Sometimes we have no choice. The “I agree” buttons that now pop up all over the web may give us a chance to stop companies gathering our data. But when it comes to government we are often forced to hand over our details or miss out on essential services such as healthcare, education or social security.
Yet, while national governments can pour vast sums into cybersecurity to protect all this compulsorily gathered data, local authorities don’t have the same resources or expertise. The campaign group Big Brother Watch found in 2018 that UK councils had recorded over 98m cyberattacks over the previous five years, with at least one in four councils having experienced an actual cybersecurity breach. So, how confident can you be that local government can protect the confidentiality of your personal information?
We recently worked with a UK local government authority to test its cybersecurity, producing a confidential report. Over the course of two months, our team gained unauthorised access and even modified the personal details of several (unknown) citizens. No hacking skills, specialist software or hardware were required. We only used social engineering techniques. These included scam “phishing” emails, leaving memory sticks with potentially malicious software in public spaces, and impersonating people over the phone using details available online.
Over 650 members of the council’s staff unknowingly handed their login credentials to us by responding to our scam emails, which in some cases offered a chance to win an iPad. In giving up their details, these workers opened the door of the council’s information infrastructure to unknown, potential cybercriminals. When speaking to people on the phone, we found some staff who were willing, though sometimes reluctantly, to release the personal information of local citizens.
The UK national government recognises that it needs to take stringent measures to safeguard information and protect citizens and their rights. As such, the National Cyber Security Centre is leading a series of countrywide initiatives to make Britain secure and resilient in cyberspace. For example, it is carrying out annual surveys, running an accreditation scheme and encouraging information sharing to raise awareness of cybersecurity issues among businesses. It is also encouraging initiatives such as the UK Cyber Security Forum, a social enterprise for small businesses actively working in cybersecurity.
Unfortunately, these efforts don’t seem to be having an impact at local government level. Councils and their services still rely on a diverse array of departments and agencies that hold large, sensitive, partly overlapping and intersecting datasets, and responsibility for keeping them safe is often widely shared.
Cybersecurity is still perceived as a purely technical issue, and managers have a limited understanding of the human dimension of the problem. Human error or a lack of staff awareness is still among the most common factors contributing to the most disruptive breaches. With many councils using more technology to maintain and even improve services while reducing costs, this provides ideal opportunities for cybercriminals.
Unsurprisingly, the Local Government Association recently argued that councils may not be giving cybersecurity the same attention as threats to physical infrastructure, and that councils still need educating on the risks and consequences of a cyber-incident, as well as on how to deal with it when it happens. National government must help councils develop the leadership, governance, training and incident management skills that will enable them to ensure strong cybersecurity.
Technology is becoming an ever more important tool for encouraging citizens to engage with their local authorities, but it won’t work if people don’t feel they can trust councils to look after their personal information. What’s more, a data breach would break the psychological contract between citizens and government and lead to a loss of mutual trust.
Back in 2008, UK local government data handling was deemed a model for Europe. Today, the failure of local authorities to protect citizen data may well be the next big scandal waiting to happen.