Resilience and crisis management
Dealing with cyberattacks in municipalities.
Cyberattacks pose a growing threat to local authorities. The effects of such attacks can be devastating and significantly impair the functionality of the administration. This article examines the various aspects of IT crisis management in local authorities, from the technical impact and crisis prevention to crisis response and preparation. The aim is to create an understanding of the need for resilience in public administration and to highlight practical approaches to managing cyber crises.
1. Effects of cyberattacks
Cyberattacks can massively disrupt a municipality’s technical infrastructure. If specialist procedures, cash register systems or file searches fail, the administration faces considerable challenges. Without time recording systems, employees’ working hours are not recorded, and digital access systems may deny entry to certain rooms. Communication also suffers: telephone systems, email services, websites and social media channels can be affected, making internal and external communication much more difficult. Attackers are often active in the system for a long time before they are noticed, using multi-stage attacks to penetrate deep into the IT structures. This makes it difficult to determine the time of the compromise and raises the question of which backup can still be trusted. Hiring forensic experts can help, but they often need a lot of time to fully analyze the attack.
In contrast, DDoS attacks rarely lead to such crises, as they are usually temporary and have less far-reaching effects. Nevertheless, they can also limit the availability of services and should not be underestimated. The compromise of infrastructure and data means that confidential information can fall into the hands of unauthorized persons. Indications of an attack include unusual connections to external servers or unexplained expansion of user account privileges.
In the event of suspicion, it is essential to disconnect from higher-level networks such as the state administration network or the federal government networks. In such cases, certificates are often also deleted, as the municipality is no longer considered a trustworthy participant in the network. Returning to these networks is subject to certain conditions.
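The two indicators named above (unusual external connections, unexplained privilege extensions) and the question of which backup predates the compromise can be worked through on a small scale. The following Python script is an added illustration, not material from the article: the log format, hosts, accounts, backup names and the 24-hour safety margin are all constructed assumptions, and the margin stands in for the article's point that the first logged indicator is only an upper bound on when the attackers got in.

```python
"""Triage helper: flag indicator events in constructed log lines and pick the
latest backup that predates the earliest indicator by a safety margin.
Added illustration; every host, account, timestamp and format is constructed."""
import shlex
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample logs in an assumed "TIMESTAMP SOURCE EVENT k=v ..." format.
SAMPLE_LOGS = [
    '2024-03-01T08:15:00 fw conn src=10.1.1.20 dst=203.0.113.10 dport=443 bytes=5120',
    '2024-03-03T02:41:10 fw conn src=10.1.1.20 dst=198.51.100.77 dport=4444 bytes=7340032',
    '2024-03-03T02:50:22 ad group-add user=svc_print group="Domain Admins" by=svc_print',
    '2024-03-04T09:00:00 fw conn src=10.1.1.30 dst=203.0.113.10 dport=443 bytes=2048',
    '2024-03-05T03:10:00 fw conn src=10.1.1.30 dst=198.51.100.77 dport=4444 bytes=15728640',
]

# Constructed allowlist of external destinations the municipality expects
# (update servers, the state network gateway); anything else is "unusual".
KNOWN_EXTERNAL = {"203.0.113.10"}
# Constructed set of privileged groups whose membership changes need a ticket.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Constructed approved (user, group) changes; empty here, so every change is unexplained.
APPROVED_CHANGES = set()

# Constructed backup catalogue: snapshot name -> time it was taken.
BACKUPS = {
    "weekly-2024-02-25": datetime(2024, 2, 25, 23, 0),
    "daily-2024-03-02": datetime(2024, 3, 2, 23, 0),
    "daily-2024-03-04": datetime(2024, 3, 4, 23, 0),
}


def parse_line(line: str) -> Dict:
    """Split one assumed-format log line into a record; shlex keeps quoted values whole."""
    parts = shlex.split(line)
    rec = {"ts": datetime.fromisoformat(parts[0]), "logsrc": parts[1], "event": parts[2]}
    rec.update(f.split("=", 1) for f in parts[3:] if "=" in f)
    return rec


def find_indicators(lines: List[str]) -> List[Dict]:
    """Return events matching the two indicators: unusual external connections
    and privileged group membership changes without an approved change record."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec["event"] == "conn" and rec.get("dst") not in KNOWN_EXTERNAL:
            hits.append({**rec, "indicator": "unusual-external-connection"})
        elif (rec["event"] == "group-add"
              and rec.get("group") in PRIVILEGED_GROUPS
              and (rec.get("user"), rec.get("group")) not in APPROVED_CHANGES):
            hits.append({**rec, "indicator": "unexplained-privilege-extension"})
    return hits


def earliest_compromise(hits: List[Dict]) -> Optional[datetime]:
    """Earliest indicator timestamp: an upper bound on the time of compromise."""
    return min((h["ts"] for h in hits), default=None)


def trustworthy_backup(backups: Dict[str, datetime], compromise_ts: datetime,
                       margin_hours: float = 24) -> Optional[str]:
    """Name of the latest backup taken at least margin_hours before the earliest
    indicator, or None if every backup falls inside the suspect window."""
    cutoff = compromise_ts - timedelta(hours=margin_hours)
    candidates = {name: ts for name, ts in backups.items() if ts <= cutoff}
    if not candidates:
        return None
    return max(candidates, key=candidates.get)


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOGS)
    for h in hits:
        print(h["ts"].isoformat(), h["indicator"], h["logsrc"])
    first = earliest_compromise(hits)
    print("earliest indicator:", first.isoformat() if first else None)
    print("candidate backup:", trustworthy_backup(BACKUPS, first) if first else None)
```

With the constructed data, three events are flagged and the earliest is the connection on 2024-03-03; with the 24-hour margin the daily backup from 2024-03-02 is rejected and the script falls back to the weekly snapshot from 2024-02-25. Without a margin the 2024-03-02 backup would be chosen, which is exactly the decision a forensic analysis has to justify.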
2. The need for resilience in administration
Administrations must be resilient in order to meet the challenges of cyberattacks. This is particularly relevant in stable systems. The vulnerability paradox states: “To the extent that a country is less susceptible to disruption in its supply services, the greater the impact of any disruption.” The more complex and differentiated the organizational structures are, the more reliable supply is assumed to be. If such a system then fails, the shock is all the greater. The pressure to return to normal operation quickly is high, and organizations often try to become operational again within a short time. But reality shows that overcoming such a crisis is a marathon, not a sprint. It can take up to a year for all systems to be restored. This puts an enormous strain on employees; burnout cases are not uncommon, with only around half of those affected returning.
3. Crisis prevention: preparing for an emergency
How can employees in local authorities prepare well for a possible cyberattack? Crisis prevention plays a crucial role here.
Technical prevention measures are essential, but should be realistic and feasible within a municipality’s means. This includes regularly updating systems, installing security software and carrying out security checks. However, local authorities often come up against personnel and financial limits here.
Another important aspect is raising employees’ awareness of IT security. An open error culture promotes awareness of potential risks and encourages employees to report unusual incidents. Training and regular information events can increase awareness and strengthen understanding of security processes.
3.1 Avoiding organizational failure
Organizational weaknesses can exacerbate the impact of a cyberattack. IT is often viewed in isolation, with low pay grades and little understanding within the organization for these activities. There is a lack of staff and adequate cover arrangements. A lack of onboarding and offboarding processes means that access and authorizations of employees who have left are not deleted. These “organizational debts” are the result of compromises that were made years ago. When the framework conditions change, these compromises often remain in place, resulting in a loss of speed and flexibility. Unclear goals, mixed roles and imprecise requirements are indicators of such debts. Reducing this organizational debt requires targeted action. A bounty program can encourage employees to actively contribute to improving the organization. They can point out processes that positively or negatively influence the efficiency of the system and thus contribute to optimization.
4. Crisis response: dealing with the crisis
When the crisis occurs, quick and coordinated action is required. The first technical measures include disconnecting the network to prevent the attack from spreading further. This requires clear procedures and responsibilities in order to react quickly and effectively. Communication is another central aspect of crisis response. Alerting channels must be established to inform all relevant people quickly. Fallback communication channels such as alternative telephone numbers or messaging services should be prepared. Dark sites, i.e. ready-made websites for crisis communication, can be used to inform the public. Internal and external communication must be transparent and timely in order to maintain trust.
Certain incidents must be reported to the relevant authorities. These include the CERT (Computer Emergency Response Team) and data protection supervisory authorities. Depending on the severity of the attack, the Federal Office for Information Security (BSI) must also be informed. The provisions of the NIS-2 Directive may also apply here. The police should be involved in order to initiate criminal investigations and secure evidence.
4.1 Emergency operation and recommissioning
Emergency operations must be maintained during the crisis. The municipality should retain its sovereignty and be able to continue providing essential services. The recommissioning of the systems takes place in several steps: from the return to the networks via intermediate infrastructures to the target infrastructure. This often leads to the unprepared and unplanned introduction of new technologies, which poses additional challenges. Access to the federal or state networks may be restricted. Sometimes municipalities are removed from the networks and certificates are deleted. It must be clarified what security precautions need to be taken.
4.2 Capacities and support
Real crises often take longer than expected. It is important to request support in good time, for example through administrative assistance from other local authorities. Temporary outsourcing of specialist procedures can be considered. Data protection aspects as well as geographical proximity must be taken into account in order to facilitate access for employees and citizens. Various factors can make crisis management more difficult. Repeated questions and information tie up resources. Information is not always understood or cannot be followed up. Interventions in processes and new prioritizations, whether seasonal or situational, lead to conflicts. Unclear allocation of roles exacerbates these problems.
5. Crisis preparation: strategies for emergencies
Effective crisis management is only possible if the preparation is right. It is not enough just to know the people responsible; the routines and processes must also be known and practiced. Employees should maintain the specialist procedures and services in a directory and know which technical prerequisites each of them needs and where the corresponding documentation can be found in analog form.
A priority list helps to restore the most important services first in the event of an emergency. Criteria for prioritization can be: protection of life and limb, avoidance of existential damage, liability risks and quick success (“low hanging fruit”). Resilience should be understood as an ongoing process that focuses on adaptability rather than stability. Choice and self-organization promote the resilience of an organization. Emergence, i.e. the spontaneous development of structures in complex systems, plays an important role here.
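A priority list is only usable if it respects the technical prerequisites recorded in the service directory: a specialist procedure cannot be brought up before the directory service it authenticates against. The following Python script is an added illustration and not the article's own material; the services, their dependencies, the 0-3 scores per criterion and the criterion weights are all constructed assumptions. It scores each service by the four criteria named above and then picks, at each step, the highest-scoring service whose prerequisites are already restored.

```python
"""Restoration order: priority criteria combined with technical prerequisites.
Added illustration; services, dependencies, scores and weights are constructed."""
from typing import Dict, List

# Assumed weights for the four criteria named in the article.
WEIGHTS = {"life": 4, "existential": 3, "liability": 2, "quick": 1}

# Constructed service directory: prerequisites plus a 0-3 score per criterion.
SERVICES = {
    "network-core":   {"requires": [],               "life": 1, "existential": 3, "liability": 1, "quick": 3},
    "directory":      {"requires": ["network-core"], "life": 2, "existential": 3, "liability": 1, "quick": 2},
    "telephony":      {"requires": ["network-core"], "life": 3, "existential": 1, "liability": 1, "quick": 2},
    "civil-registry": {"requires": ["directory"],    "life": 2, "existential": 3, "liability": 3, "quick": 1},
    "cash-register":  {"requires": ["directory"],    "life": 0, "existential": 3, "liability": 2, "quick": 1},
    "website":        {"requires": ["network-core"], "life": 0, "existential": 0, "liability": 0, "quick": 3},
}


def priority(name: str, services: Dict[str, Dict] = SERVICES) -> int:
    """Weighted sum of the criterion scores; higher means restore earlier."""
    svc = services[name]
    return sum(WEIGHTS[c] * svc[c] for c in WEIGHTS)


def naive_order(services: Dict[str, Dict] = SERVICES) -> List[str]:
    """Sort purely by priority, ignoring prerequisites (for comparison)."""
    return sorted(services, key=lambda n: (-priority(n, services), n))


def restoration_order(services: Dict[str, Dict] = SERVICES) -> List[str]:
    """Greedy topological order: at each step restore the ready service with the
    highest priority. Raises ValueError on a cycle or an unknown prerequisite,
    which usually means the service directory itself needs fixing."""
    restored, order = set(), []
    remaining = set(services)
    while remaining:
        ready = [n for n in remaining if set(services[n]["requires"]) <= restored]
        if not ready:
            raise ValueError(f"circular or missing prerequisite among: {sorted(remaining)}")
        nxt = max(ready, key=lambda n: (priority(n, services), n))  # name breaks ties
        order.append(nxt)
        restored.add(nxt)
        remaining.remove(nxt)
    return order


if __name__ == "__main__":
    print("by score only :", naive_order())
    print("feasible order:", restoration_order())
```

With the constructed scores, the civil registry has the highest priority but still comes third, because it cannot run before the directory service; sorting by score alone would put it first and the network core fourth, an order that cannot actually be executed.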
5.1 Creating and maintaining emergency plans
Nevertheless, an IT emergency manual is essential. It contains immediate measures, scenario-specific instructions, alerting and escalation plans as well as contact lists for alerting, reporting and communicating with service providers and partners. A crisis team and a staff room should be defined. Business continuity management (BCM) regulates emergency operations and possible bypass solutions. This refers to the temporary provision of administrative services in other IT infrastructures. Plans for restarting, recovering and returning to normal operations must also be recorded. After the crisis, the plans are debriefed and updated.
5.2 Communication plan
A clear communication plan defines who receives what information when and how communication takes place internally and externally. This avoids misunderstandings and ensures transparency. In view of the increasing threat situation, organizations must regularly test and improve their defensive measures and response plans.
5.3 Objectives of crisis exercises
Routines are tested and improved through exercises. The effectiveness of the measures is assessed and gaps and shortcomings are identified. The ability to cooperate and communicate in unforeseen situations is improved. Participants are trained in dealing with cyber incidents and weaknesses in the interaction between organizational units are uncovered.
6. Cooperation and resilience through collaboration
6.1 RESI Framework and BSI Cybersecurity Dialogue
The dialogue between civil society and authorities is essential in order to address the relevance of cyber threats to society as a whole. The BSI’s cybersecurity dialogue promotes exchange and the development of joint strategies. In an interprofessional and interdisciplinary collaboration, a ransomware scenario and existing publications are currently being consolidated: the process with its activities and decisions is written down, and handouts, templates and checklists are linked at the corresponding points. The aim is to react more quickly and effectively in a crisis.
6.2 Cooperative resilience
Cooperative resilience refers to the ability to mitigate the crises of cooperation itself. It is a complex network of collaborating actors and supporting technologies. This includes cross-organizational networking and cooperation, i.e. the exchange of information and best practices, a cooperative infrastructure and the shared use of resources. It includes a common situational picture for a uniform understanding of the current situation and the mutual provision of capacities, i.e. support in the form of personnel and material resources. Experience has shown that administrative assistance or workaround solutions are often uncoordinated. Unclear secondments of personnel or the provision of resources without clear agreements can exacerbate the situation.
6.3 Cooperative resilience network
Municipalities can work together through voluntary agreements. Measures such as sending requests for administrative assistance to neighboring municipalities or sharing expertise and experience help to strengthen resilience. Documentation, wikis and templates support the establishment and return to the networks. Dark sites with input masks and templates enable information to be made available quickly. A resource pool for hardware and software facilitates emergency operations.
7. Resilience as the key to success
The focus must be on resilience so that municipalities remain “in control of the (threat) situation”. Given the large number of points of attack and vulnerabilities, it is likely that cyberattacks will happen. Crisis response and management is only as good as prior crisis preparation. Through targeted prevention measures, clear communication and contingency plans and collaborative approaches, public administrations can strengthen their resilience and act effectively in an emergency.