Published on 22/09/22

David Cowan is Head of ICT at Copeland Borough Council, one of the first local authorities to experience a significant cyber-attack. Here he shares some lessons learned and ways he believes the sector can help protect itself.

On a bank holiday weekend in August 2017, Copeland Borough Council was hit by a zero-day ransomware attack. Despite following ICT protocol by having strong and recommended tools in place, the nature of the never-before-seen virus meant it was able to penetrate the council’s anti-virus capabilities. Within days, most of its files had been encrypted with ransomware leaving the local authority completely offline and with an eventual recovery bill of £2.5m.

David Cowan, Head of ICT at Copeland Borough Council, regularly speaks with other local authorities about the attack. He says other councils often say they can’t afford to invest more resources in cyber security – both in terms of personnel and funds. Another barrier is that unless people have personally experienced a cyber-attack, they can’t imagine that it will happen or what it will entail. “The attacked knocked us completely offline and completely devasted us,” explains Cowan.

Simple considerations such as whether there is a business continuity plan and where it is stored are key. “Most business continuity plans done by local authorities would not survive a major cyber-attack and that is what happened with ours at Copeland. We had a plan that covered cyber, we used to regularly test that plan, in fact we had tested it two weeks before we got hit, but nobody could contemplate the real impact of what happens when all IT systems are taken away from you,” he says. “The plan itself, where is it? If it is on your network and you suffer a major cyber-attack it would be destroyed. You need a printed hard copy somewhere and other key documents available for the people who need them.”

Also vital, says Cowan, is ensuring you have trained and trusted personnel in charge of cyber security who can act without seeking permission. “There is no time in a cyber incident to go up the chain of command looking for permission to turn systems off. Every second I delay means more damage,” he explains, “It is not just very stressful it is a very fast-moving environment where you must be assertive, you have to know what you are doing and make the right decisions in a split second.”

Giving this control to the cyber professionals can be a challenge for senior leaders, he notes. “It is hard for some business leaders to get their head around the fact that ICT must turn off key communication systems, key social service systems, key everything. They are going to bounce you all the way back to pen and paper very quickly by removing some cables and flicking some switches. While turning off systems could potentially cause harm to individuals when not available, they must be turned off because there is a very hard choice of either turning them off in a controlled fashion to bring them back up faster, or if the attacker takes them off in an uncontrolled fashion you will be offline a lot longer. One way or another they are coming down.”

Cowan believes the time has come for ICT and cyber security professionals in local government to be regulated through a professional certification. In a similar way, he would like to see greater regulation around annual IT health checks. With the Public Services Network (PSN) third-party checks set to be retired, he fears annual IT health checks will no longer happen due to time and resource scarcity. While there are other schemes that will alert a council to vulnerabilities, such as Cyber Essentials Plus, ISO 27001 or an annual IT health check, Cowan stresses that they must be done to do the job: “Unless there is some kind of compulsion local authorities will not do it because they will say they have too little resources and the need to spend elsewhere.”

Cowan is an advocate of the AppGuard tool, which Copeland has procured on 320 laptop endpoints and is in the process of putting onto servers. Since its 2017 attack, Copeland further strengthened its defences, but was still being breached every few months when an attack would get past its users, although on every occasion was protected by multi-factor authentication. “We came close to the user giving them that as well,” he notes, “As much as we hear that the users are the last line of defence, and we educate them, they are just human beings who are horrified when shown they were duped.”

Having seen a demonstration of AppGuard, Cowan was assured by the technology: “I was convinced there and then that AppGuard does what it says and, more importantly, is the ultimate last line of defence. We still use everything else, we have various layers in front, and we still educate our users, but if all that fails I am convinced AppGuard would stop an attack.”

Also useful has been the managed Security Operations Center (SOC): “A lot of people look for what is called a managed SOC, a third-party organisation which is monitoring your logs for nasty things. The problem is that most of the time when those services detect something nasty, they notify you so you can fix it. That might sound great but when you don’t have the resources it is not a lot of use for someone to tell you that there is a problem on the network. What I have with AppGuard is a 24-7 managed SOC,” he adds.

It is clear cyber needs to be a priority and learning from others and sharing information is vital: “There is a real issue around prioritising sufficient spend around cyber. What happens is everyone assumes they are safe until they get attacked, consequently cyber protection tends to get under resourced and under prioritised before an attack succeeds,” he says. However, he stresses being cyber secure isn’t a choice, and while protecting the already stretched finances around services such as adult and children’s social care is important, if a cyber-attack took the related systems offline there would be no service to deliver. Urging local authorities to consider this question: “How would you cope looking after vulnerable children and adults with no system for months on end?” is the provoking thought Cowan concludes with.