• Case

  • Innovation

[Feature] Local authorities facing cybersecurity issues: what levers for action?

Published on 23 June 2022
Update on 26 September 2022
Download in PDF

Summary

Références :

Foreword

"Local authorities of all sizes have become targets of cyber-malicious acts in increasing numbers (blocked information systems, interrupted missions to serve their constituents, etc.). A digital security incident can occur at any time and in any community " (CyberMalveillance Platform 2021 Activity Report)

Since 2017, the national system for awareness, prevention and assistance to victims of cyber-malicious acts has been carried by the public interest grouping (GIP) ACYMA. This grouping brings together, in addition to the National Agency for Information Systems Security (ANSSI), the National Agency for Territorial Cohesion (ANCT) and the main ministries, actors from civil society (consumer or victim assistance associations, professional representations such as federations or unions, insurers, operators, software publishers) and representatives of local authorities.

The government, through the France Recovery Plan, has allocated 136 million under the supervision of the French National Agency for Information Systems Security (ANSSI), to increase the cybersecurity of public services and local authorities.

Two schemes are already in place: cybersecurity pathways and the incubation program for regional cyber incident response centers (CSRIT) which is aimed at the regions.

A new system, aimed at the smallest municipalities and communities of municipalities, completes the system: aid to local authorities will be channeled through digital sharing structures, which are the only ones authorized to apply for projects. the call for projects launched on March 24, 2022 by the ANSSI.

Références :

Contents

  • Communities: Ransomware tops the list of assistance searches on the Cybermalveillance platform
  • Unequal preparation of communities for risks
  • An awareness program for elected officials
  • Cybersecurity courses, as part of the Recovery Plan, for communities
  • Regional cyber incident response centers
  • A new scheme to support the acquisition and deployment of cybersecurity products and services in communities
  • The Senate encourages the pooling of resources on an intermunicipal or departmental scale

    • Références :

Communities: Ransomware tops the list of assistance searches on the Cybermalveillance platform

The platform Cybermalveillance.gouv.fr platform allows victims of cyber-maliciousness to request assistance and to learn about the steps to take. After filling out a questionnaire, the victim is directed to local service providers likely to meet his or her technical needs.

The Cybermalveillance platform recorded 173,000 requests for assistance in 2021 requests for assistance: an increase of 65% (the increase was +155% in 2020, all victims combined). 2% of these requests for assistance came from local authorities.

Références :

For local authorities, ransomware was in first place in 2021 in assistance searches: slightly up from 2020 (+5%). Likewise, phishing has risen considerably for local authorities, from 5th to 2nd place, an increase of +60%.

Online account hacking retains its 3rd place, albeit with +50% growth over the previous year. As for personal data breaches, they rise in 2021 from 9th to 4th place, up +75%.

In 2021, 2,100 local authorities and administrations benefited from online assistance: a volume that is globally stable compared to the previous year, which had been a year of very strong growth. The strong pressure of cyber-malware in local authorities has not weakened for two years now, concludes the platform.

activity report

Unequal preparation of local authorities for risks

6 out of 10 communities say they have implemented cybersecurity measures

At the beginning of 2021, France Urbaine conducted a barometer of digital maturity in metropolises France Urbaine conducted a survey in early 2021 of 12 metropolises, 10 agglomerations and urban communities, and 12 cities with a total population of nearly 18 million.)

According to the survey, "more than 6 out of 10 communities say they have implemented cybersecurity measures."

For its part, the FNCCR conducted a study in 2021 on the

Références :

"In 4 out of 10 local authorities, the subject of IT security is still not being addressed at the highest level and is not part of overall governance. In addition, barely half of local authorities are beginning to have a complete and up-to-date view of digital risks. The BCP (Business Continuity Plan) and DRP (Business Continuity Plan) have been fully implemented in only 3 out of 10 local authorities.

FNCCR: Only 12% of local authorities understand the challenges of cybersecuritycybersecurity issues in smart cities and territories." "

In the face of increasing risks, the authors of the study note

"a level of skills and resources vary significantly depending on the profile of the communities, but remain clearly insufficient. Only 12% of the structures surveyed are aware of concrete legal mechanisms to address cybersecurity issues." Cybersecurity issues are still not systematically integrated into the design of digital development and smart territory projects in the majority of local authorities. Thus, 84% of the communities surveyed do not perceive cybersecurity as a hindrance to the launch of smart projects, or do not have an opinion on the issue." The impacts seen or felt are not always easily quantifiable in terms of costs for communities. The impacts in terms of trust and reputation are thus unquantifiable, but can be very strong for a community." 

