commercial Services, improve secure procurement practices for local authorities.
  • Strengthen regulation that compels suppliers to share information about incidents and associated risks in a timely manner.
  • Introduce secure mechanisms for sharing information about vulnerabilities and malicious code between local government, developers, distributors and researchers.

Introduction

We welcome the opportunity to respond to this call for views. Increasing digitalisation presents significant opportunities for transforming public services and citizens’ experience of them. Local government has embraced digital delivery, which means that software is now fundamental to councils and the essential services they provide.

Rapid technological innovation and advancement have come with increased vulnerability and risk, and cyber security is a priority for local government in protecting essential services and the data of our residents. Yet, as councils seek to deliver services that are ‘secure by design’, there is rapidly growing concern about the security of the supply chain, and that cyber security practices are failing to keep pace with innovation and are introducing risk to the sector. The software supply chain carries particular risks, which are reflected in this response.

This response has been informed by engagement with the sector. We have picked out three important and interdependent themes that we urge the Department for Science, Innovation and Technology to carefully consider when determining how government best supports software security and resilience in the UK. These themes focus on challenges and proposed solutions in:

  • Challenges with the supplier market
  • Barriers to secure procurement
  • Vulnerability management and incident response

Challenges with the Supplier Market

Local authorities deliver a range of services that require specialised systems and software (e.g., planning systems, adult social care case management systems, ‘revenues and benefits’ systems), and therefore have a unique set of software requirements that constrain product choice. In some service areas, only one or two organisations provide the specific systems that councils rely on; for example, there are very few electoral systems available to the sector. Local authorities need confidence in the security and resilience of software and systems critical to local service delivery. Yet this lack of provider choice and competition is creating barriers to building the cyber resilience of local government, achieving efficient outcomes and securing value for money.

The current environment disincentivises suppliers from improving and updating software products and from responding to the security concerns that councils, as customers, may have. For example, there are instances where key local government systems are built using unsupported, legacy software, and the lack of competition in the marketplace is preventing improvement.

This is a considerable issue for councils as the use of legacy components prevents councils from strengthening their cyber resilience; increases cost through the need to take alternative measures to mitigate risk (e.g. network segregation); prevents achievement of security standards such as Cyber Essentials or Cyber Essentials Plus; and introduces barriers to joint working with partners who expect software to be fully supported in adherence to Data Protection legislation.

The lack of transparency in suppliers’ software development practices is also a significant challenge. Often developers and distributors are unable, or unwilling, to provide information about the different components and the architecture that make up the software they are selling. These conditions make it very difficult for councils as customers to make meaningful assessments of the level of risk introduced through the products they use. The lack of transparency also makes it challenging for councils to manage their vulnerabilities and respond to incidents, as covered in the final section.

Councils also face challenges in obtaining sufficient, evidenced assurance that software suppliers are testing their products (e.g., through CREST and CHECK accredited penetration testing), as suppliers cite commercial or security sensitivities as the reason for not sharing this evidence.

In the absence of a standards regime, the burden is placed on councils to establish their own standards and methods of assurance to secure their systems and manage risk. Each of the 317 councils in England, as well as the councils in the Devolved Administrations that Socitm represents, must do this individually, which impacts productivity and places a further resource strain on the sector at a time when local government workforce pressures are already significant.

A policy environment that incentivises secure software development and distribution practice and supports supplier choice for purchasing authorities is critical. Intervention priorities should include government support and endorsement of a standard for software development and distribution. This would support security and quality assurance, encourage consistency and facilitate improvement across the software marketplace. The absence of a standard perpetuates challenges around transparency, and without a clear framework that signals what good looks like, councils struggle to determine how to effectively assess and manage the security of the software they use.

An improved articulation of good practice also presents opportunities for higher quality, secure innovation within local authorities through in-house software development. This ethos is being supported by the Department for Levelling Up, Housing and Communities (DLUHC). Through the Local Digital Fund and their Planning Software Improvement Fund, DLUHC are aiming to support a new, more modular, software landscape to encourage digital innovation and reduce reliance on inflexible and expensive technology.

Guidance on good practice would strengthen and support more innovative sector-led projects that involve software development by providing a framework that facilitates trust and the sharing of tools and solutions. This would enable other councils to adopt and benefit from innovation in the wider sector.

We would also strongly encourage market disruption policy interventions to counter the lack of supplier choice. This could include:

  • Enhanced standards and assurance for systems that are critical to local government and wider public sector activities.
  • Central support and funding to enable small and medium-sized enterprises (SMEs) to break into and remain in failing marketplaces, such as ones where legacy IT dominates. This type of market disruption has the potential to influence and support improved software development practices and security more broadly, and to rebalance the power relationship that currently exists between some bigger suppliers and the sector.

