Former bosses at Copeland Borough Council blame a 2017 ransomware attack for the authority’s failure to submit audited accounts for its final four years of business.
As part of local government reform, Copeland was incorporated into the joint Cumberland authority on 1 April 2023.
Auditors from Grant Thornton have now also lambasted Copeland for its response to the ransomware attack – which ex-council bosses say is behind its accounting troubles – highlighting an apparent inability to demonstrate how allocated monies have been spent and for a lack of adequate cyber security measures.
An audit report produced by Grant Thornton and recently presented to councillors highlighted that Copeland had hired non-specialist IT staff to oversee the recovery from 2017’s attack – which also hit a number of other councils and dozens of NHS trusts in England.
“The Council commissioned external contractors to assist with the recovery from the cyber attack,” it found. “However, these contractors were largely general IT staff and not third-party cyber incident recovery specialists. The council then rebuilt its critical IT systems on end-of-life equipment.”
It also found that Copeland did not know what equipment it had or whether it was still supported by the end of the following financial year, adding that it did not understand the risks it faced due to the “weaknesses present in its IT control environment”.
The report concluded that the council’s management “should ensure any future capital directions are adequately tracked, reported and monitored to demonstrate value for money is being secured given the failings with producing supporting evidencing for the £1.8m capital direction used to cover cyber attack costs in 2018 and 2019”.
Ransomware attacks
Copeland Borough Council was hit by a wave of WannaCry ransomware attacks in May 2017 that caused havoc at a number of UK public service providers over a bank holiday weekend.
Following the WannaCry attack, Copeland made a number of applications to borrow millions from capital reserves to pay day-to-day running costs.
A former councillor who also worked at Sellafield echoed some of these comments when he told Computer Weekly last year that he was aware of no consideration having been given to potential cyber security vulnerabilities in relation to Sellafield prior to the attack.
Despite having told the BBC the cyber attack had been contained in 2018, a council source told Computer Weekly that Copeland bosses subsequently admitted they “still don’t know who did it and what [information] was lost” during the 2017 attack.
Copeland and Cumberland’s unique possession of operational data for Europe’s biggest nuclear site, which employs around 11,000 people at its facility along the Cumbrian coast, makes it a particularly vulnerable target for cyber assaults, according to a council source. This data can include the movement of nuclear inventory, waste management, planning information and services provided to Sellafield by contractors.
Sellafield and its regulatory bodies, however, say they have no reason to believe any sensitive information was compromised in the 2017 ransomware attack.
Sea of red
The financial repercussions of the ransomware attack have been far-reaching, according to former council bosses who blame Copeland’s evolving accounts crisis on the 2017 incident.
A “discrepancy” of at least £8m has been identified in Copeland’s books – representing more than half an entire year’s budget at the recently dissolved borough council. The fallout from the incident is understood to have contributed to a shortfall of nearly £30m in the newly established Cumberland authority.
Auditors from Grant Thornton eviscerated council officials for the state of Copeland’s finances in a March meeting, describing them as “a sea of red” and indications of long-term failings.
“In my long career as an auditor in local government, I have never seen a set of accounts as bad as these,” one of the firm’s lead auditors told council figures. “I’ve been doing this job for a long time, and this is one of the worst series of audit reports we’ve come across. All things we might expect to be done reasonably have not happened in Copeland for a long period of time. Copeland was significantly below what was expected.”
The most recent audit report Grant Thornton produced for the council also highlighted a lack of accountability within the council over costs stemming from the cyber attack and subsequent response. The report noted staff turnover and poor record-keeping as reasons for this.
It found “management were unable to fully explain the make-up of the cyber related costs and lost income to support the capitalisation directive of October 2018 due to records being unavailable and staff transition brought about by the passage of time. It is therefore not possible to conclude that the expenditure incurred delivered value for money to the residents of Copeland during 2018/19.”
Cumberland now faces statutory recommendations – a measure described as “incredibly rare” by the auditors – if it does not submit the four years’ worth of outstanding Copeland accounts by 30 September 2024.
IT health check
Important questions remain over the adequacy of the Cumbrian local authority’s cyber defence systems and overall IT governance.
The UK’s chief nuclear inspector called for “consistent strong leadership” on cyber security in the nuclear industry at the Office of Nuclear Regulation’s annual conference in October.
However, a series of reports from Computer Weekly, Private Eye and The Guardian have raised questions around the vulnerabilities of Sellafield’s cyber security regime and practices by employees both on- and off-site. A council source recently described Copeland and Cumberland as an “Achilles Heel” for hackers and cyber threats.
Cumberland told Computer Weekly it has developed an “interim emergency plan”, but did not provide further details of the document, nor a copy of it.
A council spokesperson argued that doing so or “providing further detail about the IT systems could potentially put the security of systems at risk.”
The spokesperson said that Cumberland Council is aware that there was no disaster recovery plan in place for the former Copeland. Following the extensive work undertaken to obtain Public Services Network (PSN) compliance – a government cyber security standard – at Copeland, the Cumberland team has developed an interim recovery plan. “This ensures plans are in place for all legacy networks,” it said.
Russell Price, chair at the Continuity Forum, last year criticised Copeland’s media response to the 2017 incident. But, he said, Copeland and Cumberland face cyber security challenges that many UK public sector bodies are grappling with.
The Cumberland spokesperson told Computer Weekly that the measures taken to address cyber security since the combined authority was set up in April 2023 had been “extensive”.
“A significant amount of work has been undertaken by Cumberland to ensure that Copeland’s ICT control environment meets the requirements of Public Services Network Accreditation,” the spokesperson said.
“This work could only start from 1 April 2023, when Cumberland Council came into existence. A significant number of former Copeland ICT architecture is now cloud-based,” they continued.
“An extensive ICT health check was commissioned and undertaken, with further extensive work undertaken to address remedial actions to obtain PSN certification for the legacy Copeland network.”
Strategic risk
The council spokesperson also said the local authority had “registered a strategic risk” for cyber attacks due to the present geopolitical climate.
The US has warned that China is upping its use of cyber attacks to target key energy and utility infrastructure in the West.
A former National Cyber Security Centre boss recently told Computer Weekly, however, that the UK is at risk of misunderstanding the cyber threats posed by China and other potentially hostile state actors.
“The majority of the Copeland Infrastructure has been replaced and modernised, and implemented in line with best practice,” the spokesperson said. “This includes the core network, the firewalls, the VPN and the datacentre facilities.
“Cumberland Council has registered a strategic risk in relation to cyber attacks, due to the current geopolitical risk environment,” they continued. “The team are currently harmonising their operational risk registers and will work with the Council’s Risk Manager to produce an operational risk register that conforms to the Council’s Risk Management Framework.”
Sellafield has been contacted for comment.