To date, awareness of cyber risk among the local authorities surveyed is still uneven. This can be explained by several factors: observe the authors of the study. conducted a survey at the end of 2021 among local authorities of less than 3,500 inhabitants, which represent 91% of municipalities in France, in order to understand the digital uses, identify the risks / threats and understand the needs in this type of structure to provide useful and concrete responses.

  • The appropriation of the cybersecurity theme by the elected officials of local authorities is sometimes incomplete, because the subject is still perceived as purely technical and should only involve certain specialized actors;
  • Cybersecurity issues within a local authority are often dealt with in silos, with a lack of cross-functional vision between business units;
  • The work of acculturation and awareness of the agents of the communities to the risks of cyberattacks does not seem to be a priority in many communities;
  • Larger communities seem to have a better understanding of cybersecurity risk and, in general, small and medium-sized communities underestimate the risks, thinking they are "

The human factor is still too often blamed in local authorities, so it is necessary to work hard at all levels to raise awareness of cybersecurity issues: training, dissemination of best practices, a culture of vigilance on a daily basis, etc. This awareness-raising must be aimed at everyone in order to decompartmentalize the subject of cybersecurity, which is no longer the exclusive concern of technicians but of all those who use digital technology within the local authority. This awareness-raising must be aimed at everyone in order to decompartmentalize the subject of cybersecurity, which no longer exclusively concerns technicians, but all those who use digital technology within the community.

  • Cybersecurity is not integrated in anticipation as a major issue in smart cities and territories projects from the design stage.

Cybersecurity in local authorities of less than 3,500 inhabitantsCybermalveillance.gouv.frinvestigation

Among the major areas that emerged from the study:

  • 77% of the communities have a small computer park (less than 5 computers);
  • 77% outsource their IT management;
  • 65% think the risk is low or non-existent or do not know how to assess it;
  • Sharing passwords or mixing professional and personal uses are regularly practiced digital uses at risk;
  • of the barriers to digital security.

An awareness program for elected officials

Faced with the increase in cyber attacks against local authorities, Cybermalveillance.gouv.fr has created a working group dedicated to this audience, composed of ANSSI, Avicca, Banque des Territoires, CoTer Numérique and Déclic, and launched a awareness program for elected officials.

It consists of three steps:

Threats and essential reflexes for the digital security of communities: Cybermalveillance.gouv.fr answers the questions of two mayors on the main digital threats encountered by communities and their consequences, by providing advice on the first essential actions to adopt in digital security.Vigilance in the face of cyber attacks: The site publishes testimonies from municipalities that have been victims of various forms of cyber attacks, followed by advice to enable communities to better arm themselves and anticipate the risks.Awareness of digital risks: The cybermalveillance platform offers a series of resources for local authorities.

  • Awareness videos on digital risks
  • Three sheets: password management, elected officials/pro/personal use, phishing
  • Materials to summarize the first steps to take in case of a cyber attack
  • a quick self-diagnosis to help elected officials
  • practical guides in cybersecurity

    • Référence :

Cybersecurity courses, as part of the Recovery Plan, for communities

As part of France Relance, the Government has allocated €1.7 billion in investments to the digital transformation of the State and its territories. This plan includes a "cybersecurity component," led by the National Agency for Information Systems Security (ANSSI), which amounts to €136 million over the period 2021-2022."The cyber courses, ANSSI reminds us, are open to voluntary public entities, with an information system of a few dozen machines, a referent for information systems security and a commitment to use at least 5% of their IT budget for their cybersecurity."

The ANSSI has designed the courses so that they can be " industrialized " and entrusted to private service providers, with each entity benefiting from " consistent support and quality services".

Each course includes three phases: a pre-diagnosis of the structure's level of cyber maturity to properly calibrate the interventions, an "initial pack" including a security audit, awareness-raising actions and the design of a security plan. These actions are completed if necessary by a "relay pack" for the installation of additional hardware or software.