Barriers to Secure Procurement

Councils are independent organisations that individually procure software in accordance with their own procurement practices and processes. This is often a difficult and time-consuming process for councils due to the lack of transparency in the software market. As discussed, many organisations have found suppliers to be resistant to providing the information and evidence required to assess the security of software. In the context of constrained budgets and significant financial pressures, councils undertaking these tasks individually is an inefficient use of already stretched IT and cyber security specialists’ time.

Common approaches do exist; for example, many councils procure technology through frameworks such as the G-Cloud framework run by Crown Commercial Services (CCS). Councils also sometimes procure through regional purchasing organisations that deliver better value for money through joined-up procurement. Whilst the local sovereignty of councils must be retained, more support for enhanced common approaches to procurement must be considered to redress the power imbalance between some suppliers and councils, and to strengthen the cyber resilience of the sector.

Frameworks provide a mechanism for quick access to the market, and support efficiency and value for money. However, many of these frameworks do not include sufficient security measures to provide assurance to councils as customers, and Crown Commercial Services expects each individual purchasing authority to undertake its own assessments to meet its own security assurance needs.

We’d welcome interventions from government to ensure that organisations are able to make better informed assessments about the risk introduced through their software supply chain. For example, procurement frameworks could support transparency and provide assurance by endorsing standards and having accreditation routes for software developers and distributors, enabling purchasing organisations to procure software from trusted developers and distributors. To counter the challenges faced in assessing the security of suppliers, such as a lack of regular security testing, consideration should be given to how CCS could assess this on behalf of councils procuring through their frameworks. However, councils would require assurance from CCS that this was done by security specialists.

A framework feedback loop that enables purchasing organisations to flag poor security practice could also support better informed choice and incentivise improvement as a condition for suppliers accessing these frameworks/markets.

The nature of the marketplace and the complexity of software mean that councils can be constrained and, in some cases, do not have the right skills, tools and capacity to assess the security of software with the limited information provided by suppliers. We are supportive of the range of policy measures suggested in the call for views, including guidance on best practice for software development, distribution and procurement, and the use of software by customers.

We’d welcome further enhanced support from Government for the sector to facilitate peer-to-peer learning exchanges and the sharing of good practice in developing robust contractual clauses, negotiating with suppliers, and contract management.

Vulnerability management and incident response

Software vulnerability management and incident response are significant challenges for councils as customers. Limited visibility of the components used in software development makes it difficult to identify vulnerabilities and respond to incidents effectively. For example, when the Log4j vulnerability was reported, many councils experienced challenges identifying the extent of their exposure, and it took some developers and distributors months to notify customers and issue updates. This highlights how the lack of transparency about the components of software hinders quick and effective responses, even when there is widespread awareness that a vulnerability exists, as was the case with Log4j.

Communication of vulnerabilities is a major barrier to security and resilience. Councils rely on suppliers to disclose information, and often this can be hard to find, not shared in a timely manner or not shared at all. For example, local authorities can spend a lot of time searching for information about vulnerabilities across multiple threat feeds in a way that is not targeted. This time-consuming approach to vulnerability management places the burden on councils and takes vital resources away from wider IT and security priorities. It also increases the likelihood of missed information, thereby creating further unnecessary risk.

Insufficient communication from a supplier when responding to a cyber incident that impacts local government systems, networks and/or data is a worrying trend. There have been multiple cases where suppliers have failed to provide, in a timely manner, the information that enables councils to manage risk to residents and services and to deliver their statutory duties. Lead departments are unable to act, as there is a lack of regulatory levers at Government’s disposal to compel action from suppliers.

This creates an environment where the commercial interests of suppliers are prioritised over secure public service delivery, and councils in some instances are unable to manage their risk and provide sufficient protection to vulnerable council residents.

This imbalance requires urgent policy intervention, and we are supportive of many of the approaches suggested in the call for views. For vulnerability management and incident response, we believe the following actions are of critical importance to councils:

  • Improved standards and guidance across the software lifecycle that includes and promotes good practice for vulnerability management and incident response.
  • Secure mechanisms for sharing information about vulnerabilities and malicious code between local government, developers, distributors, and researchers. Mechanisms that support these groups to work together and share intelligence would strengthen practice in the sector. For example, a central database that acts as an inventory of software components and facilitates vulnerability reporting would help councils to respond to risk in a better informed and targeted way.
  • Government support for the development and promotion of tools that scan software packages and components for known vulnerabilities and indicators of malicious compromise would also help. Ensuring that the cost of such tools is not prohibitive for the local government sector is important.
  • Finally, there is a crucial need for strengthened regulation that compels organisations to act in the interests of protecting vital public services and resident data in the event of a cyber incident. This includes ensuring that customers are aware of any incidents and the risk posed as a result.

Key contacts

LGA: Jenny McEneaney, Senior Improvement Policy Adviser: Cyber, Digital, and Technology

Socitm: Martin Ferguson, Director of Policy & Research