Cyber Attacks and CHECK Testing

“I am writing with a request about cyber security under the Freedom of Information Act 2000.

1. Could you please tell me whether you have had a CHECK test in i) 2016/17, ii) 2017/18 and iii) 2018/19?

CHECK-approved tests have been completed for each year in accordance with PSN compliance.

2. Could you also tell me what cyber security do you have aside from CHECK work including the following i) user education ii) other penetration tests iii) internal security team iv) other.

We confirm that information is held which meets the scope of this request. However, it is considered that the disclosure of this information has the potential to place the Council at increased risk of targeted cybercrime, and is, therefore, exempt from disclosure under Section 31(1) of the Freedom of Information Act 2000 – ‘Law Enforcement’.

3. Could you please tell me how many incidents of cyber-attacks you have recorded since the beginning of 2017?

We neither confirm nor deny that this information is held in accordance with Section 31(3) of the Freedom of Information Act 2000.

We believe that information relating to any successful cyber-attacks which the Council may or may not have experienced is exempt from disclosure under Section 31(3) of the Freedom of Information Act 2000 – ‘Law Enforcement’.  This is because disclosure places the organisation at risk of fraud and crime.  Such systems hold information about individuals and, therefore, the possible chain of events resulting from releasing this information could put individuals, and authorities, at risk of criminal activity.

Confirming or denying whether information is held on cyber-attacks and what remedial measures may or may not have been taken could aid malicious parties by encouraging further attacks. Attacks on IT systems are criminal offences, so to provide information or confirmation of information being held might prejudice the prevention of crime by facilitating the possibility of an offence being carried out. There is a very strong public interest in the effectiveness of law enforcement and the prevention of crime.

Although DCC appreciates that there is a general public interest in openness (because this increases public trust and engagement), this public interest should be weighed against a very strong public interest in safeguarding the security of Council specific systems.  Indeed, it can be held as not in the interests of an individual council to provide information about the number of attacks that may or may not have been made against its IT systems as this could enable individuals to deduce how successful the council is in detecting these attacks and incurring this risk can be deemed not in the public interest.

Section 31 of the Freedom of Information Act 2000 states that there is a very strong public interest in protecting the law enforcement capabilities of public authorities.

4. Of these can you tell me how many incidents were referred to external sources including the police, the National Crime Agency and the National Cyber Security Centre?

We neither confirm nor deny that this information is held in accordance with Section 31(3) of the Freedom of Information Act 2000.  Please refer to our response to question (3) above.

5. And how many of these incidents were handled internally?”

We neither confirm nor deny that this information is held in accordance with Section 31(3) of the Freedom of Information Act 2000.  Please refer to our response to question (3) above.