2024/17 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: We need to make cyber VISIBLE / Digital projects in the news are usually limited pilots / Sandpits for pilots are essential / Is AI just hyped-up machine learning? / Taking a test? Use AI and fail / CRR Community Webinar: “From Security to Resilience: A look at digital resilience of local and regional authorities (LRAs) across Europe”, 22nd May 2024, 10:00-11:30 CET / Upcoming webinar of “Accelerating NIS2 Compliance with Benchmarking and AI Support” – New Date Pending

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials: When peers present high-profile projects, ask their senior technical staff for the “true” story, i.e., actual scope, limitations etc.
  • Weekly [TLP:RED] for Essential Services Managers: Only trial software that is installed in your own network.
  • Weekly [TLP:RED] for IT Leaders: Meet the customers of your vendors and listen to their experiences.

Summary

Hi everyone and hope you are well – four cities joining from Belgium, Bulgaria, Estonia and Italy on Friday morning, and we started off by reflecting that IT / security really is something “quiet” in the background if everything goes well. Sort of like electric cars – no sound really to be heard in comparison to a nice V8 muscle car from the past 😊 Making IT / cyber VISIBLE to everyone is definitely important but by default a challenge of course; some things I have seen are signs like “Last Major Cyber Incident 103 days ago” or signs for Threat Status (like Homeland Security for example). Maybe a traffic light symbol at the top of any email application would help as well?

We were then given some insights into an AI-related project at one member and learned about a piloting environment they provide for innovative vendors, although the scope of those is typically quite limited – maybe more “proof of concepts”? In any case, the challenge of scaling out of pilots is an endless nightmare, as we all know.

We also learned about “Test in Tallinn” (https://www.tallinn.ee/en/tallinnovation/testintallinn), which is described as an “Attractive environment for (green) technology providers to test their solutions (focus areas: mobility, energy efficiency, renewable energy) in city environment with an objective to gain experience and transform their products to global success using Tallinn as a testbed.” A nicely presented opportunity for many – let us know if you are interested in setting up something similar yourselves.

We also reflected that some of the most prominent interest in AI is about image recognition and that in most cases it seems existing solutions just have a decision-making algorithm attached and are then called “AI”. The GDPR dimension of this is also not insignificant as we know, and at least one major region appears to be offering a GDPR-compliant platform to its members – maybe a clever idea for local administrations, since it might help reduce potential legal liabilities. This is relevant for any remote camera work, for example drones, dashcams, bodycams, traffic monitoring etc.

In respect to AI, we also agreed that perhaps the biggest challenge is that users expect the answers generated to be correct – a cognitive bias of course, and a really problematic one. One colleague was recently asked to complete an online multiple-choice test – he used Copilot to generate the answers and failed the test miserably.

Another colleague then shared his frustrations at high click-through rates in a recent phishing exercise – a perennial challenge, and let us also remember that it is becoming more and more difficult for users to identify potential phishing messages in any case (AI is not helping here either, as we know). I asked AI to generate an image of this event and it came up with:

Also exciting is that the new ENISA project leader for Public Administrations (which is a new sector under the NIS2 Directive) has reached out to us to explore collaboration moving forward. We have been identified as a key stakeholder in the sector and one question they are exploring is “what are the key cyber challenges for public administrations, what type of information and best practices would be the most useful for them.”

Finally, FYI, remember the risk matrix work we looked at a few weeks ago? (https://isac4cities.eu/2024-15-weekly-update-from-the-mce-sig-city-isac-i4c-highlightsrisk-matrix-emerging-is-dos-ddos-rdos-protection-for-e-services-highest-priority-check-out-microsoft-cop). I had asked ENISA about the background of the severity assessment and received the following response: “So, it seems we don’t have a concrete procedure that we can share for the severity. It is a combination of things that we take into account, such as the numbers of the affected customers, number of days or hours systems not available, or critical systems affected and/or involvement of supervisors or penalties.” For the moment, therefore, we will simply follow ENISA’s assessment – not sure what the alternative might be, since we do not have access to more details than in the circulated reports and we are trying to understand trending.

Cheers

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat on why it is important for public administrations to maintain an inventory of sensitive information. The AI responded as below:

“Maintaining an inventory of sensitive information is crucial for public administrations for several reasons:

1. **Information Security**: It ensures that sensitive information is protected from unauthorized access, disclosure, alteration, and destruction¹. An inventory helps in identifying what information needs to be secured and the level of security required.

2. **Regulatory Compliance**: Public administrations are often required by law to protect certain types of information. An inventory helps in ensuring compliance with these legal requirements².

3. **Risk Management**: By knowing what sensitive information they possess, public administrations can better assess the risks to their information assets and implement appropriate safeguards¹.

4. **Incident Response**: In the event of a security breach, having an up-to-date inventory allows for a quicker and more effective response, minimizing the impact of the breach¹.

5. **Resource Allocation**: An inventory can help public administrations allocate their resources more effectively by focusing security measures on the most critical information assets¹.

6. **Public Trust**: Maintaining the confidentiality, integrity, and availability of sensitive information helps in building and maintaining public trust¹.

Overall, an inventory of sensitive information is a foundational element of a robust information security management system (ISMS) and is essential for the protection of sensitive data within public administrations¹.

