Local Governments Become Unwitting Malware Vectors
- By Lachlan Colquhoun
- June 18, 2023
The bigger a government is, the bigger a target it is for cyberattacks, but at the same time, the bigger its budget for cyber security.
At the lower end of the scale in Australia are 537 local government authorities, which maintain some of the nation’s most critical infrastructure assets and are also at the most risk of cyberattack.
Increasingly, these local government authorities are monitoring their assets with remote sensors and moving into the world of IoT, but at the same time, they have very little in the way of a cybersecurity posture.
These organizations maintain roads, bridges, water services, and waste collection, which are used every day by a population of more than 20 million Australians.
Disrupting these services would play havoc with the economy's smooth functioning, and they present an easy target for increasingly sophisticated “bad actors”.
Call for help
In recognition of this, Linda Scott, the Australian Local Government Association president, has called for more cybersecurity support for the sector after a series of recent attacks.
The ALGA has asked for AUD10 million in funding to assess “local government’s preparedness to deal with cyber-attacks and data breaches.”
The organization is also seeking the appointment of a dedicated chief information security officer to tighten procedures across the sector.
The call came after Isaac Regional Council, which covers an area north of Rockhampton and south of Mackay in Queensland, confirmed it had experienced a security breach in early April.
Isaac chief executive Jeff Stewart-Harris said the council’s IT systems had been shut down to protect against data theft in the wake of the malicious attack, which was identified as ransomware.
“At this stage, we do not have any evidence of large data uploads out of our system; however, this is still being fully investigated, so it can’t be guaranteed,” Stewart-Harris said.
Isaac Council is working with Dell Incident Response and Recovery Services and the Australian Cyber Security Centre to understand the breach and implement security solutions going forward.
Stewart-Harris also called for federal support for the local government sector, saying that without more support, councils were at risk of further data breaches with the potential for community-based data to be compromised.
Other councils known to have experienced breaches include Warrnambool in Victoria, targeted in 2022, and two other Queensland councils, Noosa and Toowoomba.
Limited and vulnerable
Consulting group KPMG dealt with the issue in a December 2022 report, noting that councils are “extremely vulnerable” and had “only limited explicit policies and procedures and controls in place.”
“Local councils are being targeted by ransomware and other phishing cyber threats with the intention of service disruption and stealing valuable information for monetary gain,” the KPMG report said.
At the same time, KPMG noted that local governments hold significant amounts of sensitive and valuable data about their community and staff that must be held securely.
“Greater digitization of local government services, particularly in light of the need to respond rapidly to the COVID-19 pandemic, has further heightened the volume, breadth and sensitivity of public data that local governments hold,” the report said.
It noted several other examples, such as an attack on a Victorian local council in August 2021, which forced the council to disable many online services, including online payments, the ePlanning system and its call center for over two weeks. It was forced to operate under ‘manual processes’ during this time.
Also, a city council in South Australia was hit by a ransomware attack in December 2021, resulting in the encryption of its servers, which consequently caused substantial service disruption.
KPMG noted that few local governments had substantial IT budgets, “which means they have fewer specialized resources to safeguard against sophisticated attacks.”
“All local governments give attention to the development of critical infrastructure assets such as sewage, water, utilities, playgrounds, schools, and community care facilities while attention for privacy and security of sensitive information often has little to no funding, despite underpinning all strategic and operational areas,” the report said.
“Since many basic cyber security controls are not in place, millions of community and staff members’ data will be left exposed if not fully secured.”
Australia has a Security of Critical Infrastructure Act as part of its legislative response to cyber security. The Act is intended to escalate the priority on cybersecurity and provide a framework for managing risk and upping the security obligations of public institutions.
Currently, however, the legislation does not cover the local government sector, an omission that could potentially leave around 70% of public infrastructure assets and related services at significant risk of disruption.
Lachlan Colquhoun is the Australia and New Zealand correspondent for CDOTrends and the NextGenConnectivity editor. He remains fascinated with how businesses reinvent themselves through digital technology to solve existing issues and change their entire business models.