As of December 31, 2021, 626 facilities, for more than 990 candidates, had benefited from an e-learning pathway, with more than 54 service providers selected by the agency to lead them in the field.

Référence :

Regional cyber incident response centers

ANSSI is supporting seven regions in the implementation of a regional cyber incident response center. regional cyber incident response center.

These CISRTs (Computer Security Incident Response Teams) will be responsible for raising awareness and training local players in good cyber practices. They will then help to report cyber incidents. Their experts will help the victims to qualify the incidents in order to put them in touch with the most appropriate structures to assist them in their resolution.

"Relying on the economic and social development competence devolved to the regions, ANSSI is providing financial support via a grant of up to one million euros to each volunteer region and methodological support in the form of a four-month training program. This incubation will enable the regional CSIRTs to become rapidly operational in order to respond in a relevant and efficient manner to the needs identified, while fully integrating into the territorial and national ecosystem. Eventually, the objective is to network the regional CSIRTs within InterCERT France - the French network of CSIRTs - in order to create a cooperation and sharing group dedicated to their territorial challenges.

Références :

A new scheme to support the acquisition and deployment of cybersecurity products and services in communities

As part of the cybersecurity component of France Relance, ANSSI has launched a new device to support the acquisition and deployment of cybersecurity products and services in local authorities. This deployment will take place through the territorial structures in charge of the digital management of local authorities: digital service operators, mixed syndicates or management centers will therefore carry out projects for their members.

Beyond the cybersecurity course, this new mechanism is intended primarily to help the smallest municipalities and communities of municipalities.

Its goal: to support the acquisition, by the structures in charge of the digital transformation of the communities, of products and mutualized services for their members. These products and services must reinforce the level of cybersecurity of the beneficiary structures in a simple way and in adequacy with their immediate cybersecurity needs.

The system is accessible to sharing structures in charge of supporting the digital transformation of local authorities. Only public structures, associations or public interest groups can be subsidized.

Référence :

The Senate encourages the pooling of resources on an intermunicipal or departmental scale

The Senate's delegation for local authorities published on December 9 its report on a roundtable discussion on the challenge of cybersecurity. The report delegation's report highlights the extent of the cyber risk for all territorial organizations, as indicated by a map produced by the Cybermalveillance platform.

Location of assistance requests (Source: Senate 2022, Acyma, 2021)

Despite awareness campaigns, the awareness of elected officials is "uneven and insufficient" , observe the rapporteurs. " Due to a lack of time, but also of skills and qualified human resources, small municipalities are sometimes content to install an anti-virus system on an ad hoc basis, whereas cybersecurity must be constantly updated.

Noting that only large communities benefit from support from the ANSSI, the Senate Delegation recommends the pooling of resources on an inter-municipal or departmental scale. " In this context, pooling resources as close as possible to the local authorities concerned is a wise choice for pooling efforts, confronting shortages of qualified professionals and thus setting up collective protection. However, she points out " the psychological obstacles" that this pooling could encounter.

The Senate delegation concludes with a series of recommendations

  • " Raise awareness of cybersecurity issues among elected municipal and inter-municipal officials and their departments.
  • Applying the principle of subsidiarity to digital security policyTwo criteria must be taken into account when assessing the appropriate level of intervention: financial sustainability and the technical expertise required. This principle would allow small communities, identified as "weak links", to benefit from enhanced digital protection through pooling. The scale of relevance must be assessed in concrete terms according to territorial realities. It can be either an inter-municipal or departmental level. However, this recommendation presupposes that the psychological brakes related to the sensitivity of the data of the communes and the correlative fear of transferring them are removed.
  • Put in place plans or procedures for business continuity and recovery in the event of a digital crisis: Emergency measures to be taken, service providers to be contacted, notification to public authorities such as CNIL and ANSSI...).
  • Revaluate the functions of the CISO (Information Systems Security Manager) in local authorities of a certain size. The aim is to make this position a true "digital security director" whose functions should not be perceived as solely technical. The strategic nature of this function must be reflected in the remuneration offered as well as in the organization chart of the services (attachment to the General Management for example).

