Key information
Decision type: Deputy Mayor for Fire
Directorate: Strategy and Communications
Reference code: DMFD176
Date signed:
Date published:
Decision by: Dr Fiona Twycross
Executive summary
This report requests the Deputy Mayor for Fire and Resilience commits to revenue expenditure up to the amount set out in part 2 of this decision to procure a cyber-defence system, to ensure that the London Fire Commissioner’s (LFC’s) systems continue to be protected from cyber-attacks and for such a system to be implemented in a timescale to ensure that the LFC cyber-defences are continually available. It is anticipated that a contract for new service provision would commence in July 2023, with a contract length of up to five years.
The London Fire Commissioner Governance Direction 2018 sets out a requirement for the London Fire Commissioner to seek the prior approval of the Deputy Mayor before “[a] commitment to expenditure (capital or revenue) of £150,000 or above as identified in accordance with normal accounting practices…”.
Decision
This report requests the Deputy Mayor for Fire and Resilience commits to revenue expenditure up to the amount set out in part 2 of this decision to procure a cyber-defence system, to ensure that the London Fire Commissioner’s (LFC’s) systems continue to be protected from cyber-attacks and for such a system to be implemented in a timescale to ensure that the LFC cyber-defences are continually available. It is anticipated that a contract for new service provision would commence in July 2023, with a contract length of up to five years.
The London Fire Commissioner Governance Direction 2018 sets out a requirement for the London Fire Commissioner to seek the prior approval of the Deputy Mayor before “[a] commitment to expenditure (capital or revenue) of £150,000 or above as identified in accordance with normal accounting practices…”.
Part 1: Non-confidential facts and advice
1.1. Report LFC-0727y to the London Fire Commissioner (LFC) explains that in recent years the security threat posed to organisations around the globe from cyber-attacks, malware and associated threats, has increased significantly.
1.2. Coming to prominence in 2017, the “WannaCry” ransomware attacks infected over 200,000 computers in less than 48 hours. “WannaCry” rendered useless some of the computers that help run Britain’s National Health Service (NHS), causing ambulances to be diverted and shutting down non-emergency services. Since then, there have been numerous well-publicised examples of cyber-attacks impacting both the public and private sector.
1.3. In response to the ever-increasing threat posed by cyber-attack, LFC procured a cyber-defence system in 2019. The system specification was carefully constructed so that as far as possible the system would operate autonomously (once installed and configured), utilising artificial-intelligence (AI) and machine learning capabilities, in order to respond to and neutralise threats.
1.4. Whilst the LFC had multi-layered defence systems already in place such as anti-virus scanning, web-filtering and a strategy to implement security patches regularly, a cyber-defence system was considered an essential part of a multi-layered security defence, and this remains the case today.
1.5. Information received from central government and other trusted sources has highlighted an increased threat of cyber-attacks, relating to the invasion of Ukraine. Whilst there has been no specific threat to the London Fire Brigade (LFB), it is essential that we maximise our defences in this area, particularly as another UK fire and rescue service was recently infected with ransomware.
1.6. In July 2023, LFC’s four-year contract for use of the current cyber-defence system, the Darktrace system from BT Global Services, comes to an end. This report proposes procuring a cyber-defence system, to ensure that the LFC continues to benefit from appropriate cyber protection.
2.1 The objective of this paper is to secure approval for the procurement of a new cyber-defence system, for a period of up to five years (three years with an option to extend by two years).
2.2 The failure to procure a new cyber-defence system will expose LFC systems to the risk of potential attack (directly or indirectly) from hostile external agencies or individuals, which if successful could seriously disrupt the front-line activities of LFB.
2.3 The provision of a cyber-defence system is a current active control to a specific risk set out in LFC’s Information and Communications Technology risk register, which includes the risk that “A security incident compromises LFB’s ICT ‘confidentiality, integrity and availability’.”
2.4 As LFC has now deployed the Microsoft 365 system to all staff, the cyber-defence system specification will now include a requirement to extend autonomous cyber protection to this environment. The cost of this additional protection has been estimated and set out in part 2 of this report and the additional funding to facilitate this requirement will be the subject of a budget growth bid in the 2023/24 budget process.
3.1 The LFC and the Deputy Mayor for Fire and Resilience are required to have due regard to the Public Sector Equality Duty (section 149 of the Equality Act 2010) when taking decisions. This in broad terms involves understanding the potential impact of policy and decisions on different people, taking this into account and then evidencing how decisions were reached.
