To secure small municipalities, should the CISOs be pooled?

Ransomware attacks have highlighted the vulnerability of French municipalities to computer attacks over the past year. While the attacks targeting large metropolises like Marseille have caused a lot of talk, smaller municipalities have not escaped ransomware either: Mitry-Mory, Antony, Morière-lès-Avignon, the list of victims is long and far from exhaustive.

The Anssi initiative

The situation did not escape Anssi and the government, which began at the beginning of the year to draw on the funds allocated to the agency under the recovery plan to finance security support for local authorities and healthcare establishments, two sectors particularly affected by ransomware attacks. “We have implemented various measures,” explained Gwenaëlle Martinet, head of the France Relance project at Anssi, during the press conference devoted to the agency’s 2020 activity report. “First of all, the establishment of a ‘security path’ aimed at understanding the level of maturity of the beneficiaries, or even setting up first-level actions for the most advanced players.” These are security audits financed by Anssi and entrusted to private actors, in order to better understand the state of security of the local authorities concerned. “We currently have 230 beneficiaries who take advantage of one of these paths and who work with a service provider,” explains Gwenaëlle Martinet.

The second part of the plan is aimed at local authorities that are more mature in terms of security and that wish to benefit from Anssi aid to co-finance a security project, taking the form of a purchase of hardware or software by the authority. The main lines of this plan had already been presented in a letter sent to local authorities at the start of the year.

Aim for the right level

There remained an unanswered question: that of the smallest local authorities, the many small municipalities that do not always have the means to afford equipment or tools dedicated to security, but which nevertheless remain targets of these attacks. And Anssi does not have the means to finance security audits for all the municipalities in France, even with the resources allocated under the recovery plan.

Asked about this, Gwenaëlle Martinet explains the agency’s logic in this area: “There is no population threshold strictly speaking to access these cybersecurity paths, but there is a criterion of technical maturity. The municipality must have an IT department or a CISO, who can be our contact for this path. He is the one who will be able to understand what we are doing and make it last over time once the path is completed.” But, with 36,000 municipalities in the country, it is hard to imagine town halls of 3,000 inhabitants having a CISO when some already have great difficulty ensuring their daily functioning. The Anssi project manager mentions one avenue: pooling CISOs for the smallest municipalities.

Pooling IT resources is not a completely new idea. This is notably the purpose of the various associations and federated structures within the Déclic network, with which Anssi entered into a partnership in 2020. While the approach already exists for many IT-related functions, applying it to security is fairly new, as Emmanuel Vivé, president of the Déclic network and CEO of Adico, explains: “We have been offering shared CISO services within our structures for some time, inspired by the model of shared DPOs that were created when the GDPR came into force. We are extending that logic and trying to convince the other organizations of the Déclic network to do the same.” For the moment, a handful of structures have set up this type of service, entirely financed by the member municipalities. “It is always a question of finding the right financial balance to offer this type of service, and above all of convincing the municipalities that they have an interest in financing it,” he explains.

“We come across 12-year-old servers”

The idea is new, but it is gaining ground, and the first shared CISOs are already working with municipalities. The task is mainly focused on carrying out RGS audits with the municipalities concerned. “You have to understand that we are starting from afar with these organizations. We sometimes come across servers that have been there for 12 years without being updated. Computer security is not a priority for the mayors of small towns, so the work is above all to raise their awareness and review the basics in this area. The RGS framework is well suited to these scenarios; it is not too technical and allows the subject to be tackled in a concrete way,” explains the head of the Déclic network. The actions of a CISO of this kind mainly focus on awareness raising and auditing the municipalities. This does not prevent them from intervening directly when a crisis situation arises, but that remains an exception.

The fact remains that while the idea is beginning to take shape, it remains difficult to implement. For example, it is difficult to recruit experienced profiles, especially when the resources of the municipalities and pooling structures are well below market prices. “In most cases, we prefer to train people in-house,” says Emmanuel Vivé. This does not mean the task will be simple either: because of the principle of free administration of local authorities, each IT system is different and has its own specificities, an additional complexity for a CISO who will have to audit and advise several dozen municipalities a year. And finally, elected officials must be convinced of the value of the process, which is not always considered a priority.