    • Références :

Sources

[Feature] Local authorities facing cybersecurity issues: what levers for action?

Références :

Foreword

"Local authorities of all sizes have become targets of cyber-malicious acts in increasing numbers (blocked information systems, interrupted missions to serve their constituents, etc.). A digital security incident can occur at any time and in any community " (CyberMalveillance Platform 2021 Activity Report)

Since 2017, the national system for awareness, prevention and assistance to victims of cyber-malicious acts has been carried by the public interest grouping (GIP) ACYMA. This grouping brings together, in addition to the National Agency for Information Systems Security (ANSSI), the National Agency for Territorial Cohesion (ANCT) and the main ministries, actors from civil society (consumer or victim assistance associations, professional representations such as federations or unions, insurers, operators, software publishers) and representatives of local authorities.

The government, through the France Recovery Plan, has allocated 136 million under the supervision of the French National Agency for Information Systems Security (ANSSI), to increase the cybersecurity of public services and local authorities.

Two schemes are already in place: cybersecurity pathways and the incubation program for regional cyber incident response centers (CSRIT) which is aimed at the regions.

A new system, aimed at the smallest municipalities and communities of municipalities, completes the system: aid to local authorities will be channeled through digital sharing structures, which are the only ones authorized to apply for projects. the call for projects launched on March 24, 2022 by the ANSSI.

Références :

Contents

  • Communities: Ransomware tops the list of assistance searches on the Cybermalveillance platform
  • Unequal preparation of communities for risks
  • An awareness program for elected officials
  • Cybersecurity courses, as part of the Recovery Plan, for communities
  • Regional cyber incident response centers
  • A new scheme to support the acquisition and deployment of cybersecurity products and services in communities
  • The Senate encourages the pooling of resources on an intermunicipal or departmental scale

    • Références :

Communities: Ransomware tops the list of assistance searches on the Cybermalveillance platform

The platform Cybermalveillance.gouv.fr platform allows victims of cyber-maliciousness to request assistance and to learn about the steps to take. After filling out a questionnaire, the victim is directed to local service providers likely to meet his or her technical needs.

The Cybermalveillance platform recorded 173,000 requests for assistance in 2021 requests for assistance: an increase of 65% (the increase was +155% in 2020, all victims combined). 2% of these requests for assistance came from local authorities.

Références :

For local authorities, ransomware was in first place in 2021 in assistance searches: slightly up from 2020 (+5%). Likewise, phishing has risen considerably for local authorities, from 5th to 2nd place, an increase of +60%.

Online account hacking retains its 3rd place, albeit with +50% growth over the previous year. As for personal data breaches, they rise in 2021 from 9th to 4th place, up +75%.

In 2021, 2,100 local authorities and administrations benefited from online assistance: a volume that is globally stable compared to the previous year, which had been a year of very strong growth. The strong pressure of cyber-malware in local authorities has not weakened for two years now, concludes the platform.

activity report

Unequal preparation of local authorities for risks

6 out of 10 communities say they have implemented cybersecurity measures

At the beginning of 2021, France Urbaine conducted a barometer of digital maturity in metropolises France Urbaine conducted a survey in early 2021 of 12 metropolises, 10 agglomerations and urban communities, and 12 cities with a total population of nearly 18 million.)

According to the survey, "more than 6 out of 10 communities say they have implemented cybersecurity measures."

For its part, the FNCCR conducted a study in 2021 on the

Références :

"In 4 out of 10 local authorities, the subject of IT security is still not being addressed at the highest level and is not part of overall governance. In addition, barely half of local authorities are beginning to have a complete and up-to-date view of digital risks. The BCP (Business Continuity Plan) and DRP (Business Continuity Plan) have been fully implemented in only 3 out of 10 local authorities.

FNCCR: Only 12% of local authorities understand the challenges of cybersecuritycybersecurity issues in smart cities and territories." "

In the face of increasing risks, the authors of the study note

"a level of skills and resources vary significantly depending on the profile of the communities, but remain clearly insufficient. Only 12% of the structures surveyed are aware of concrete legal mechanisms to address cybersecurity issues." Cybersecurity issues are still not systematically integrated into the design of digital development and smart territory projects in the majority of local authorities. Thus, 84% of the communities surveyed do not perceive cybersecurity as a hindrance to the launch of smart projects, or do not have an opinion on the issue." The impacts seen or felt are not always easily quantifiable in terms of costs for communities. The impacts in terms of trust and reputation are thus unquantifiable, but can be very strong for a community." 

