Este artículo está también disponible en / This post is also available in: Spanish
Many aspects of our daily life, although we are not aware of it, are fully dependent on the proper functioning of the internet. A cyber-attack on a company, or a local public entity, a few years ago would have been almost anecdotal. However, as digitization increases, so does risk exposure and vulnerability to cyber-attacks.
On today’s blog we present a guide prepared by the IDB to help cities in Latin America and the Caribbean (LAC) be prepared for malicious attacks that put the security and development of your municipality. The IDB, as is evident in its “Vision 2025: Reinvest in the Americas“, is committed to innovation and the digitalization of our region as a key element for a sustainable and lasting recovery. For this reason, the security of digital platforms in our cities is a key element in achieving this goal.
Cyber attackers take advantage of any unprotected access
We are increasingly dependent on the proper functioning of information platforms and technologies. Basic public services such as security, water supply, energy, or mobility are also. For this reason, the greater the digitization of our public services, the greater the risk that they will be victims of cyberattacks, which are more sophisticated.
Cyber attackers are there, taking advantage of any unprotected access. Unfortunately, we are often overwhelmed by news of infrastructure hijackings: subway networks (New York, Sacramento), pipelines (USA), hospitals (London), emergency systems (Dallas), security cameras (Washington, District of Columbia), entire administrations sequestered and inoperative for weeks (Baltimore), parliaments (Australia) and a long etcetera. There are hundreds of thousands of daily cyber-attacks.
Why do cybercriminals attack cities?: Vulnerability
It is not easy at all to know the reasons why cybercriminals, cyberspies, cyberterrorists, cyberactivists attack us (political, criminal, economic or business or merely personal), nor to know who they are (private persons, criminal groups, companies, other countries) .
But why do they attack us? Because we are vulnerable. We are vulnerable due to software failures, infrastructures often obsolete, because we are not capable of knowing our vulnerabilities, or because we do not understand the smart city ecosystem.
We are vulnerable because it is not easy to govern and orchestrate the many public and private actors that act in the smart city. And many times, security fails because these many subjects either do not know or do not dare to share the information.
We are also vulnerable because we do not have strategies, plans, risk management or incident management. The human factor is above the technical elements.
Nor should we forget that we are vulnerable because we do not know or hire the specialized professionals that are required. And because we do not raise awareness, nor do we train managers, staff and the citizenry themselves in cybersecurity. This being the case, it is difficult to invest and explain to citizens why spending on cybersecurity is investing in the city.
The IDB Cybersecurity guide helps you prevent a cyberattack in your city
What should I do to protect my municipality from the risks of a cyber-attack?
To answer this question, the IDB has just published a guide whose objective is to provide knowledge and recommendations to help LAC cities protect themselves in cyberspace. With this publication, the IDB not only intends to raise awareness and put this concern at the forefront, but also offers guidelines for any city, large, small, or medium, to achieve maximum cybersecurity.
How to prepare your municipality for possible cyber attacks
The first thing is to identify the assets to be protected and the actors involved. Likewise, it is necessary to self-assess, to know the real state of your city in terms of cybersecurity. To facilitate this self-assessment, the IDB offers you a Cybersecurity Self-Assessment Tool, completely free of charge.
From there, cybersecurity governance is needed that is integrated into smart city management and broader data management. To achieve this, it is necessary to try to know the playing field: the national policies and strategies that exist, the applicable legislation, as well as the internationally recognized cybersecurity standards and choose the most appropriate and possible for the city.
Once we know the playing field, we must appoint a security officer. This figure must have the support of the highest political leadership. In general, it takes a lot of effort to develop coordination and cooperation mechanisms. The strategic level must develop security policies, processes, procedures, and standards for all actors, and establish clear competencies. It must be clear who and what must do.
Municipal cybersecurity: a shared responsibility at all levels
This publication is especially aimed at the leaders of the cities of LAC, their municipal managers, and employees, as well as technical personnel in information and communication technologies.
All of them play an important role in protecting municipalities from malicious attacks. Below, we share the different roles and responsibilities for each of these three levels, without forgetting that all of them must work together with the same objective: to protect your city from cyber-attacks.
Leaders must put cybersecurity on the public policy agenda so they can allocate resources without waiting to be attacked. They must also reinforce actions with regulations, clear competencies and the institutionalization of leadership and bodies that have adequate resources. Leaders are key so that preventive measures are put into practice and do not remain forgotten “in the drawers”.
MUNICIPAL MANAGERS AND EMPLOYEES:
The secretaries and employees at the management level must know the systems and infrastructures that must be protected, to test the norms, policies and procedures by the organization and the private providers.
And the technicians at the operational level must implement protection mechanisms such as identification systems, strong two-factor authentication, and access control; as well as anomaly detection mechanisms and capabilities to respond to incidents. In addition to these recommendations, the guide has grouped the entire cybersecurity technical apparatus, describing the cycle and steps to follow (management, identification, protection, detection, response, recovery, and self-assessment). The publication exposes, for a specialized audience, the technical elements of capabilities-based planning and the roadmap, as well as the main capability maturity models and cybersecurity, equipment, and technology functions.
In short, the vision, strategy and action of city leaders will determine their level of cybersecurity. We trust that the IDB guide will serve to raise awareness about this and be used as a tool to protect your municipality.
If you enjoyed this blog, sign up here to receive our monthly newsletter with all the blogs, news, and events from the IDB’s Housing and Urban Development Division. Likewise, we invite you to visit Gobernarte, the blog of the IDB Division of Innovations to Serve Citizens.
If you are interested in cybersecurity, we recommend you not to miss the following publication: Cybersecurity: Risks, Advances, and the Way Forward in Latin America and the Caribbean
*Authors listed in alphabetical order