Launch of a website for the new Baden-Württemberg Cybersecurity Agency

The growing threat to state and local government administration posed by hacker attacks is causing billions in damage to town halls, public infrastructure, and businesses. The newly founded Cybersecurity Agency Baden-Württemberg (CSBW) is one of the first state agencies nationwide to address this threat at the political level and offer assistance to municipalities and cities in the event of an attack. The CSBW collects information on incidents, issues warnings, and supports public administrations in cleaning up hacked platforms and encrypted data with a mobile response team. Our task in this project was, on the one hand, to establish the digital presence of a new authority as a trustworthy information website and, at the same time, to make it so secure that it does not become an easy target for hackers.

Project Goal

The aim of the project was to introduce a newly founded state authority and present it as modern, dynamic, flexible, and adaptable as its field of activity. The project was designed to appeal to various target groups with different areas of expertise, including municipal employees, potential new employees, and the interested public. For this project, we worked with our client's contact persons to go through a holistic process: positioning and brand strategy, development of the corporate design with logo and key visual illustrations, web concept, UX&UI design, web development, content editing, go-live!

Branding
What made this project special for us: Unlike many of our other relaunches, CSBW did not have an existing website that needed to be redesigned or whose content needed to be migrated – the website was completely rebuilt from scratch and then filled with content. Starting with the content side, we created a corporate identity with a high recognition value for the state authority and supported the rollout of the design across all communication channels. As part of the digital branding process, exclusive illustrations were developed in a young and modern style, covering and illustrating a wide range of topics and issues. The illustrations are an ideal tool for addressing the technical topic of “cybersecurity,” which some target groups find daunting, with ease.

Security concept
The fact that a new cybersecurity authority is a target for attackers was something we kept in mind throughout the entire development process. We were able to draw on a wealth of experience with development standards and data protection guidelines, followed by intensive internal testing procedures. We combined established and freely available Drupal modules with our custom modules, which we program and continuously develop based on specific project requirements. In all our in-house developments, but also when using established modules, we follow the premise that modules can be used performantly and securely, sustainably and stably over several years. Here, we lay the foundation for IT security through the consistent updatability of our systems. In order to objectively and critically review our work, we cooperated with a cybersecurity company that performed PEN testing on our pre-live system under real conditions – which we passed successfully!

Two-stage approval process
We defined a custom workflow for CSBW that involves a two-stage approval process – very similar to the traditional procedures used by public authorities. Content is created as a draft in Drupal, submitted for approval with an email notification, and then either published, rejected, or made available for review by the authority's management. When all backend users log in, two-factor authentication ensures the highest security standards.

Accessibility
We developed a clear catalog of measures based on the BITV 2.0 regulations for the accessibility of the website with the functions to be used. Using the dual control principle, we ensured that the website can be optimally operated using keyboards and screen readers while remaining visually contemporary and appealing. We also focused on accessibility in editorial training with references to semantic structure and alternative texts.

Challenges

The challenge in this project definitely lies in securing the application against attacks. Although no user data is collected, a public attack on the website would be damaging to its image and politically explosive. We were able to meet this challenge not only with the Drupal application, but above all through cooperation with the hosting provider of the state of Baden-Württemberg. The setup of the servers was coordinated with us.

Our measures included, among others:
•    Prevention of access to unauthorized ports through special firewall configurations (hardware-based (router hardware firewall) and software-based (e.g., iptables)
•    Use of intrusion prevention systems such as fail2ban (support with installation and configuration)
•    Configuration of chroot environments to encapsulate application code
•    Automatic deployment of application code using continuous integration/continuous delivery (CI/CD)
• Extensive application and system monitoring (e.g., notification in case of unauthorized manipulation of application code)

Last but not least, the Drupal community also provides us with support: thanks to their commitment, potential vulnerabilities are quickly identified and security patches are passed on to our development team.

Conclusion

Our work with the Baden-Württemberg Cyber Security Agency shows that Drupal is not only a highly configurable and extensible CMS, but also has robust security features. It demonstrates that Drupal is ideal for implementing websites in public administrations, including for mapping complex workflows and approval processes. The project demonstrates that a clear Drupal backend facilitates the daily work of public relations staff with the website and ensures the highest security standards through a project-specific login process.