2025/13 Weekly Update from the EU ISAC for Cities & Regions: Good read – World Economic Forum “Global Cybersecurity Outlook 2025” / Suppliers usually cannot be held accountable for breach damages / Can you filter emails from “<>”? / Deep fakes are a new dimension of social engineering / We need more legal competence
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including the IT systems that support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 25): Ensure that any AI systems used in the administration are appropriately and formally audited by independent third parties.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 25): Forbid the use of AI chat features to avoid inadvertent GDPR infringement you will be held liable for.
- Weekly [TLP:RED] for IT Leaders (Repeat # 25): Patches can trigger incidents with significant time delays. Make sure you have thoroughly mapped services over at least an 18-month time period.
Summary |
Hi everyone, friends from Belgium, Estonia, and Italy joining this Friday morning along with our friends from ENISA.
Topic of the day was of course the US tariff decisions and how this is driving the EU desire to become more independent in many ways. This of course also covers the IT security space, where the dependency on US based global players is huge and remediation a long way off. Most worrying perhaps are the possible challenges to many contracts (i.e., data security) – the established order is being torn up for us as well, and we need to think hard about whether the lowest cost supplier approach we often have in tendering is really what is needed strategically. Cost will always be a key driver though, so who pays for the extra costs of being strategically independent and protecting us from dynamics such as this? EU based solutions are typically more costly and less capable (and often actually have back-channel data exchanges into US networks, e.g., for security monitoring). We also agreed that overall these shifts are probably not a “blip” over a few years – something fundamental is changing.

The above then also had us reflecting on the situation where one member's organisation is buzzing with concerns regarding possible fines for not meeting national cyber legislation. We agreed that in many cases it is actually our IT suppliers that need to be held legally accountable for damages – for that, however, we need to make sure the contractual fine print does not exclude that (well, it usually does, and if dealing with the large global suppliers it is nothing we can challenge).
One colleague then shared how they were suffering from a series of phishing campaigns built around having only “<>” in the FROM field of email messages, and the inability to configure their security filters to identify and block them. It seems such a simple “trick” by the threat actor – directly leveraging a weakness of the security systems – you may wish to check your own systems?
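As an added illustration (not part of the newsletter, and not any member's actual filter configuration), the following Python check shows the kind of rule a mail gateway or quarantine review script could apply: it parses raw messages, flags an empty or bare “<>” From / Return-Path, and still lets genuine bounce reports through, since a null envelope sender is legitimate for delivery status notifications. The sample messages are constructed.

```python
# Added example (not from the newsletter or any member's setup): flag mail whose
# From or Return-Path is empty or a bare "<>", but let genuine delivery reports
# through, since the null envelope sender (MAIL FROM:<>) is legitimate for DSNs.
# Assumes messages are available as raw RFC 5322 text, e.g. a quarantine export.
import email
from email.utils import parseaddr

def sender_is_empty(header_value):
    """True when the header is missing, blank, or carries no addr-spec ("<>")."""
    if header_value is None or not header_value.strip():
        return True
    return parseaddr(header_value)[1] == ""

def is_delivery_report(msg):
    """RFC 6522 DSNs are multipart/report with report-type=delivery-status."""
    report_type = str(msg.get_param("report-type", "") or "")
    return (msg.get_content_type() == "multipart/report"
            and report_type.lower() == "delivery-status")

def classify(raw_message):
    """Return 'allow', 'bounce', or 'quarantine' for one raw message."""
    msg = email.message_from_string(raw_message)
    empty_from = sender_is_empty(msg.get("From"))
    empty_envelope = sender_is_empty(msg.get("Return-Path"))
    if not (empty_from or empty_envelope):
        return "allow"
    if is_delivery_report(msg):
        return "bounce"       # null sender is expected on a real DSN
    return "quarantine"       # empty sender on ordinary mail: hold for review

# Constructed sample messages (not real traffic).
PHISH = ("Return-Path: <>\nFrom: <>\nSubject: Invoice overdue\n"
         "Content-Type: text/plain\n\nPlease open the attached invoice.\n")
BOUNCE = ("Return-Path: <>\nFrom: Mail Delivery System <mailer-daemon@mx.example>\n"
          "Subject: Undelivered Mail Returned to Sender\n"
          'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
          "\n--b1\nContent-Type: message/delivery-status\n\nAction: failed\n--b1--\n")
NORMAL = ("Return-Path: <alice@example.org>\nFrom: Alice <alice@example.org>\n"
          "Subject: Meeting\nContent-Type: text/plain\n\nSee you at 10.\n")

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BOUNCE", BOUNCE), ("NORMAL", NORMAL)):
        print(name, "->", classify(raw))   # quarantine / bounce / allow
```

A production rule would also consult the SMTP envelope (MAIL FROM) directly rather than the Return-Path header alone, and log the hits so the campaign volume becomes visible.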
ENISA then shared some ongoing experiences with raising awareness of the deep fake threat – some amazing work is being done by threat actors, and the first step must be sensitizing colleagues to the fact that this threat exists and has the potential to impact them. We have all gotten used to training around phishing etc.; we need to get to the same awareness level for deep fakes (video, voice, email etc.). Deep fakes are a new dimension of social engineering and, although still only starting up, we need to act now to raise awareness since this will take time.
Finally, we discussed how challenging contract negotiations with suppliers can get, especially if we cannot match the legal expertise they bring to the table. We need deep experience to have a chance, and unfortunately this is typically not available (or too costly). For one member, budget cuts in the administration are driving a re-evaluation of IT service contracts, where it is more than difficult to adjust contract pricing – the same is of course relevant when discussing who is responsible for damages after a security breach. As we shift from being IT “nerds” to supplier managers, respecting the need for new skills becomes critical and worth a discussion with our legal departments – IT (security) is its own world and we need to increase our abilities to work on the fine print.
Cheers,
Oliver
In the News |
- See the World Economic Forum “Global Cybersecurity Outlook 2025” for an excellent orientation on global dynamics https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2025.pdf
- Major Cities of Europe, in collaboration with the City of Issy-les-Moulineaux, is pleased to announce the joint 2025 conference under the theme of “Piloting Disruptive Innovation in Cities and Regions”, which will be hosted at the UGC Congress Centre from October 9 to 10. Integrated into the Greater Paris Metropolis, Issy-les-Moulineaux is one of the most innovative cities in France and has long been recognized as a leader in digital innovation, circular economy, and environmental footprint reduction. The event is co-organized with Issy Media, the public company responsible for communication and innovation in Issy-les-Moulineaux. The conference will be conducted in English and French, with simultaneous translation available. See www.majorcities.eu for more details.
ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
ISAC Baseline (IBAS) Project |
The IBAS project continues; remember that it sits on the Enablor platform, which serves a wider community. Enablor is currently supporting 3931 organisations with 4158 users and 10978 logins last year – a thriving community!
The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves not only against regulatory requirements but also against other local governments around Europe. Benchmarking data from European municipalities are now available in the ISAC Baseline Program, providing participants with insight into how similar organizations perform and comply with legislation. Assessing the organization's security level gives insight into compliance with legislation as well as automated mappings to security frameworks such as ISO 27001-2, CIS 18 and NIST CSF. The Enablor platform can be used within your own organization and is a shortcut to collaborating with similar European organizations. If you are a region, you can also “sponsor” membership for your cities to create regional bench-learning groups. If you are a nation, then you can of course sponsor membership for your regions and cities as well.
Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a massive amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced effort for reporting. If needed, we can also provide administrative support for transferring existing data into the Enablor platform.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/