Because they handle a lot of personal and sensitive data concerning their citizens and since the continuity of public service is a major issue for them, cyberattacks are targeting more and more local authorities. From major cities to small town councils, how can these threats be dealt with? Situational analysis.
Some cybersecurity experts believe that the cyberattack on Baltimore City in the US in May 2019 represents a landmark event with regard to the cyberthreats facing local authorities. The high ransom and remedial action costs, the media coverage and the volume of posts affected meant the case made a deep impression. And it seems to have caught on, as examples have since multiplied on a global scale.
Cyberattacks and local authorities: an international threat
According to a 2020 study, 44% of ransomware attacks targeted municipalities. Ransomware attacks are becoming even more complex for victims. In September 2020, cybercriminals posted 20 gigabytes of data stolen from the French metropolis of Aix-Provence-Marseilles. These included the names of officers and their personnel numbers, and two files with 23,000 email addresses associated with the names. A leak of sensitive data that put the spotlight on a new form of intimidation, which consists in threatening to leak data in order to force the payment of a ransom.
And the threat is global. In July 2021, the administration of the Anhalt-Bitterfeld district in Germany was forced to bring its fax machines out of the cupboard after a cyberattack. In Italy, the entire Lazio region was affected in August, when a ransomware attack paralysed the regional data centre, notably rendering the anti-Covid vaccination booking platform unavailable. In the United States, there are countless examples. In September 2021, the Washington Post headlined Ransomware is wreaking havoc on US cities. From the Washington police department to the schools of Fairfax County, the trend seems to be well established and is even affecting prisons. In January 2022, a prison in New Mexico was targeted by a cyberattack, disabling cameras and automatic doors.
“There is an explosion of ransomware attacks,” confirms Vincent Nicaise, industrial partnerships and ecosystem manager at Stormshield. “This is especially true since some local authorities operate both traditional IT infrastructures and more sensitive IoT infrastructures, as the example of the cyberattack in New Mexico shows.” However, groupings of municipalities and other town councils are not known for their abundant cash flow. So why target them? For Philippe Loudenot, CESIN administrator, cybersecurity delegate on the Pays de la Loire Regional Council, and former Information Systems Security Officer (ISSO) in the social ministries, they are most often opportunistic attacks. However, since they constitute a direct threat to the proper functioning of public services, cyberattacks on local authorities deserve attention.
Public service undermined by cyberattacks
The reason why cybersecurity is so important for local authorities is that a cyberattack on them can have various consequences, each of which can be disastrous. Philippe Loudenot identifies five of these.
The danger to the continuity of public service, specific to administrations. Local authorities depend on their IT systems to administer a vast range of services, from school canteens to transport networks and social operations. Without access to their data, these services are interrupted or severely degraded.
The leakage, theft or loss of personal data is also a concern, as local authorities have access to sensitive data on their citizens. For example, in May 2021, cybercriminals released data concerning 1,000 officers of Grand Annecy in France, including their Covid test results and personal contact details, five months after an attack on the agglomeration grouping’s IT system. In August 2021, the French visa application website was also attacked in this way.
The loss of information assets is another risk specific to local authorities. In addition to data concerning their citizens, “local authorities hold a large amount of information,” says Philippe Loudenot, such as civil status, social, financial and taxation data, etc. If the integrity of this data is destroyed or compromised, the local authority risks losing part of its history.
The impact on the image of the local authority is also a major consequence. If citizens know about a cyberattack, this could have a negative impact on their trust in the local authority and its services. This is all the truer when local elections are being held...
Finally, the legal risk must be taken into account. In the event of a proven fault with respect to the protection of personal data, the local authority is exposed to sanctions by state authorities but also to legal proceedings undertaken by citizens themselves.
The stock market or public life
In terms of the distribution of threats, and according to a 2020 report by Clusif, a French association dedicated to IT security, 30% of local authorities declared themselves victims of ransomware. This figure should be taken with a grain of salt, as cyberattacks often go under the radar: more than half of the local authorities surveyed said they did not communicate on it. In 2021, the newspaper LeMagIt published a tally of the number of French cities affected by ransomware. In total, some sixty, including Mitry-Mory, Chalon-sur-Saône, the Eastern Lyons grouping of municipalities, Douai, Villepinte, Erstein, Istres and Annecy, were affected. As stated by the ANSSI in a dedicated guide, all local authorities and inter-municipalities are concerned.
The ransoms demanded can vary greatly, but the indirect costs of an attack must also be taken into accountPhilippe Loudenot, cybersecurity delegate on the Pays de la Loire Regional Council, and former Information Systems Security Officer (ISSO) at the Ministry of Health and the Prime Minister’s Office
The average ransom amount in the United States is $836,000, compared with €130,000 in France, according to the ANSSI. “The ransoms demanded can vary greatly, but indirect costs must also be taken into account,” underlines Philippe Loudenot. This is because the payment of a ransom is not the only loss that can be attributed to a cyberattack. Also in France, the city of Chalon-sur-Saône and the Grand Chalon agglomeration, for example, spent €550,000 on getting their IT systems back up and running after a cyberattack in February 2021. The local authority did not report any ransom payments, as the money was entirely directed towards remedial action, namely recovering the data and getting the system up and running again. In concrete terms, this resulted in the introduction of new procedures and the recruitment of additional staff in charge of network infrastructures, technical projects and security systems. Philippe Loudenot also mentions the costs related to the salaries paid to employees on lay-off, as well as the costs related to the communication operations required to keep citizens informed. Finally, since cybershit flies around in squadrons, possible sanctions may be considered if faults are found in the protection of personal data: “Even though the Commission Nationale de l’Informatique et des Libertés (CNIL - French National Commission on Information Technologies and Freedom) is more in the business of providing support”.