To date, awareness of cyber risk among the local authorities surveyed is still uneven. This can be explained by several factors: observe the authors of the study. conducted a survey at the end of 2021 among local authorities of less than 3,500 inhabitants, which represent 91% of municipalities in France, in order to understand the digital uses, identify the risks / threats and understand the needs in this type of structure to provide useful and concrete responses.

  • The appropriation of the cybersecurity theme by the elected officials of local authorities is sometimes incomplete, because the subject is still perceived as purely technical and should only involve certain specialized actors;
  • Cybersecurity issues within a local authority are often dealt with in silos, with a lack of cross-functional vision between business units;
  • The work of acculturation and awareness of the agents of the communities to the risks of cyberattacks does not seem to be a priority in many communities;
  • Larger communities seem to have a better understanding of cybersecurity risk and, in general, small and medium-sized communities underestimate the risks, thinking they are "

The human factor is still too often blamed in local authorities, so it is necessary to work hard at all levels to raise awareness of cybersecurity issues: training, dissemination of best practices, a culture of vigilance on a daily basis, etc. This awareness-raising must be aimed at everyone in order to decompartmentalize the subject of cybersecurity, which is no longer the exclusive concern of technicians but of all those who use digital technology within the local authority. This awareness-raising must be aimed at everyone in order to decompartmentalize the subject of cybersecurity, which no longer exclusively concerns technicians, but all those who use digital technology within the community.

  • Cybersecurity is not integrated in anticipation as a major issue in smart cities and territories projects from the design stage.

Cybersecurity in local authorities of less than 3,500 inhabitantsCybermalveillance.gouv.frinvestigation

Among the major areas that emerged from the study:

  • 77% of the communities have a small computer park (less than 5 computers);
  • 77% outsource their IT management;
  • 65% think the risk is low or non-existent or do not know how to assess it;
  • Sharing passwords or mixing professional and personal uses are regularly practiced digital uses at risk;
  • of the barriers to digital security.

An awareness program for elected officials

Faced with the increase in cyber attacks against local authorities, Cybermalveillance.gouv.fr has created a working group dedicated to this audience, composed of ANSSI, Avicca, Banque des Territoires, CoTer Numérique and Déclic, and launched a awareness program for elected officials.

It consists of three steps:

Threats and essential reflexes for the digital security of communities: Cybermalveillance.gouv.fr answers the questions of two mayors on the main digital threats encountered by communities and their consequences, by providing advice on the first essential actions to adopt in digital security.Vigilance in the face of cyber attacks: The site publishes testimonies from municipalities that have been victims of various forms of cyber attacks, followed by advice to enable communities to better arm themselves and anticipate the risks.Awareness of digital risks: The cybermalveillance platform offers a series of resources for local authorities.

  • Awareness videos on digital risks
  • Three sheets: password management, elected officials/pro/personal use, phishing
  • Materials to summarize the first steps to take in case of a cyber attack
  • a quick self-diagnosis to help elected officials
  • practical guides in cybersecurity

    • Référence :

Cybersecurity courses, as part of the Recovery Plan, for communities

As part of France Relance, the Government has allocated €1.7 billion in investments to the digital transformation of the State and its territories. This plan includes a "cybersecurity component," led by the National Agency for Information Systems Security (ANSSI), which amounts to €136 million over the period 2021-2022."The cyber courses, ANSSI reminds us, are open to voluntary public entities, with an information system of a few dozen machines, a referent for information systems security and a commitment to use at least 5% of their IT budget for their cybersecurity."

The ANSSI has designed the courses so that they can be " industrialized " and entrusted to private service providers, with each entity benefiting from " consistent support and quality services".

Each course includes three phases: a pre-diagnosis of the structure's level of cyber maturity to properly calibrate the interventions, an "initial pack" including a security audit, awareness-raising actions and the design of a security plan. These actions are completed if necessary by a "relay pack" for the installation of additional hardware or software.

