2025/4 Weekly Update from the EU ISAC for Cities & Regions: License contracts – READ THEM! / Whitelisting can solve problems quickly / e-identity is the “glue” for protection of fragmented landscapes / Open source often contains commercial embedded systems / For your contribution Socitm Public Sector digital trends 2025 research and supporting artwork
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and their collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Union Agency for Cybersecurity (ENISA). See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal, sensitive knowledge shared by peers in personal conversations under the Chatham House Rule. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 16): The Head of IT should be on your leadership team.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 16): Regularly review your application landscape and security concerns with IT – usually IT struggles to maintain a robust overview of the applications and this gets you on the radar screen.
- Weekly [TLP:RED] for IT Leaders (Repeat # 16): Third-party compliance needs (i.e. to banks) include minimum IT standards that can be leveraged for prioritizing cyber investments.
| Summary |
Hi everyone, colleagues from Croatia and Italy joined this Friday morning, and I hope no-one tried to join but was not let in, since I was having significant Internet problems and had to switch to my mobile device as a guest. Beats me what caused this, since my connection is usually fast and reliable – on the other hand, the parallel backup of my other mobile phone to the laptop might not have helped. Which sort of reminds me how, after incidents, many data bridges can become jammed and manual intervention for prioritising traffic is needed -> a good reminder that not only the resolution of a (cyber) incident is critical; restoring performance afterwards can be a really challenging activity as well.
One colleague then shared how a global solutions provider contacted him this week regarding the usage of VirtualBox, where apparently one account had services enabled that needed to be paid for separately. It seems that you can get free accounts with additional services enabled that cost money and can be used without advance payment or subscription? I had a comparable experience this week as well, and the solution was to read the details of the contracts carefully – ever read the terms and conditions of Google, Facebook etc.? The ones you usually just accept by default – you might find them rather surprising! READ THE LICENSE AGREEMENTS AND BE WILLING (AND ABLE) TO DECLINE…
Ah yes, have you ever encountered the situation of an IP not being blacklisted but still being blocked? And then whitelisting it, and it is no longer blocked? Strange things happen in a colleague´s world, it seems, and the learning point was that you can either spend huge amounts of energy figuring out why an IP is being blocked, or “just” whitelist it and move on – but do record the exception and why it was made, so it can be revisited rather than silently becoming a permanent hole. Come on, we have better things to do than try to sort out the mess that many security providers are.
Not sure how we then got to discussing how many services nowadays can only be paid for by credit card, but the administration of one colleague does not provide credit cards (although it could) – employees use their private credit cards and get reimbursed. Not sure who runs the reimbursement process, but it is probably quite a manual effort. In principle this seems ok; however, let us remember that if we are trying to control the spread of IT solutions outside of the IT remit, this does not help, since every reimbursed subscription is a service IT never saw being procured. And as we know, third-party solutions acquired this way are typically poorly secured and their providers are rarely open to making relevant improvements.
One point raised by a colleague related to current efforts by national authorities to survey administrations on whether they provide any NIS2-relevant services, with the offer to support protecting such services if needed. It is always a little dispiriting to be reminded how little we know about what we do, hey ho… One aim of that effort is to identify participants in developing a national NIS2-compliant service offering that other administrations are then asked to move into. Makes sense of course; however, due to the fragmented and diverse nature of the IT landscape of our local/regional administrations, I do wonder whether there are not more effective ways to protect ourselves? Especially since this process will take a very long time and leave a lot of administrations behind. Though, the “glue” of all efforts seems to revolve around e-identity solutions based on national identity cards – this seems to be a very wide movement and therefore definitely worth exploring. Reminds me of credit cards being the “glue” of the travel industry – connecting many different organisations and services -> following this train of thought, it might be well worth accepting the fragmented nature of IT landscapes and focusing on protection of the interfaces between them?
Finally, an interesting point came up around many national projects apparently requiring vendors to develop open-source solutions and make those the property of the national administration. Some clear benefits here; however, I do wonder who is going to review and manage that code? Open source is a concept that appears straightforward initially, but when you begin digging into the details it becomes very complicated – especially in an age where developers continuously draw on other open source without understanding the relevant licensing details. As a side note, it is not unusual for commercial companies to take open-source solutions, tweak them slightly and put hellaciously expensive license agreements in the background. Your “open source” may have core features that are not open source (embedded commercial software) and will lead to significant financial consequences later down the line. If you want open source, then audit what you get carefully – down to the licence of every dependency the delivered code pulls in!

Cheers,
Oliver
Insights from AI
The idea that open-source solutions may contain commercial elements is often overlooked. I asked Copilot “can open-source software contain commercial terms?” The AI responded:
“Yes, open-source software can contain elements with commercial terms. Here’s how:
- Dual Licensing: Some open-source projects use a dual licensing model, where the software is available under an open-source license but also offers a commercial license with additional features or support.
- Open Core Model: This involves providing a core version of the software as open source, while offering additional proprietary features or services for a fee.
- Commercial Support and Services: Companies may offer commercial support, consulting, or customization services for open-source software, even though the software itself is free.
- Embedded Commercial Software: Some open-source projects may include or require commercial software components or dependencies that have their own licensing terms.
These approaches allow developers and companies to monetize their open-source projects while still contributing to the open-source community.”
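The audit advice in the summary (“audit what you get carefully”) and the four monetisation patterns above can be turned into a mechanical first pass over a vendor's dependency inventory. The script below is an added example written for this newsletter, not code from any vendor, project or tool mentioned here. It reads a CycloneDX-style SBOM (a small one is constructed inline; the component names, versions and the LicenseRef-* identifiers are invented) and sorts each component into a bucket: permissive, copyleft, dual-licensed, unknown, or commercial/source-available. The SPDX identifier sets used as policy are an assumption for the example; the real allow and deny lists belong to your procurement and legal people.

```python
"""First-pass licence audit of a CycloneDX-style SBOM (added example, not vendor code)."""
import json
import re

# Policy buckets keyed by SPDX identifier. These sets are an assumption made for
# this example; the real allow/deny lists belong to procurement and legal.
PERMISSIVE = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "EUPL-1.2"}
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only", "LGPL-3.0-only",
            "AGPL-3.0-only", "MPL-2.0"}
# Source is visible but the terms restrict use: not open source in the OSI sense.
SOURCE_AVAILABLE = {"BUSL-1.1", "SSPL-1.0", "Elastic-2.0"}

# Higher number = more attention needed before accepting the deliverable.
RANK = {"ok": 0, "dual": 1, "copyleft": 2, "unknown": 3, "commercial": 4}

# Constructed CycloneDX-style inventory for the example (not a real vendor deliverable).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "web-framework", "version": "4.2", "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "pdf-engine", "version": "2.1",
         "licenses": [{"expression": "AGPL-3.0-only OR LicenseRef-Vendor-Commercial"}]},
        {"name": "db-connector", "version": "7.0",
         "licenses": [{"license": {"id": "LicenseRef-Vendor-EULA"}}]},
        {"name": "search-core", "version": "8.3", "licenses": [{"license": {"id": "SSPL-1.0"}}]},
        {"name": "parser-lib", "version": "1.0",
         "licenses": [{"expression": "GPL-2.0-only WITH Classpath-exception-2.0"}]},
        {"name": "util-strings", "version": "0.9"},  # no licence declared at all
    ],
})


def bucket(lic):
    """Classify one SPDX id; an exception clause after WITH is ignored for bucketing."""
    base = lic.strip("() ").split(" WITH ")[0]
    if base.startswith("LicenseRef-") or base in SOURCE_AVAILABLE:
        return "commercial"
    if base in COPYLEFT:
        return "copyleft"
    if base in PERMISSIVE:
        return "ok"
    return "unknown"


def classify_expression(expr):
    """Reduce an SPDX licence expression to (bucket, note).

    'A OR B' is dual licensing: the recipient may comply under either branch, so the
    severity is that of the most favourable branch, but the choice must be recorded.
    'A AND B' means every term applies, so the least favourable term wins.
    """
    if " OR " in expr:
        options = [o.strip("() ") for o in re.split(r"\s+OR\s+", expr)]
        best = min(options, key=lambda o: RANK[bucket(o)])
        sev = max("dual", bucket(best), key=RANK.get)
        return sev, f"dual-licensed ({' / '.join(options)}); record which option you rely on"
    terms = [t.strip("() ") for t in re.split(r"\s+AND\s+", expr)]
    worst = max(terms, key=lambda t: RANK[bucket(t)])
    return bucket(worst), worst


def classify(component):
    """Return (bucket, message) for one CycloneDX component, worst licence entry wins."""
    name = f"{component.get('name', '?')} {component.get('version', '')}".strip()
    entries = component.get("licenses") or []
    if not entries:
        return "unknown", f"{name}: no licence declared; cannot be accepted as open source until clarified"
    worst = ("ok", "")
    for entry in entries:
        if "expression" in entry:
            sev, note = classify_expression(entry["expression"])
        else:
            lic = entry.get("license", {})
            ident = lic.get("id") or lic.get("name") or ""
            sev, note = (bucket(ident), ident) if ident else ("unknown", "empty licence entry")
        if RANK[sev] >= RANK[worst[0]]:
            worst = (sev, note)
    return worst[0], f"{name}: {worst[1]}"


def audit(sbom_json):
    """Return (bucket, message) findings sorted worst-first; anything above 'ok' needs a human decision."""
    sbom = json.loads(sbom_json)
    findings = [classify(c) for c in sbom.get("components", [])]
    return sorted(findings, key=lambda f: -RANK[f[0]])


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_SBOM):
        print(f"[{sev:<10}] {msg}")
```

Run against the constructed SBOM, the two LicenseRef/SSPL components come out on top, the undeclared one next, and the AGPL-or-commercial dual licence is reported as copyleft with a note to record which branch you rely on. Run it against the real SBOM a vendor hands over (most build tools can emit CycloneDX), and treat every non-“ok” line as a question for the vendor before the code becomes “yours”.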
| In the News |
- Socitm UK https://socitm.net/ (the Society for Innovation, Technology and Modernisation) has launched its annual Public Sector digital trends 2025 research and supporting artwork. The research will cover the UK and Europe, with the collaboration of Major Cities of Europe members, and also countries overseas such as the US, Canada, New Zealand and others, with the collaboration of LOLA https://www.lola-ict.org/ (Linked Organisation of Local Authority ICT Societies). This is a link to the research. As digital transformation continues to reshape our world, local public service leaders are facing unprecedented challenges and opportunities. In response, Socitm’s report and research offers a roadmap to reimagine service delivery with innovation, technology, community and place at its heart. To inspire bold action and proactive strategies, the report poses 10 critical questions every public service leader must address. These questions challenge leaders to step ‘beyond borders’, whether they be cultural, administrative, organisational or structural. We warmly encourage the members of Major Cities of Europe to collaborate on this joint initiative with Socitm and LOLA and respond to the research. You will get a copy once published.
| City ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
| ISAC Baseline (IBAS) Project |
Note that the launch event for participating cities and regions is being planned for late January / early February. This will include basic navigation and data entry to arrive at first individual and comparative results against the benchmark data. See https://isac4cities.eu/public-administration-isac-baseline for more details on this opportunity.
The ISAC benchmark platform offers a unique opportunity for public administrations to benchmark themselves not only against regulatory requirements but also against other local governments around Europe. Benchmarking data from European municipalities is now available in the ISAC Baseline Program, giving participants insight into how similar organisations perform and comply with legislation. Assessing the organisation’s security level gives insight into compliance with legislation as well as automated mappings to security frameworks such as ISO 27001/27002, CIS 18 and the NIST CSF. The enablor platform can be used within your own organisation and is a shortcut to collaborating with similar European organisations. If you are a region, you can also “sponsor” membership for your cities to create regional benchlearning groups. If you are a nation, then you can of course sponsor membership for your regions and cities as well.
Key value proposition? In the many discussions leading up to the launch, we see that the key value of participating is (a) access to a large amount of detailed “real stories” on successful implementations across the NIS2 spectrum, and (b) significantly reduced effort for reporting. If needed, we can also provide administrative support for transferring existing data into the enablor platform.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/