UK local gov: 37 cyber attacks a minute but little mandatory training

Britain's local governments were hit by almost 100 million cyber attacks in the last five years, while one in four councils' systems were successfully breached, according to research. Privacy campaign group Big Brother Watch sent Freedom of Information requests to all the UK's local authorities, asking for details of cyber attacks and …

  1. Anonymous Coward

    Hmm

    I saw this request. Whoever wrote it clearly didn't have a clue what they were asking for.

    1. Lysenko

      Re: Hmm

      If anyone asks me that I just give them the Fail2Ban stats for failed SSH login attempts (one every two seconds or so seems a bit low to me). Trawling through email virus logs, attempted access to PHP admin interfaces over HTTP and all the rest is a complete waste of time because the metrics thus created are meaningless when aggregated.
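As an added example (not part of the comment above, nor of The Register's article), the following shows where a headline number like "37 attacks a minute" comes from when it is built from one server's sshd log: the count is dominated by a single brute-forcing source, so the aggregate says nothing about how many distinct attackers there were. It assumes the standard OpenSSH syslog line format; the log lines, host name and IP addresses are constructed for the example, and the maxretry/findtime values mirror Fail2Ban's documented sshd-jail defaults but are set here as assumptions, not read from any Fail2Ban config.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth.log lines in the standard OpenSSH syslog format
# (not from any real council server). 203.0.113.5 (documentation range)
# stands in for a brute-forcing scanner; 198.51.100.20 is a legitimate user
# who mistypes a password once and then logs in with a key.
SAMPLE_AUTH_LOG = """\
Jan 14 10:00:01 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51422 ssh2
Jan 14 10:00:03 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
Jan 14 10:00:05 web1 sshd[2215]: Failed password for invalid user oracle from 203.0.113.5 port 51441 ssh2
Jan 14 10:00:07 web1 sshd[2217]: Failed password for root from 203.0.113.5 port 51450 ssh2
Jan 14 10:00:09 web1 sshd[2219]: Failed password for root from 203.0.113.5 port 51461 ssh2
Jan 14 10:00:12 web1 sshd[2221]: Failed password for alice from 198.51.100.20 port 40012 ssh2
Jan 14 10:00:15 web1 sshd[2223]: Accepted publickey for alice from 198.51.100.20 port 40013 ssh2
Jan 14 10:01:00 web1 sshd[2230]: Failed password for invalid user pi from 203.0.113.5 port 51502 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, user, source_ip) for every failed SSH password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("ip")))
    return events


def summarise(log_text):
    """Aggregate the way an FoI-style 'attacks per minute' figure would, and also keep the per-source view."""
    events = parse_failed_logins(log_text)
    per_ip = Counter(ip for _, _, ip in events)
    if not events:
        return {"failed": 0, "per_ip": per_ip, "rate_per_minute": 0.0, "top_source_share": 0.0}
    first, last = events[0][0], events[-1][0]
    window = max((last - first).total_seconds(), 1.0)  # avoid division by zero for a single line
    _, top_count = per_ip.most_common(1)[0]
    return {
        "failed": len(events),
        "per_ip": per_ip,
        "rate_per_minute": len(events) / window * 60.0,
        "top_source_share": top_count / len(events),  # fraction of the total that one host produced
    }


def offenders(log_text, maxretry=5, findtime=600):
    """Mimic Fail2Ban's sshd jail (assumed defaults): ban any IP with maxretry failures inside findtime seconds."""
    by_ip = {}
    for ts, _, ip in parse_failed_logins(log_text):
        by_ip.setdefault(ip, []).append(ts)
    banned = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        # sliding window over consecutive failures from the same source
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    s = summarise(SAMPLE_AUTH_LOG)
    print(f"failed logins: {s['failed']}  (~{s['rate_per_minute']:.1f} per minute)")
    print(f"share from the single busiest source: {s['top_source_share']:.0%}")
    print("would be banned by the jail:", offenders(SAMPLE_AUTH_LOG))
```

On the constructed sample the "rate" is about seven failures a minute, but six of the seven come from one scanner, which is exactly why the aggregate count tells you nothing about how many attackers a council actually faced. In a real deployment the same view is available from `fail2ban-client status sshd` and from the jail's own log.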

  2. tiggity Silver badge

    No chance

    Of decent cyber security in many councils when too many jobs are obtained via who someone knows - "a good word put in on their behalf" rather than actual competence - far too often it is jobs for the boys (and girls) with the right connections rather than the best candidate.

    Caveat: I'm sure there are some councils somewhere that are not a cesspit of corruption - just that I have never lived anywhere with a "decent" council.

    1. Anonymous Coward

      Re: No chance

      Look North young man!

      Certainly one Scottish Local Authority that had a cyber role open for some months and it only closed the other week.

      So you might find more jobs soon since we're all on the point of buggering off.

    2. Jim Cosser

      Re: No chance

      Not to mention pay, I have friends contracting to local authorities on a good day rate (let's not get into IR35) but the permanent rates of pay are dire, that seems to apply across the public sector when it comes to InfoSec roles.

      They seem to be around 30% off the average salary.

  3. Anonymous Coward

    WTF ?

    Just what is "an actual breach of a system" - if the FoI request can't be clear in what it's asking then I'll be equally clear in my response :)

  4. Charles 9 Silver badge

    OK, who PAYS for this increased security?

    1. Anonymous Coward

      We all pay for de-creased security

      where would you like to draw the line?

    2. daflibble

      OK, who PAYS for this increased security

      "Charles 9

      OK, who PAYS for this increased security"

      Well nobody and that's generally the problem ; )

    3. Christian Berger Silver badge

      Many pay a lot for the illusion of security

      I mean, just look at all of those snake-oil companies peddling products anywhere from useless to harmful.

      I'm sure that if Microsoft were, for example, to offer a version of Windows cut down to the functionality of Windows 2000, but with all the bugs removed, people would buy it, given the choice.

  5. Alister Silver badge

    Reporting Cyber Crime

    I wonder how many commentards who work in the UK actually know where you are supposed to report a "cyber" crime?

    How many of you have heard of Action Fraud?

    Just interested.

    1. Sir Runcible Spoon Silver badge

      Re: Reporting Cyber Crime

      I certainly hadn't heard of them, and to be honest I should have.

      Having said that, most of the large corporations have their own policies to follow and I would expect those teams who handle that sort of stuff to know - but I wouldn't bet real money on it :)

    2. veti Silver badge

      Re: Reporting Cyber Crime

      I was wondering that. If only there were some central agency where you could report such incidents with confidence that they'd be viewed by competent people, who wouldn't waste your time with stupid follow-up questions or expose your data to more risk...

      A general-purpose police website doesn't really cut it. They'd be sifting through ten thousand emails a day from "Ukrainians" claiming to have installed Cryptolocker on my system - that's the level of cybercrime I see most days, and I guess millions more people are in the same boat. A dedicated helpdesk for IT professionals in government, local government, and quangos doesn't seem too much to ask for.

      Create such a helpdesk, then make it a crime not to inform them of a known breach.

    3. Poketwmon

      Re: Reporting Cyber Crime

      Sadly, the Action Fraud website is a waste of time. It is poorly written and is in no fit state to report Cyber crime. Reported an incident last year and had no contact at all as a result; no wonder people under report these events.

  6. Kaltern
    Big Brother

    Most 'important people' in councils across the country have no clue what cyber attacks really are. These are the people who think a good, up to date copy of Panda on every machine that they remember to put it on is more than enough, and is of course, cheap.

    They likely blame those young whippersnappers with those fancy I-Phone things. Never done a hard day's work in their life, you know...

    1. Sir Runcible Spoon Silver badge

      What's Panda?

      1. Kaltern

        Oh, it's that really good Antivirus thing that says they stop everything bad coming on to computers, so clearly must stop these nefarious cyber-thingys.

        (Panda Antivirus gets generally low marks for missing malware, and being a bloated piece of poo.)

    2. Zippy's Sausage Factory

      I know exactly what you mean.

      I used to work in a council IT department and when I suggested we look at security for one of the web services, was told "who would want to attack us? We're just a local council."

      I was far from amused, and had to spell out for him that the contract he'd signed to this third party specified traffic by the megabyte*, which was coming from his departmental budget, and that anyone who could hack in could cheerfully host a site of a less-than-wholesome nature hidden in plain sight. After all, who would suspect a local council of hosting a porn site**?

      * this was rather a long time ago.

      ** that was recent news at the time. I believe it was reported on The Register.

  7. Sir Runcible Spoon Silver badge
    Mushroom

    In that case..

    If you can't secure the data, then don't fucking collect it.

    1. amanfromMars 1 Silver badge

      Re: In that case..

      If you can't secure the data, then don't fucking collect it. .... Sir Runcible Spoon

      If your exclusive and executive administrations are all SCADA Systems [Supervisory Control and Data Acquisition Systems] one has no choice but to collect in order to remain in charge of command and control/power/energy.

      And it is an Achilles Heel for attacking with data that corrupts/perverts/alters the balance of power in status quo systems.

      1. Sir Runcible Spoon Silver badge

        Re: In that case..

        Yeah, but we're talking about councils here. I'm pretty sure there is a lot of stuff they collect that they don't actually need, apart from to satisfy their data fetish.

        As for SCADA systems, well, that's a fish of a different stripe :)

  8. steelpillow Silver badge
    Unhappy

    Not doing it

    Local councils are so strapped for cash, they are steadily winding down all the things that they are not legally required to do - one has already crashed through the bottom and there are several hot on their heels. Unless the law says that somebody will go to prison for not "doing cyber security", nobody will do it.

  9. colinb

    Down the priorities

    Hate on councils all you like, but the fact is the Tories have relied on people being unable to connect A -> B and reduced Council funding by up to 40%, knowing people will blame the Council for any council tax hikes and service failures. It's slimy, cynical politics, but they are hardwired that way; they can't help themselves.

    In a large number of councils anything not nailed down has been outsourced, including IT (there are some outliers, such as Bristol, that still own huge swathes of city property and have in-house IT).

    Data security is important, but it's not top of a list of basic civilisation needs that includes things like closing unsafe food outlets, special needs transport, waste, housing etc.

    Expecting any in-house expertise in security under those conditions given they will be managed by outfits like Capita or Cap Gemini to the letter of the contract is daft.

  10. Anonymous Coward

    You can't report what you don't monitor ; )

    1. Anonymous Coward

      Or what you don't officially monitor. Plausible deniability is a very important enterprise tool.

  11. Anonymous Coward
    Angel

    National Secure Email system would help prevent Phishing

    Phishing lures will always be the biggest risk, even after quantum encryption and computing are deployed.

    The best way to stop phishing lures would be to have a government run National Secure Email System {NATSEM}. It would be a single set of servers containing an account for everybody in Britain.

    By confining email to a single set of servers, phishing can be monitored, and browsing of and spying on your email by advert bots and staff reduced. Other countries (EU) might see the value of employing their own; then secure exchange between known server sets could be facilitated.

    It would be used for fiscal, legal, business and work-related email, and only sent within the server set, not to other external email servers. Everyone would be known to the server via their own account, increasing the digital communication security required for tax and social security and council rates, gov services and the like.

    People might still keep a google mail account for chat rooms or other less important email if they wanted.

    Shame that Britain sold off its post office, which may have been the best roof under which to house a system like this, as it was already handling snail post.

    A NATSEM system is the way to bring business & email together, as many businesses are pushing customers onto the insecure internet but do not properly adopt it themselves. Business does not like email because of all the junk that comes via it, but would be more interested in email once Britain's NATSEM is established, where junk email could be banned.

    Gov and citizens must wake up - just look at your nation's efforts in cyber security. Can you expect to do good business & government on an internet in a wild world, or do you need to provide some managed sanctuary for people to transact reasonably in peace? Use a {NATSEM}!

    1. Anonymous Coward

      Re: National Secure Email system would help prevent Phishing

      'The best way to stop phishing lures would be to have a government run National Secure Email System {NATSEM}. It would be a single set of servers containing an account for everybody in Britain.'

      Doubleplus ungood idea.

      Putting all business / government / important email in one basket just means that more people will compromise the basket sooner, the data will be exposed forever, the accounts will be compromised and unreliable, and there will be nowhere to hide from cybercriminals and spies.

      Instant identity theft / spoofing, instant stalking, instant blackmail and extortion - as a solution to privacy and security problems, it rates right up with pumping the Hindenburg full of hydrogen as a fire safety measure because it will push out all the oxygen.

      1. Charles 9 Silver badge

        Re: National Secure Email system would help prevent Phishing

        Well, what else CAN you do when people don't want to learn and you lack the provisions to MAKE them learn?

  12. Anonymous Coward

    And the solution is

    Make the people at the top responsible for data / security breaches, and start firing from the top down when a significant one occurs... and if there are politicians you can't fire, fine them, heavily. For every significant breach.

    1. Jack of Shadows Silver badge

      Re: And the solution is

      Not sniping, just completely interested: by whom will you get such a thing into law? Same problem on my side of the pond.

      1. Anonymous Coward

        Re: And the solution is

        @ "Not sniping, just completely interested by whom will you get such into law?"

        It is already in law, see treachery and incompetence

        1. Ropewash

          Re: And the solution is

          >treachery and incompetence<

          I thought those were the two keywords guaranteed to get your resume looked at around .gov

          I think if they started penalizing those they'd have a lot of office space to let.

    2. Anonymous Coward
      Facepalm

      Re: And the solution is

      OK, so let's say you are responsible for data/security breaches: what would you do to stop the breaches? - other than resign your post after a failure, and sigh with relief that you're not the patsy any more.

      A NATSEM would put much in the same place; it could have 2-factor ID and be watched over economically by a team of efficient (one hopes) cyber security staff. Email would not be stored beyond collection on it, and full erasure of email once downloaded by clients would be recommended.

      Providing people and business a better place to communicate electronically saves heaps and provides economic benefit.

      I have not seen any better solution other than making the people at the top responsible, but then not accepting any action they propose.

      well insert Fun Here >><<

      As who would accept a job as sacrificial lamb/scapegoat for an ignorant but generally well-meaning public insistent on launching off the proverbial cliff just to bury their head deeper in the sand?

      That leaves everybody, not just the UK right back where they started, hacked or hacking.

      1. Charles 9 Silver badge

        Re: And the solution is

        IOW, what can you do when the only workable solution is a better human, yet anyone who tries it gets sued into oblivion when someone dies as a result of Darwin?

      2. F0rdPrefect

        Re: And the solution is

        ID+IOT: how well do you think such a system would be implemented, given most other big government IT projects?

        Or even not such big ones, such as RPA.

  13. Alister Silver badge

    "Email would not be stored beyond collection on it and full Erasure of email once downloaded by clients would be recommended."

    This goes against all sorts of rules about data governance and audit trails for government entities.

  14. Anonymous Coward

    It would be like

    All the PayPal notices I get urgently extolling me to log in and check my details, even though I don't have an account.

    Agree with above posts: it simply becomes a honeypot and .gov data sieve at the same time.

    Note: government never admits liability and will enshrine that in law if necessary - regardless of the level of idiocy or predictability.

Biting the hand that feeds IT © 1998–2019