Ransomware Incidents

1. In the past three years has your organisation:

A. Had any ransomware incidents? (An incident where an attacker attempted to, or successfully, encrypted a computing device within your organisation with the aim of extorting a payment or action in order to decrypt the device?). If yes, how many?

B. Had any data rendered permanently inaccessible by a ransomware incident (i.e. some data was not able to be restored from back up.)

C. Had any data rendered permanently inaccessible by a systems or equipment failure (i.e. some data was not able to be restored from back up.)

D. Paid a ransom due to a ransomware incident / to obtain a decryption key or tool? If yes was the decryption successful, with all files recovered?

E. Used a free decryption key or tool (e.g. from https://www.nomoreransom.org/)?  If yes was the decryption successful, with all files recovered?

In response to question 1A to 1E, Devon County Council (DCC) can confirm that we hold the information you have requested.  However, we consider this is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000.  This is because the Council considers that this information constitutes valuable intelligence, that could be leveraged by a motivated cyber threat actor to inform a successful attack against our infrastructure.  We feel that releasing this information would therefore increase the chances of DCC becoming the victim of a cyber-attack.

We have considered the public interest in releasing this information and whilst we recognise that there is an overriding public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems.  We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations.  For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure at this time.

F. Had a formal policy on ransomware payment? If yes please provide, or link, to all versions relevant to the 3 year period.

DCC has not possessed a formal policy on ransomware payment in the last three years.

G. Held meetings where policy on paying ransomware was discussed?

DCC has not held meetings where a policy on paying ransomware was discussed.

H. Paid consultancy fees for malware, ransomware, or system intrusion investigation. If yes at what cost in each year?

I. Used existing support contracts for malware, ransomware, or system intrusion investigation?

J. Requested central government support for malware, ransomware, or system intrusion investigation?

K. Paid for data recovery services? If yes at what cost in each year?

L. Used existing contracts for data recovery services?

M. Replaced IT infrastructure such as servers that have been compromised by malware? If yes at what cost in each year?

N. Replaced IT endpoints such as PCs, Laptops, Mobile devices that have been compromised by malware? If yes at what cost in each year?

In response to question 1(H) to 1(N), DCC can confirm that we hold the information you have requested.  However, we consider this is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000. This is because the Council considers that this information constitutes valuable intelligence, that could be leveraged by a motivated cyber threat actor to inform a successful attack against our infrastructure.  We feel that releasing this information would therefore increase the chances of DCC becoming the victim of a cyber-attack.

We have considered the public interest in releasing this information and whilst we recognise that there is an overriding public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems.  We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations.  For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure at this time.

O. Lost data due to portable electronic devices being mislaid, lost or destroyed? If yes how many incidents in each year?

Devon County Council does not hold this information.

2. Does your organisation use a cloud-based office suite system such as Google Workspace (Formerly G Suite) or Microsoft’s Office 365? If yes is this system’s data independently backed up, separately from that platform’s own tools?

DCC uses Office 365.  DCC holds information regarding our back-up arrangements for Office 365. However, we consider this is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000. This is because we consider that releasing this information would reveal information regarding our technical architecture, that would constitute intelligence that could be leveraged by cyber threat actors, to inform a successful cyber-attack against our infrastructure.

We have considered the public interest in releasing this information and whilst we recognise that there is an overriding public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems.  We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations.  For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure at this time.

3. Is an offsite data back-up system in place for the following? (Offsite backup is the replication of the data to a server which is separated geographically from the system’s normal operating location site.)

A. Mobile devices such as phones and tablet computers

B. Desktop and laptop computers

C. Virtual desktops

D. Servers on premise

E. Co-located or hosted servers

F. Cloud hosted servers

G. Virtual machines

H. Data in SaaS applications

I. ERP / finance system

J. We do not use any offsite back-up systems

DCC holds this information.  However, we consider this is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000.  This is because we consider that releasing this information would reveal information regarding our technical architecture, that would constitute intelligence that could be leveraged by cyber threat actors, to inform a successful cyber-attack against our infrastructure.

We have considered the public interest in releasing this information and whilst we recognise that there is an overriding public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems.  We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations.  For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure at this time.

4. Are the services in question 3 backed up by a single system or are multiple systems used?

DCC holds this information. However, we consider this is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000.  This is because we consider that releasing this information would reveal information regarding our technical architecture, that would constitute intelligence that could be leveraged by cyber threat actors, to inform a successful cyber-attack against our infrastructure.

We have considered the public interest in releasing this information and whilst we recognise that there is an overriding public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems.  We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations.  For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure at this time.

5. Do you have a cloud migration strategy? If so is there specific budget allocated to this?

The Council does not have a specific cloud migration strategy.

6. How many Software as a Service (SaaS) applications are in place within your organisation? And how many have been adopted since January 2020?

DCC holds this information. However, we consider this is exempt from disclosure under Section 31(1)(a) of the Freedom of Information Act 2000. This is because we consider that releasing this information would reveal information regarding our technical architecture that would constitute intelligence that could be leveraged by cyber threat actors, to inform a successful cyber-attack against our infrastructure.

We have considered the public interest in releasing this information and whilst we recognise that there is an overriding public interest in openness and transparency, we feel that there is a stronger public interest in the Council maintaining the security and integrity of its IT systems.  We feel that significant weight should be applied to this public interest consideration given the current elevated cyber threat landscape facing public sector organisations.  For these reasons we feel that the balance of public interest weighs in favour of withholding this information from disclosure at this time.