Municipalities can make an easy target for cyberattacks, says expert
Cybersecurity experts and intelligent technology officials are constantly on the lookout for that single email clicked on by an unsuspecting employee that could conceivably paralyze any business or government institution.
“I remember when cybercrime and ransomware wasn’t a thing,” said Matt Lewis, acting chief security officer at Field Effect. “The worst thing we had to worry about was keystroke clockers.”
Now, said Lewis, who worked for 20 years at Communications Security Establishment and Canadian Centre for Cyber Security, “you are only one email away, one user clicking through an email before one of those incidents kick off ” a problem.
Hamilton’s public battle with a cyberattack highlights a prominent municipality to suffer the perils of a security breach. It was attacked in late February. Huntsville is the latest Ontario municipality to discover, on the weekend, that it had been attacked.
Other municipalities over the past several years have also experienced significant cyberattacks, including Burlington in 2019, where a phishing scam cost the municipality more than a half-million dollars and Saint John, N.B., which spent $2.9 million to overhaul its website after an attack. The town of Stratford, meanwhile, paid a $75,000 ransom, and in 2021 Durham Region had several gigabytes of data stolen and ransomed.
Toronto’s public library was attacked by hackers in October 2023, disrupting every system and technology across more than 100 branches. Officials said names, social insurance numbers, government identification and addresses of employees were exposed.
Public institutions are easy targets for cyber criminals because of the large amount of personal information and control that provide essential services to the public, said the Office of the Information and Privacy Commissioner of Ontario.
“It is essential to maintain public trust in institutions and confidence in the seamless operation of critical systems,” said the information and privacy commissioner. “Organizations must remain vigilant in their efforts to protect against these attacks, continually monitoring their systems for signs of suspicious activity.”
Lewis agreed municipalities are vulnerable targets for hackers because they have a “massive” amount of information about people.
“Once you have that information, you can ransom it. You can sell it on the black market, or you can use that information to target the citizens themselves,” he said. “Hackers will try to get a foothold anywhere they can, and then they can go laterally across the network.”
Lewis said municipalities have “very large threat surfaces” for hackers, such as many connections to the internet, while at the same time having limited security in place.
Municipalities also operate critical public services, such as wastewater and water systems and the hydroelectric power grid, which even at the local level has significant national and even international implications, said Lewis.
“For a lot of municipalities, cybersecurity is not a priority until it is a catastrophe,” said Lewis. “It’s not entirely their fault. When people contact their government, it is rarely about IT issues. It’s about parks, potholes, libraries. And when you only have a certain number of resources, oftentimes cybersecurity is the last thing that you want to invest in.”
Canadian Anti-Fraud Centre reported that between 2020 and 2021, scams and fraud jumped 130 per cent, and Canadians lost about $380 million.
Ontario’s 2022 cybersecurity expert panel recommended “reinforcing” existing governance structures, improving cybersecurity awareness and training, having cross-sector collaboration to better mitigate cyberattacks and expanding communication across the broader public sector.
The Information and Privacy Commissioner of Ontario has fact sheets and tips for protecting information against ransomware and phishing and what to do with a suspected data breach.
Officials in Hamilton recently said they have engaged experts, insurers, lawyers and others in their efforts to restore the city’s systems following the Feb. 25 attack.
Lewis said hackers use a variety of attacks against victims, including “smash and grab,” while others burrow into the network “so they can understand how your network works,” including the protection of data.
Once a municipality, or anybody else, is attacked, victims are usually “dealing with incomplete information, they don’t know the extent” of the incursion, “they are trying to put the pieces together, while at the same time trying to figure out if that hacker is still on their network,” said Lewis.
And this takes time, he said. Businesses and governments have been known to take a year or more to resolve their computer issues, especially if they have to replace their entire system, he said.
“You have no faith in your current infrastructure,” Lewis said of institutions following an attack. “It requires almost a complete rebuild since the compromise is so pervasive.”
Lewis urged municipalities, and businesses, to ensure that their systems are up to date rather than nearly expiring, and keep their threat systems as small as possible. Agencies also must encrypt all data, including backup information, he said.
The Association of Municipalities of Ontario, in January 2023, released a cybersecurity tool kit that included enforcing security policies as part of emergency preparedness. Municipalities should conduct a comprehensive risk assessment across all departments and then create plans to address weaknesses in the system, said the document.
Niagara This Week reporter Mark Newman recently reported the Town of Lincoln’s cybersecurity firewall is blocking as many as 1,000 suspicious emails each day.
Mike Kirkopoulos, Lincoln’s chief administrative officer, said the town’s filters have stopped “over 22,000 spam and phishing attempts” over a span of a month.
It is also reviewing its cybersecurity system in the wake of Hamilton’s cyberattack, he said.
In St. Catharines, corporate information officer Les Garner told Standard reporter Karena Walter staff have been trained to find suspicious emails. Cybersecurity remains a priority for the city, and it has been making changes over the past five years to ensure its information and process is safe, Garner told Walter.
Cybersecurity is a top priority for Niagara Region officials, said Todd Harrison, commissioner of corporate services and treasurer, and the municipality “regularly” invests in protecting data.
“The Region remains committed to monitoring cybersecurity trends and developing issues,” said Harrison in an email through a spokesperson. “There is no single solution that guarantees the prevention of the wide range of cybersecurity incidents and attacks.”
Niagara-on-the-Lake “prioritizes” cybersecurity, said spokesperson Marah Minor, as it “interacts” with its external security partners and other government agencies.
“With cyberattack events constantly changing, staff continue to work in this critical area as outlined in council’s strategic plan to enhance and bolster security measures and systems.”
Asked for comment about Welland’s cybersecurity process, spokesperson Paul Orlando said the city has “no comment at this time.” Messages sent to City of Niagara Falls officials regarding cybersecurity were not acknowledged.
Lewis said victims shouldn’t expect any immediate accountability from cybersecurity attacks. These attacks can be perpetrated by anybody, but most of the time they are conducted by organized crime located anywhere in the world.
“Forget about prosecution,” he said. “Just an attribution is very difficult. As long as people have the motive to do it and economic incentive, cybercrime is not going away.”
Businesses and governments have been known to take a year or more to resolve their computer issues, especially if they have to replace their entire system