Source: Conversation with Bing, 16/05/2024

(1) Information Security Awareness in Public Administrations. https://www.intechopen.com/chapters/59667.

(2) NIST Publishes Final Guidelines for Protecting Sensitive Government …. https://www.nist.gov/news-events/news/2015/06/nist-publishes-final-guidelines-protecting-sensitive-government-information.

(3) Maintain an Inventory of Sensitive Information – CSF Tools. https://csf.tools/reference/critical-security-controls/version-7-1/csc-13/csc-13-1/.”

In the News

City ISAC Services (Member Funded)

We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review them and consider including such services in your activities and budgets.

One key service is about “Creating Intelligence” and relates to “(Joint) Vulnerability Analysis (i.e., Penetration Testing and Dark Web Monitoring): With expert partners, we provide a wide range of vulnerability analysis services. We conduct especially (a) technical penetration testing, (b) remote social engineering hacking, (c) dark web monitoring, and (d) e-mail phishing campaigns.” The unique piece is that sharing results with peers can help prioritise needed actions more robustly and legitimise them more effectively.

Note that the date for our next webinar in collaboration with I-Trust, with the draft title “Accelerating NIS2 Compliance with Benchmarking and AI Support”, will probably move into the first week of June – once confirmed we will let you know. The webinar focuses on helping local and regional public administrations accelerate their journey to NIS2 compliance with the help of generally available AI solutions such as Microsoft Co-Pilot, in combination with expert assessment questions that also allow for benchmarking across local and regional public administrations across the European Union. The webinar will be an open debate building on a presentation of the Enablor benchmarking platform from I-Trust and how it is used in practice by a public administration on its path to NIS2 compliance, a demonstration of how Microsoft Co-Pilot can be used to effectively explore the assessment questions, and an open panel discussion with the presenters and the audience. The webinar will help public administrations master the growing challenge of achieving NIS2 compliance through benchmarking, simple AI and peer-to-peer knowledge sharing.

Project “VAUBAN” – 2024 Multi-ISAC Tabletop

You might remember that our City ISAC is a founding member of the EU Council of ISACs, where we have many EU ISAC members from sectors like health, energy, finance, water etc. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October and we, the City ISAC, may have an opportunity to run a 120-minute tabletop with many ISACs in the room plus a wide range of ENISA representatives. The preliminary discussions have gone well, and we now have a 120-minute time slot in the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to jointly help. Stay tuned!

Note that we are also being invited to run a tabletop at the annual regional IT conference where we did this last year. We are providing some intensive support to them in shaping the overall agenda and reviving the “joint defence” agreement work for local and regional administrations in that area – this sort of dropped off the table due to time constraints, but we will not give up!

Project “Regions4Cyber”

CRR Community Webinar: “From Security to Resilience: A look at digital resilience of local and regional authorities (LRAs) across Europe”, 22nd May 2024, 10:00-11:30 CET.

ECSO, with Tuscany Region, Major Cities of Europe and EU City ISAC I4C+, would like to invite you to the 2nd webinar of its Cyber Resilient Regions (CRR) Community, with the topic: “From Security to Resilience: A look at digital resilience of local and regional authorities (LRAs) across Europe”. The webinar will take place on the 22nd of May, from 10am to 11:30am (CEST).

The webinar will focus on understanding digital resilience, with a look at challenges and opportunities and the involvement of the Committee of the Regions (CoR) and a broad EU audience, to foster discussion from the local/regional, national and European perspectives.

The webinar will consist of a keynote presentation by guest speaker MEP Pehr Granfalk, rapporteur of the Committee of the Regions’ (CDR 2191/2023) EU Cyber Solidarity Act and Digital Resilience paper, followed by a panel discussion moderated by Gianluca Vannuccini, CIO of Tuscany Region.

Programme:

10:00 – 10:05  Welcoming remarks by ECSO
10:05 – 10:20  Keynote presentation by Pehr Granfalk (MEP and member of the CoR), rapporteur to the CoR’s (CDR 2191/2023) EU Cyber Solidarity Act and Digital Resilience paper
10:20 – 10:25  Q&A
10:25 – 11:25  Panel: “From Security to Resilience: A look at digital resilience of local and regional authorities (LRAs) across Europe”, moderated by Gianluca Vannuccini (CIO, Tuscany Region), with the panellists: Pehr Granfalk (Member of the CoR and second Vice-Chair of ECON), Luca Nicoletti (Executive, ACN – Agenzia per la Cybersicurezza Nazionale), Cliff Dean (CIO, North Kesteven District Council, UK), (more panellists to be confirmed)
11:25 – 11:30  Closing remarks by ECSO

You can find the link to register for the webinar here.

The Cyber Resilient Regions Community (CRR) initiative aims to build a European community of Local and Regional Authorities (LRAs) that have a desire to increase their digital resilience. It will engage LRAs’ Chief Information Security Officers (CISOs) and related roles, and IT or security specialists that have cybersecurity responsibilities, in a community that aims to increase LRAs’ cybersecurity resilience. Surveys, events, and chats with experts and peers are among the activities promoted within the CRR initiative.

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send one.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/