3.2 It is important to note that consideration of the Public Sector Equality Duty is not a one-off task. The duty must be fulfilled before taking a decision, at the time of taking a decision, and after the decision has been taken.
3.3 The protected characteristics are: age, disability, gender reassignment, pregnancy and maternity, marriage and civil partnership (but only in respect of the requirements to have due regard to the need to eliminate discrimination), race (ethnic or national origins, colour or nationality), religion or belief (including lack of belief), sex, and sexual orientation.
3.4 The Public Sector Equality Duty requires decision-takers in the exercise of all their functions, to have due regard to the need to:
- eliminate discrimination, harassment and victimisation and other prohibited conduct
- advance equality of opportunity between people who share a relevant protected characteristic and persons who do not share it
- foster good relations between people who share a relevant protected characteristic and persons who do not share it.
3.5 Having due regard to the need to advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it involves having due regard, in particular, to the need to:
- remove or minimise disadvantages suffered by persons who share a relevant protected characteristic where those disadvantages are connected to that characteristic
- take steps to meet the needs of persons who share a relevant protected characteristic that are different from the needs of persons who do not share it
- encourage persons who share a relevant protected characteristic to participate in public life or in any other activity in which participation by such persons is disproportionately low.
3.6 The steps involved in meeting the needs of disabled persons that are different from the needs of persons who are not disabled include, in particular, steps to take account of disabled persons' disabilities.
3.7 Having due regard to the need to foster good relations between persons who share a relevant protected characteristic and persons who do not share it involves having due regard, in particular, to the need to:
- tackle prejudice
- promote understanding.
3.8 An Equalities Impact Assessment has not been carried out in respect to the procurement of a cyber-defence system. Any cyber-defence system will operate autonomously in the background and users will not have any interaction with the product.
Workforce comments
4.1. The impact on LFB users of technology and information is referenced in the strategy. There is no plan to undertake workforce consultation on the strategy itself.
Sustainability comments
4.2. There are no specific sustainable development implications arising from the procurement of the cyber-defence system.
Procurement comments
4.3. Various routes to market have been considered, and it has been decided that this procurement will be carried out using the Pan London Information and Communications Technology (ICT) Framework. Legal advice has previously been sought by LFB project leads on this course of action to ensure compliance with the Procurement Regulations.
4.4. Collaboration with the GLA has been investigated with the Group Collaboration Procurement Group. However, no opportunities have been identified by the LFB
Conflicts of interest
4.5. There are no conflicts of interest to declare from those involved in the drafting or clearance of this decision.
5.1 Finance comments have been incorporated in the Part 2 report.
5.2 There are no direct financial implications for the GLA.
6.1 Under section 9 of the Policing and Crime Act 2017, the LFC is established as a corporation sole with the Mayor appointing the occupant of that office. Under section 327D of the GLA Act 1999, as amended by the Policing and Crime Act 2017, the Mayor may issue to the LFC specific or general directions as to the manner in which the holder of that office is to exercise his or her functions.
6.2 By direction dated 1 April 2018, the Mayor set out those matters, for which the LFC would require the prior approval of either the Mayor or the Deputy Mayor for Fire and Resilience (the "Deputy Mayor").
6.3 Paragraph (b) of Part 2 of that direction requires the LFC to seek the prior approval of the Deputy Mayor before “[a] commitment to expenditure (capital or revenue) of £150,000 or above as identified in accordance with normal accounting practices…”. The Deputy Mayor's approval is accordingly required for the LFC to expend the sums set out in part 2 of this report.
6.4 The statutory basis for the actions proposed in this report is provided by sections 7 and 5A of the Fire and Rescue Services Act 2004 (FRSA 2004). Under section 7 (2)(a) of the FRSA 2004, the LFC has the power to secure the provision of personnel, services and equipment necessary to efficiently meet all normal requirements for firefighting; and section 5A allows the LFC to procure personnel, services and equipment they consider appropriate for purposes incidental or indirectly incidental to their functional purposes.
6.5 This report confirms this procurement will be carried out utilising the Crown Commercial Service (CCS) Technology Products & Associated Services (RM6068, Lot 3). This procurement will be carried out in compliance with the Procurement Regulations and the Commissioner’s standing orders on procurement.
6.6 These comments have been adopted from those provided by the LFC’s General Counsel Department in report LFC0727y to the LFC.
Signed decision document
DMFD176 Signed
Supporting documents
DMFD176 Part One - Appendix One
DMFD176 - PART 2
DMFD176 Appendix 1 - Part Two