2024/37 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Showcase your young professionals! / Date Changed – Upcoming webinar: Collaborate, Share and develop your security with ISAC Baseline on Thursday 5 December 2 pm – 3 pm CET / How is your service catalogue doing? / Why are we forced to self-organise cloud migrations? / We are Digital Knights – “You shall not pass”
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities’ and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
| Weekly [TLP:RED] |
Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.
This week’s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including which IT systems support their delivery.
- Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 6): Expect it to take about 7 signatures to get something approved – 5 of those are “followers” – the other 2 are not always obvious. Ask a middle-manager with at least 30 years’ experience in the organisation (“Left-Overs”) to help you find them BEFORE starting.
- Weekly [TLP:RED] for Essential Services Managers (Repeat # 6): Elected officials are not professional managers and some of their decisions cannot be implemented. It is sometimes ok to let them fade away gracefully into forgetfulness.
- Weekly [TLP:RED] for IT Leaders (Repeat # 6): Tenders should never contain requirements that the preferred solution provider does not explicitly call-out in their specifications.
| Summary |
Hi everyone, I hope you are doing well. Colleagues from five cities / regions from Belgium, Bulgaria, Croatia, Ireland and Italy joined on Friday morning, plus our friends from ECSO.
We started off sharing experiences in creating services catalogues as the foundation for creating relevant cyber risk registers and driving the creation / delivery of robust improvement roadmaps aligned with the strategic roadmaps of our administrations. The primary challenge seems to be around determining the services of relevance, and we reminded ourselves that it is usually only the ones we “operate” (versus subscribing to or outsourcing) that we can truly influence.
One colleague then shared how administrations are being pressured to move to national cloud services, while at the same time being asked to ensure that at least x other administrations move at the same time. It seems the task of identifying who would move to a central service is being left to the “self-organisation” of the potential users – a huge collaboration task for which resources are of course stretched thin. In industry it works the other way around: suitable services / users are identified by the centre and the migration is planned / done centrally with a clear turn-off date for legacy services (assuming central control of these, of course). Ah yes, and the resources for doing this are of course not provided – typical centralist attitudes – do “something” but figure out for yourself how to do it…
We then shared recent near-misses and breaches, starting with on-prem data appearing in the cloud of a supplier, CoPilot being installed by default in Power Platform updates with the threat of data being moved to the supplier cloud, authorized users doing unauthorized things (e.g., sensitive data exports) and of course the perennial joiners/movers/leavers headache we all have. Interestingly enough, we often get in our own way by being faster than HR processes: we sometimes disable leavers / suspects before HR has updated its records, so that the daily account scripts may actually re-activate those accounts based on the flags in the HR system. We are continuously reminded that collaboration is the foundation of security – technology can (sometimes) help.
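The scripting side of that near-miss, as an added example that is not from the original post or any member administration (the HR export format, the account attributes and the `disabled_by` marker are all assumptions): a naive daily sync mirrors the HR flag and undoes a security disable, while the hardened sync only re-enables what it disabled itself and flags the conflict for a human.

```python
# Added example, not the ISAC's or any administration's real script: the HR-sync
# race described above. Assumed data model: HR export = {employee id: active
# flag}; directory accounts carry 'enabled' plus a 'disabled_by' attribute.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    uid: str
    enabled: bool
    disabled_by: Optional[str] = None  # "hr-sync", "security" or None

def naive_sync(hr: dict, directory: dict) -> list:
    """Problematic pattern: directory state is forced to match the HR flag,
    so a security disable that precedes the HR update is silently undone."""
    actions = []
    for uid, acct in directory.items():
        active = hr.get(uid, False)
        if active and not acct.enabled:
            acct.enabled, acct.disabled_by = True, None
            actions.append(f"enable {uid}")
        elif not active and acct.enabled:
            acct.enabled, acct.disabled_by = False, "hr-sync"
            actions.append(f"disable {uid}")
    return actions

def safe_sync(hr: dict, directory: dict) -> list:
    """Hardened pattern: the sync only re-enables what the sync itself disabled;
    a security hold is never lifted automatically, only flagged for a human."""
    actions = []
    for uid, acct in directory.items():
        active = hr.get(uid, False)
        if active and not acct.enabled:
            if acct.disabled_by == "security":
                actions.append(f"REVIEW {uid}: HR active but under security hold")
            else:
                acct.enabled, acct.disabled_by = True, None
                actions.append(f"enable {uid}")
        elif not active and acct.enabled:
            acct.enabled, acct.disabled_by = False, "hr-sync"
            actions.append(f"disable {uid}")
    return actions

def sample_state():
    """Constructed sample: u1 disabled by security before HR caught up, u2 a leaver
    HR just deactivated, u3 normal, u4 a rehire disabled earlier by the HR sync."""
    hr = {"u1": True, "u2": False, "u3": True, "u4": True}
    directory = {"u1": Account("u1", False, "security"), "u2": Account("u2", True),
                 "u3": Account("u3", True), "u4": Account("u4", False, "hr-sync")}
    return hr, directory
```

Running `naive_sync` on the sample re-enables u1, the suspect; `safe_sync` leaves u1 disabled and emits a REVIEW action, which is where the HR / security conversation belongs.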
We then discussed a potential webinar with colleagues from ECSO on “managing a cybersecurity team / how to attract good people and how to create a good office culture that focuses on retaining the employees?” It was an engaging discussion and could have gone on for a long period of time – so yes, well worth chasing and asking the exam question of senior colleagues at public administrations: “So why did you not switch to the private sector?” The core of all answers was that the public administration colleagues value serving their community and job security – financial dimensions mainly seem to be critical for younger colleagues and / or those with significant financial needs (e.g., buying / paying for a house etc.). Colleagues working in public administrations are indeed “Digital Knights” protecting their citizens. This thought also inspired this week’s image of Gandalf and the Balrog – “You cannot pass”.

For the webinar we are looking for examples of young cyber professionals in public administrations to tell their story and why they chose to join the administrations – if you have someone like this in your organisation, then let me know and we will provide a chance for them to tell their story.
Cheers,
Oliver
Insights from AI
Creating and sustaining cybersecurity is a challenging task. It is indeed perhaps also a “wicked” problem (see https://en.wikipedia.org/wiki/Wicked_problem). I asked CoPilot “what are wicked problems related to creating and sustaining cybersecurity?” The AI responded as below:
“Great question! Cybersecurity is often considered a “wicked problem” due to its complexity and the lack of definitive solutions. Here are some key wicked problems related to creating and sustaining cybersecurity:
Evolving Threats: Cyber threats are constantly changing, making it difficult to develop long-term solutions. Attackers continuously adapt their methods, requiring cybersecurity measures to evolve as well.
Multiple Stakeholders: Cybersecurity involves various stakeholders, including governments, businesses, and individuals, each with their own interests and priorities. Coordinating efforts among these diverse groups can be challenging.
Attribution Difficulties: Identifying the perpetrators of cyber attacks is often difficult, complicating efforts to hold them accountable and deter future attacks.
Legal and Regulatory Challenges: The legal landscape for cybersecurity is complex and varies across jurisdictions, making it hard to implement consistent and effective policies.
Resource Constraints: Adequate cybersecurity measures require significant resources, which may not be available to all organizations, especially smaller ones.
Interconnected Systems: Modern systems are highly interconnected, meaning a vulnerability in one area can have cascading effects on other parts of the system.
Human Factor: Human error remains a significant vulnerability in cybersecurity, as people can be manipulated or make mistakes that compromise security.
These challenges make cybersecurity a dynamic and ongoing issue that requires continuous adaptation and collaboration.”
| In the News |
- Date Changed: Join our upcoming webinar on Benchlearning, 5 December 2024, 2 pm – 3 pm CET: Learn how ISAC Baseline can help your city enhance its cybersecurity and collaborate in a community of peers across Europe. Register for our webinar on November 5th and see how compliance work with NIS2 requirements is effectively supported by Benchmarking and a Solution Library with shared security practices using the Benchlearning principle. Registration is here: https://events.teams.microsoft.com/event/a826eed1-27ff-4804-ad3f-d1bfe0803de5@ab59e806-3337-45df-8257-2bc61793098b
- Bucharest’s District 5 City Hall hit by ransomware attack https://www.romania-insider.com/bucharest-district-city-hall-ransomware-attack-october-2024
| City ISAC Services (Member Funded) |
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review them and consider reaching out to include them in your activities and budgets.
| Project Cyber Securing Public Administrations “CySec4PA” – DIGITAL-ECCC-2024-DEPLOY-CYBER-07-CYBERSEC-02 |
We are currently beginning to prepare a proposal for DIGITAL-ECCC-2024-DEPLOY-CYBER-07-CYBERSEC-02 “Support for Implementation of EU Legislation on Cybersecurity and National Cybersecurity Strategies (2024)” that will be due for submission on January 21st, 2025.
The focus will probably be supporting NIS2 deployment by raising local / regional NCAF maturity through replicating / localising the ISAC Baseline Cooperation model currently implemented by our friends at I-Trust. If any local / regional public administrations or Local Government Management associations are interested, please contact me – I expect that we will be able to deploy to a maximum of 3 EU member states.
We are currently working on the project abstract and value proposition for LGMAs.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/