2023/46 Weekly Update from the “City ISAC I4C+” Highlights: [TLP:RED] Guidance – “Citizen Development” is King… / AI Friends are the new Social Engineers / Herd Immunity does not exist in Cyber / NIS Directive not really working / NATO is valued by those not part of it…

[TLP:WHITE]

** For Back Issues see https://isac4cities.eu/blog **

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under the Chatham House Rule. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

  • Weekly [TLP:RED] for Publicly Elected Officials: The best new budgets come from a level higher – create the regional / national initiatives your administration then benefits from.
  • Weekly [TLP:RED] for Essential Services Managers: “Citizen Development” of solutions is the only way to keep control – but design for security from the beginning.
  • Weekly [TLP:RED] for IT Leaders: You need budgets for your own tools – “hide” them in research agreements.
Summary

Hi everyone and hope you are well – four cities and one region joined this morning a little iteratively, so each time someone wanted to join the conference we decided whether we would let them in – carnival season has started in Germany, and you should be smiling now – “wollen wir sie reinlassen?”.

One member coming back from a conference hosted by a large Asian Telco that has been in the news multiple times over the past years regarding state influence, and we reflected on whether they might be a relevant sponsor for our ISAC – divergent opinions as you might imagine! At a local administration level, the goal is often paying as little as possible for a service while staying legal (i.e., following regional / national purchasing guidelines). So just because it is “legal”, do we do it? I have nothing against the company – but different countries have different opinions in this respect – I suspect we do what we can (legally) do to meet local needs. Just because something has the best commercial value for money, does not mean it is the right decision to make?

We then reflected a little on the “why” of the ISAC and the cybersecurity focus, based on a conversation with one city earlier in the week as part of the monthly project DAVID steering meeting. Two points had come up which appeared quite important: (a) cybersecurity efforts only make “sense” if they support the digital strategy of the administration, and that in turn needs to align with the overall strategic roadmap of the administration – this may sound absolutely obvious, but it is something we have only “assumed” to be relevant to date. Maybe the logic train is worth emphasising more – yes, we enable and secure essential services (which should be important enough), but if we calibrate our thinking to talk about enabling and securing the future of the services as part of the strategic roadmap, we might be heard better. And (b) colleagues across our administrations share a fascination for “new gadgets”, so we should perhaps try to raise awareness of these as part of digital strategies – not be the “IT Security” saying “No”, but be the friends educating others on the “new gadgets” and helping colleagues use them responsibly?

The second point above reminded us that in the end we cannot depend on colleagues acting responsibly and that we need to remove many of the “new gadgets” from the organisational IT environments – seriously – no BYOD, no TikTok/ChatGPT etc. on organisational devices. WhatsApp also has no place (GDPR concerns) etc. Sound terrifying? Well, …. Other administrations have done this successfully, so if you would like to discuss with any of them, let us know to learn more.

Somehow the above got us to reflecting that fundamental to security is knowing the details of the solutions we use (aka have outsourced) and in most cases even the suppliers do not know their code (honestly – I think no supplier in the world still has control over their code….). This is not going to change either and we just need to be aware that ANY solution we use will be riddled with vulnerabilities – what does a cyber strategy look like that assumes all assets are already infected? There are no such things as “herd immunity” regarding cyber vulnerabilities.

AI then dominated the rest of the conversation – vendors of course already proclaiming how heavily it is used in their tools (yeah right…. old wine in new skins, of course). The key point here is that as publicly available AI solutions mature over the next years, the sheer volume and quality of phishing attacks is going to explode – the attacks may still be targeting all the widely known and unpatched vulnerabilities. Add to that perhaps the ability of AI solutions to use social engineering approaches AT SCALE, and any organisation with basic vulnerabilities is simply going to be impacted earlier and more often. No reason to raise a white flag of course – David managed to beat Goliath after all.

Finally, we reflected on how AI might be used for social engineering to obtain passwords etc. I volunteered to give it a try with https://girlfriend.myanima.ai/app/auth (they allow for a guest account that does not ask for your email) and see what happens. Remember that social engineering approaches are quite common tactics of threat actors and that perhaps these offerings are only the beginning of using AI to get at personal sensitive information. I set myself up as “Jack”, chose a girlfriend “Jill”, left the personality settings at default and did not choose any goals. It did not take long to get the questions about my pets, hobbies, music, people I admire etc. – ok, no questions about my mother's maiden name though – questions sound familiar? Give it a try and just imagine the value of the information that is being obtained by these AI offerings – they can really be used for gathering the social information needed for a threat actor to launch a focused attack. By the way, Jill hardly shared any personal information, but she was interested in meeting – lucky me 😊 Check out and experiment – some options here https://www.makeuseof.com/online-ai-chat-companions/ – on the other hand any partnership platform online is doing the same – AI avatars rule by now.