Risk vectors and area of attack for local authorities
A rationale of support is needed at all levels, since the area of attack of local authorities is so large, due to several points of fragility. At the root of this fragility is a definite lack of budget allocated to cybersecurity issues: most French local authorities devote less than 10% of their budget to cybersecurity, the rate recommended by the ANSSI.
A first direct consequence is that the sources of infection are often linked to the human factor. There is nothing revolutionary here, as officers are regularly exposed to phishing. And the level of educational work carried out, between digital hygiene awareness and cybersecurity training, is still too low.
A lack of budget also opens up another potential entry point for cybercriminals, due to ageing workstations, which use obsolete operating systems that often lag behind with regard to updates. And the field to be covered and protected is constantly expanding: local authorities have equipped their officers with smartphones, tablets and laptops. These are all additional entry points, with these fleets of connected devices whose passwords are often insecure, sometimes displayed in offices, and which officers rarely change.
The IT (and operational) networks that local authorities manage are another point of fragility. This is due to the fact that systems are often flat, without network segmentation, and therefore susceptible to lateral attacks. A cyberattack on one of the local authority’s departments can therefore contaminate the others, “thanks” to their interconnection. And once implanted, malware can lie dormant for a while, before being activated at the most opportune moment by cybercriminals, as in Gloucester in the UK, hit in January 2022.
Another point of vulnerability is an internal malicious attack, says Philippe Loudenot, who talks about “an unhealthy curiosity that would cause an officer to access confidential information” or a disgruntled former officer whose access to IT systems has not been revoked.
Cybersecurity for local authorities: long-term solutions
Threatened from within and without, are administrations condemned to endure waves of attacks? While a certain amount of administrative red tape may prevent the adaptation and flexibility needed to better protect against cyber risks, solutions do exist. In France, cyberattacks on local authorities are the joint responsibility of the ANSSI and the cybercrime department of the national gendarmerie. In the event of ransomware, the recommendations of these bodies remain conventional, says Philippe Loudenot: “Do not pay the ransom, in order not to encourage future cybercriminals, file a complaint and provide us with information”.
However, the adage “prevention is better than cure” also applies in this case. Above all, what is needed is for local authorities to change their overall approach to cybersecurity. What is the goal? To achieve long-term protection through a series of measures.
Awareness-raising is the most obvious. “We need to bring everyone up to speed on basic digital hygiene,” explains Philippe Loudenot. Set up strong passwords, change them regularly, do not leave them lying around on post-it notes on your desk, be wary of the links you receive, etc. Simple (basic) reflexes that still need to be fully adopted, recognises Philippe Loudenot. “We’re still a long way off,” he states regretfully. “The discourse is truncated because it is mainly about threats and local authorities do not feel affected. We need to talk about the impacts. The knowledge that they will not be able to ensure the continuity of their public service affects everyone.” For the expert, the perspective must be transformed: “It is not a question of ‘if’ but rather ‘when’ a local authority will be attacked. What is being put in place? What alternative ways of working exist?” Vincent Nicaise also notes a delay in awareness-raising. He emphasises that as part of the France Relance (French Recovery) programme, the French State can pay for up to 100% of the diagnosis within a local authority, so that it can take stock of its level and its requirements. And to go a step further, many practical guides have finally been published by the government on the subject of the cybersecurity of public services.
The discourse is truncated because it is mainly about threats and local authorities do not feel affected. We need to talk about the impacts. The knowledge that they will not be able to ensure the continuity of their public service affects everyonePhilippe Loudenot, cybersecurity delegate on the Pays de la Loire Regional Council, and former Information Systems Security Officer (ISSO) at the Ministry of Health and the Prime Minister’s office
In addition to raising awareness, local authorities must also put in place appropriate protection solutions. Endpoint solutions to protect workstations, firewalls to secure networks, encryption solutions to ensure data integrity, the tools are diverse and varied. However, they do come at a cost. In France, the ANSSI has been aware of these issues for several years and had already proposed a substantial budget to support local authorities, to the tune of 60 million euros over 2021 and 2022. At the beginning of 2022, the first beneficiaries of the France Relance (French Recovery) programme will reach the end of the cybersecurity course (on the audit component) and should have access to the co-financing plan (up to 70%, in the context of the programme). Thus, 2022 should (finally?) be the year of secure systems.
Another effective approach is to set up a backup system. The French local authority of Chalon-sur-Saône is a good example of this: the automatic data backups carried out on D-1 enabled the local authority to restart its systems without any data loss following the attack in February 2021. An effective system that “should be systematically set up,” recommends Philippe Loudenot, “but this is far from being the case”.
On the French side, the emphasis is also on building a network of local expert advisors. This network will be supported by cybersecurity expert advisors, in order to remain up-to-date with respect to knowledge of the vulnerabilities and alerts issued by the ANSSI and the CERT-FR (Governmental centre for monitoring, alert and response to IT attacks). The creation of a of a regional CSIRT (Computer Security Incident Response Team) is under way, in parallel with the announcement of the creation of a network of territorial CISOs, announced during the 2021 FIC (International Cybersecurity Forum). Finally, it is also important to note that the public interest grouping cybermalveillance.gouv.fr has set up a CyberResponsible City label to distinguish cities committed to an action plan to fight against cyberattacks.
All these initiatives mean that “today, elected representatives are becoming aware that the cybersecurity of their local authorities is not a non-issue,” says Philippe Loudenot. This is a good thing, as there is a lot of work to be done.