Steve Mathieson is a freelance analyst, journalist and editor, covering IT, government and healthcare, often in combination, writing for publications including The Guardian, I-D Information Daily, editing Society of IT Management's magazine.@samathieson
Councils facing impossible choice between between spending on cyber security or delivering front-line services.
The event was a debate hosted by the Local Chief Information Officers Council, an independent group supported by Socitm.
The debate, held on 28 June in Birmingham, as part of Connected Local Government Live 2017 considered the motion ‘This House believes that given the cuts to public services and in particular local government, councils have to focus their resources on delivering frontline services and outcomes rather than invest in better cyber security and IT’
Geoff Connell, chief information officer at Newham Council until last summer and now head of IMT at Norfolk County Council speaking against the motion said: “It’s not one thing or the other. It’s not frontline services or cyber, it’s both.” Adding “It’s all part of the running costs. If you can’t afford to do it properly, you shouldn’t do it all.”
Speaking in favour of the motion Local Government Association programme manager Siobhan Coughlan said that local government has an estimated budget shortfall of £51 billion. “Put simply, since 2010 and austerity, local government has suffered 35-40% budget cuts,” she said.
Coughlan noted that the government has allocated £1.9 billion for national cybersecurity: “We’ve already been told that little or none of that is going to local government.” Meanwhile councils are limited in how much they can increase council tax and the recent Queen’s speech did not include mention of a previously-planned transfer of business rates to councils. Councils, which will have to spend more on tower block fire safety and are already drawing on financial reserves, will have to focus on delivering services.
Coughlan was supported by Socitm associate director Jos Creese, who pointed to the “completely unnecessary” spending on the ‘millennium bug’ in the late 1990s. He added that compared with NHS organisations, “we are better prepared already against incidents,” as the relative lack of damage caused by the WannaCry ransomware demonstrated. Suppliers would try to exploit WannaCry to sell more, but councils should focus on service transformation: “You do not design your car journey based on the security of your airbags,” Creese said.
But Mark Brett, programme director of the National Local Authority Warp, responded that some local authorities are failing “at a very low level” on security. “By protecting information we are protecting public trust,” he said, supporting Connell against the motion. Although some money spent on cybersecurity is wasted, it cannot be treated as an optional extra to IT projects, Brett added.
Questioned by the audience, both sides called for improvements to public sector IT security. Siobhan Coughlan said that the Bank of England sent fake security risk emails to its own staff, to see who clicked on them so it could target information at those who did not recognise the dangers. “We can replicate that kind of work across the public sector” at a low cost, she argued.
Jos Creese agreed that staff education is a key part of improved cybersecurity, but added that law enforcement should take a stronger role: “Ransomware is terrorism and should be treated as such,” he said. When local government was to blame this was usually down to bad practice such as a failure to update software patches or a lack of basic resilience rather than too little spending, he added.
Geoff Connell said that while spending on security was required, the public sector is working to put pressure on suppliers to do a better job. With the Crown Commercial Service and the National Cyber Security Centre, Socitm and others are working on a list of suppliers who fail to test their software against the latest patches and versions, so they can be pressured to do so.
Asked by the debate’s chair Dylan Roberts, chief digital and information officer at Leeds City Council, whether he would spend extra money on fixing tower blocks or IT security, Connell replied “you’re already spending the money” on IT systems that should produce efficiencies. In future, automation may allow this process to go further – but this will not succeed if the systems are not secure. “Ultimately, we must spend more on cybersecurity,” he said.
Connell and Brett seem to have won the argument as the audience voted against the motion by a large majority.