Cheers

Oliver

In the News
City ISAC Services (Member Funded)

In 2024, we can deliver a handful of tabletop exercises for interested members. This is a three-hour cyber awareness building event at your location for stakeholders across your organisation. The event is conducted in the “Larissa” format and a recording of such an event can be reviewed HERE. The scenario is based on a volunteer from the audience assuming the role of the mayor: it is 7 am on a beautiful summer Saturday morning, there is a major council meeting on Monday at 10 am (public and press will be there), they are at home and log in to their laptop to prepare their presentation, and after logging in the laptop screen displays a ransomware notice. Step-by-step the scenario is expanded by experienced tabletop facilitators, and more volunteers from the audience are recruited to fill the various roles needed (i.e., Head of IT, Personal Assistants, Lawyers, Chief of Police….). The exercise is suited to a wide variety of roles and results in a greater common awareness of what the cyber threat means and how best to protect ourselves against it. Please contact us as quickly as possible if you are interested – at least two face-to-face events are already in planning for 2024. On Tuesday November 28th we are at a German regional conference of local public administrations, for example.

Project “DAVID” (Member Funded)

Based on the conversations during the monthly review in November, we will be looking at “connecting” the current findings (i.e., essential/critical service prioritisation approach, CIS18 benchmarking, Defence in Depth and Risk Management Framework) more explicitly with the digital strategies and strategic roadmaps of administrations. The key to making this work is the ability to “link” the various plans, and risk management can do this nicely IF it is “objectives based”, i.e., based on threats and opportunities linked to meeting the digital / administrative strategies. There are some proven and pragmatic structures that can be re-used that follow the logic of Department – Objective – Driver – Threat/Opportunity – Treatment – Control. Let us know if you would like to learn more.

Project “MEET” (EU Funded / Beneficiary)

Currently still in the “bowels” of EU financial administration processes, so nothing specific, other than that developing the capability to set up and manage this side of EU-funded projects is a critical enabler for running them later. At first sight therefore no specific “impact”, but significant “capability building”.

Project “VAUBAN”

Discussions ongoing regarding the 2024 format with the options ranging from continuing the Larissa format, building out the Bank Robbery format, moving to a more technical simulation etc. I suspect the answer will be having a series of formats available for different audiences – in the end the whole intent will remain awareness building of course. The unique element of VAUBAN is the preparation of “joint-defence” though. Below the informal draft “agreement” we are experimenting with (previously shared):

“Objective: The Members are resolved to unite their efforts for collective defence of their Citizens. They therefore agree:

Article 1: In order more effectively to achieve the Objective of this Treaty, the Members, separately and jointly, by means of continuous and effective self-help and mutual aid, will maintain, and develop their individual and collective capacity to resist cyber-attack.

Article 2: The Members will consult together whenever, in the opinion of any of them, the cyber security of any of the Members is threatened.

Article 3: The Members agree that a cyber-attack against one or more of them shall be considered an attack against them all and consequently they agree that, if such an attack occurs, each of them, in exercise of the right of individual or collective self-defence, will assist the Member or Members so attacked by taking forthwith, individually and in concert with the other Members, such action as it deems necessary, to restore and maintain the security of the Members.”

As with any such agreements, they are only taken seriously the moment something happens. Yes, we can solve most of our own challenges, but WHAT IF you were a member of a tribe that helped each other?

NATO is only really understood / valued by those not part of it.

Project “Regions4Cyber”

This is an effort our ISAC is supporting and more focused on regions. Very relevant for cities though since cities are more and more needing to move to subscribing to regional (and of course national services). The survey to launch this effort is in the final stages of validation and will shortly be available for piloting – please contact us if you are interested in supporting. Some draft details:

“ECSO’s Mapping of European Regional Authorities Cybersecurity Responsibilities

The European Cybersecurity Organisation (ECSO) is an NGO that aims to develop the European cybersecurity ecosystem, contribute to European Digital Sovereignty & Strategic Autonomy and strengthen Europe’s cyber-resilience. ECSO has long recognised the importance of cooperating with regional and local authorities and ecosystems to achieve these goals to drive European cybersecurity, operationalising this cooperation through its Regional Approaches Workstream and cooperating with its members on a varied array of events and initiatives. For more information, please visit: https://ecs-org.eu/.

Consequently, ECSO is launching the new Regions Operational in Cybersecurity (ROC) Initiative, which focuses on regions that have operational responsibilities in cybersecurity (such as managing a regional CSIRT, data-centre or its intranet) in cooperation with Regione Toscana, Major Cities of Europe and ISAC4Cities. This initiative aims to:

  • Map the regional cybersecurity landscape in Europe through a survey which aims to determine the different cybersecurity services provided by regions across different sectors, assess them and determine their main needs.
  • Develop a community of regions that are operational in cybersecurity, using specific platforms to support communication and knowledge sharing.
  • Draft a document of best practices for regions with operational cybersecurity responsibilities. This document will work as a roadmap for regions.
  • In-person and virtual interactions between these regions, Member State Perm. Reps. and European legislators to foster communication and interaction between these actors.

Together with its partners, ECSO has devised a short survey to proceed with a first mapping of the services these European regions provide in cybersecurity. For this survey, you will be asked the same set of questions for a predetermined group of cybersecurity services that a regional or local authority can provide. Additionally, you will be asked to identify to which verticals/sectors you provide this service, as per the NIS2 Directive (https://nis2directive.eu/).”


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
