Cyber attacks on local authorities: is the worst yet to come?

Since the start of the Covid-19 crisis, and particularly during the containment period, there has been an unprecedented increase in cyberattacks affecting French local authorities (regions, départements, communes, communities of communes, etc.). However, these are often overshadowed by attacks on healthcare establishments, due to their potentially dramatic consequences, as in the case of the attack on the Versailles hospital in Le Chesnay-Rocquencourt (Yvelines) in early December.

Our work on the vulnerability of French local authorities to cyber-attacks culminated in the first (and only to date) management science thesis defended in 2012, and gave rise to several subsequent scientific articles. This work was an opportunity to call for the implementation of a national public policy to support local authorities in securing their information systems (IS), unfortunately without much success.

Although we would have preferred to have been wrong about the developments envisaged, it has to be said that the subject has finally appeared on the media agenda since the Covid crisis, and has remained there ever since. Given France's territorial structure (45,205 local authorities in 2022), local authorities are of paramount importance, both in terms of their direct proximity to citizens and the services they provide. This is probably why more and more hacker groups are targeting them.

For the time being, cyber-attacks are mainly based on ransomware (malicious software that spreads inside an information system and encrypts all accessible data), with an exclusively pecuniary objective: the demand for a ransom, the payment of which is a precondition for sending (or not) a decryption code. This type of offensive proves to be extremely effective in the case of non-redundant backups.

Triple digital challenge

While we hope and pray for a genuine awareness of the challenges posed by poor IS security, we feel it is imperative to draw attention to other types of attack on local authority data, which we believe are all the more dangerous in that they are potentially cumulative.

By focusing too much on ransomware affecting their servers, we tend to forget that local authorities are intrinsically located at the intersection of three worlds (political, economic and societal), and that they face three major digital challenges on a daily basis: e-government, e-democracy and the dematerialization of calls for tender.

[Nearly 80,000 readers trust The Conversation newsletter to help them better understand the world's major issues. Subscribe today]

E-government has become a strategic tool for public service, going far beyond the provision of new means of communication to citizens. This state of affairs became even more evident during the Covid-19 containment period: it's easy to imagine the political and social impact that cyberattacks would have had, depriving citizens of a means of interaction that had become all the more essential as they found themselves unable to travel to carry out the slightest administrative procedure. The related IS must therefore be secured to ensure continuity of public service in the event of a major crisis.

The same problem applies to e-democracy. We recently highlighted the existence of a typology of interactions between local authorities and their constituents, depending on the digital medium used: strong interaction (direct exchanges between citizens and local authorities), moderate interaction (online surveys or dialogue on social networks) or weak interaction (occasional feedback from constituents).

The degree of severity of a cyber attack affecting e-democracy IS will therefore be directly correlated to the digital vector: potential loss or theft of personal information in the first two hypotheses, and loss of trust in all cases. Here again, the question arises as to the impact of such attacks on tools that have been put in place precisely to encourage greater participation in public life by citizens who are increasingly distrustful of democratic institutions.

Added to this is the possibility that IS dedicated to public tenders could also be targeted. Whether in terms of operations or investment, local authorities, like the vast majority of organizations, are obliged to call on external service providers.

The dematerialization of these procedures was undertaken precisely to ensure greater fluidity in the management of calls for tender, as well as to simplify procedures to enable small and medium-sized enterprises (SMEs) to respond to them with a reasonable chance of success. A digital offensive aimed at exchanges between bidders and the public sector would also have far-reaching consequences, not only in economic terms but also in terms of intrinsic credibility.

Defense players

In view of all the above-mentioned challenges, it is to be hoped that the section of the government's "France Relance" plan dedicated to the digital financing of local authorities will make it possible to significantly improve the security of local information systems. However, budgetary opportunity isn't everything, especially when potentially fundable projects are inevitably in competition with one another, and when the financial support available from the state is limited by nature.

However, it's important to bear in mind that when it comes to securing information systems, as we pointed out in our first book on the subject, published back in 2014, one of the essential conditions for success - if not the main one - is a strong political will, in the sense that the impetus must come directly from local authorities.

Our experience as academics specializing in this field, and as former elected representatives of a city of over 100,000 inhabitants, leads us to recommend the definition of a genuine public policy to support local authorities in securing their information systems. All the more so as, in the light of tactical lessons learned from the Ukrainian conflict, we are rediscovering the need to reinforce the operational defense of French territory, in which local authorities remain essential stakeholders.

Rémy Février, Maître de Conférences HDR en Sciences de Gestion - Security and Defense Research Team, Conservatoire national des arts et métiers (CNAM)

This article is republished from The Conversation under Creative Commons license. Read the original article.