As of December 31, 2021, 626 facilities, for more than 990 candidates, had benefited from an e-learning pathway, with more than 54 service providers selected by the agency to lead them in the field.

Référence :

Regional cyber incident response centers

ANSSI is supporting seven regions in the implementation of a regional cyber incident response center. regional cyber incident response center.

These CISRTs (Computer Security Incident Response Teams) will be responsible for raising awareness and training local players in good cyber practices. They will then help to report cyber incidents. Their experts will help the victims to qualify the incidents in order to put them in touch with the most appropriate structures to assist them in their resolution.

"Relying on the economic and social development competence devolved to the regions, ANSSI is providing financial support via a grant of up to one million euros to each volunteer region and methodological support in the form of a four-month training program. This incubation will enable the regional CSIRTs to become rapidly operational in order to respond in a relevant and efficient manner to the needs identified, while fully integrating into the territorial and national ecosystem. Eventually, the objective is to network the regional CSIRTs within InterCERT France - the French network of CSIRTs - in order to create a cooperation and sharing group dedicated to their territorial challenges.

Références :

A new scheme to support the acquisition and deployment of cybersecurity products and services in communities

As part of the cybersecurity component of France Relance, ANSSI has launched a new device to support the acquisition and deployment of cybersecurity products and services in local authorities. This deployment will take place through the territorial structures in charge of the digital management of local authorities: digital service operators, mixed syndicates or management centers will therefore carry out projects for their members.

Beyond the cybersecurity course, this new mechanism is intended primarily to help the smallest municipalities and communities of municipalities.

Its goal: to support the acquisition, by the structures in charge of the digital transformation of the communities, of products and mutualized services for their members. These products and services must reinforce the level of cybersecurity of the beneficiary structures in a simple way and in adequacy with their immediate cybersecurity needs.

The system is accessible to sharing structures in charge of supporting the digital transformation of local authorities. Only public structures, associations or public interest groups can be subsidized.

Référence :

The Senate encourages the pooling of resources on an intermunicipal or departmental scale

The Senate's delegation for local authorities published on December 9 its report on a roundtable discussion on the challenge of cybersecurity. The report delegation's report highlights the extent of the cyber risk for all territorial organizations, as indicated by a map produced by the Cybermalveillance platform.

Location of assistance requests (Source: Senate 2022, Acyma, 2021)

Despite awareness campaigns, the awareness of elected officials is "uneven and insufficient" , observe the rapporteurs. " Due to a lack of time, but also of skills and qualified human resources, small municipalities are sometimes content to install an anti-virus system on an ad hoc basis, whereas cybersecurity must be constantly updated.

Noting that only large communities benefit from support from the ANSSI, the Senate Delegation recommends the pooling of resources on an inter-municipal or departmental scale. " In this context, pooling resources as close as possible to the local authorities concerned is a wise choice for pooling efforts, confronting shortages of qualified professionals and thus setting up collective protection. However, she points out " the psychological obstacles" that this pooling could encounter.

The Senate delegation concludes with a series of recommendations

  • " Raise awareness of cybersecurity issues among elected municipal and inter-municipal officials and their departments.
  • Applying the principle of subsidiarity to digital security policyTwo criteria must be taken into account when assessing the appropriate level of intervention: financial sustainability and the technical expertise required. This principle would allow small communities, identified as "weak links", to benefit from enhanced digital protection through pooling. The scale of relevance must be assessed in concrete terms according to territorial realities. It can be either an inter-municipal or departmental level. However, this recommendation presupposes that the psychological brakes related to the sensitivity of the data of the communes and the correlative fear of transferring them are removed.
  • Put in place plans or procedures for business continuity and recovery in the event of a digital crisis: Emergency measures to be taken, service providers to be contacted, notification to public authorities such as CNIL and ANSSI...).
  • Revaluate the functions of the CISO (Information Systems Security Manager) in local authorities of a certain size. The aim is to make this position a true "digital security director" whose functions should not be perceived as solely technical. The strategic nature of this function must be reflected in the remuneration offered as well as in the organization chart of the services (attachment to the General Management for example).

    • Références :

Sources

Labo Société Numérique

Labo République Française Agence nationale de cohésion des territoires
[Feature] Local authorities facing cybersecurity issues: what levers for action?