Municipalities are 'a treasure trove of information.' If the Toronto library cyberattack is a sign of what's to come, how can cities defend themselves?
Municipalities cover water, waste, 911. If these are compromised - if water quality was tampered with - the result could be deadly.
Thestar.com
Jan. 3, 2024
Alyshah Hasham, Emily Fagan
Increasingly sophisticated cyberattacks are battering at the defences of municipalities across the country - including Toronto - experts say.
Sometimes, like in the case of a ransomware attack on the Toronto Public Library in late October that is expected to leave online services down until the new year, the attack is successful, resulting in stolen personal data likely being shared or sold on the dark web and leaving the victims vulnerable to fraud and identity theft.
It’s a serious data breach. But think about how much more a municipality covers: Water. Waste. 911. If these were to be compromised by hackers - if water quality was tampered with or 911 responses were delayed - the result could be deadly. And as more services go digital, there are more opportunities for disaster.
Municipalities “are a treasure trove of information,” said Kyle Bateman, manager of Information Technology for Port Hope.
“In the services they provide, if anyone is looking to do damage or looking to have some sort of impact within an organization in a negative way, a municipality would be a prime target.”
Cybersecurity policy expert Charles Finlay at Toronto Metropolitan University said the library attack should serve as a warning for what vulnerabilities could exist in the security of critical infrastructure.
Maneesh Agnihotri is responsible for keeping the City of Toronto safe from such attacks. He's been the city’s chief information officer for the last year and leads a team that has grown from five people when the division was created three years ago to 80 people today.
They work with divisions across the city and advise city agencies to ensure everything from “24/7/365” threat monitoring, which includes a team that scours the dark web to see if Toronto is being mentioned as a target, to properly encrypted files, to making sure the people who work there – the organization’s weakest point – are properly trained in cybersecurity awareness.
The reality of his job – and those of his peers across the country – is that the number of cyberattacks is increasing. Many are driven by profit; others come from “hacktivists” who want to disrupt public systems. Some come from other countries, often during election times, global conflicts or the visits of foreign leaders. The number one type of attack is ransomware, typically in the form of “phishing,” which is an attempt to deceive a person into sharing sensitive information or passwords, rather than a breach of a network.
“You have groups that are very sophisticated,” Agnihotri says. “They are like companies … you can get ransomware as a service.”
While it is easier than ever to hire hackers as a service, what is unusual is that some hacker groups operate by a set of ethics. Agnihotri points to a ransomware attack on Sick Kids Hospital in December 2022. When the group that made the ransomware software learned it had been used to attack a hospital, it provided Sick Kids with a code so the hospital could regain control of its data. He says these “rules of engagement” also mean that some attackers, if you pay them, will not attack again, which makes how the city communicates to the public about an attack even more delicate.
Even so, he says communication is important for public trust, and is one reason that when an attack is successful the most important thing is to contain the threat and figure out what, if anything, has been compromised.
Agnihotri is careful not to share the details of the city’s cybersecurity plans – a practice that is part of the city’s cybersecurity plan. He won’t say, for example, whether the city has ransomware insurance, an expensive but common practice that allows organizations to pay out ransoms. He also won’t share how many attacks the city has experienced, though he notes that in the year he’s been in charge there has not been a “priority one” incident, the most serious category, directed at the city of Toronto. (This excludes agencies like the library, which don't fall under his department's direct control.)
Agnihotri feels the city is in a good position right now, compared to most municipalities, though no organization can ever be totally risk-free.
So, while the city and the library don’t comment on specific cybersecurity strategies, cybersecurity expert Finlay says talking about the steps the city and its agencies are undertaking to strengthen their cybersecurity measures could go a long way to rebuilding residents’ trust in the safety of these systems.
“I think the city has to be more forthcoming about what it is doing to ensure that those services are secure from cyber-attacks,” said Finlay.
Based on the statements the library has made publicly since the ransomware attack, Finlay believes it has done everything it could, including working with police and alerting those affected. He hopes this situation serves as a call to action. He says it’s not a matter of if, but when, other city services will face similar attacks.
“This is an attack essentially on all of the residents of Toronto,” he said. “It should be responded to with the kind of investments and improvements that are necessary in light of that.”
This is particularly true given that a recent survey of municipalities done by the Municipal Information Systems Association (MISA) Ontario found that attacks are on the rise.
“It is critical for the provincial and federal governments to realize that critical infrastructure – and many day-to-day citizen services are on that level – needs to be protected,” says Kush Sharma of MISA Ontario, a group that brings together municipal technology experts and advocates for more support from other levels of government for municipal IT operations, including cybersecurity.
Sharma was also Toronto’s first chief information security officer.
He says there has been improved information-sharing among municipalities and between other levels of government, including regular threat briefings, free resources and even pooling funds to access more advanced security tools.
This is especially useful for smaller municipalities that struggle with funding and resources more than Toronto does with its $38 million budget.
The good news, he said, is that the survey found in 2023, 91 per cent of municipalities had not had a significant cyber breach. Where ransomware attacks did happen, the ransom requests ranged in amount from under $50,000 to more than a million dollars.
The Toronto Public Library has said they did not pay a ransom but did not provide details on what demand may have been made.
The investigation into the library attack is still ongoing, but Agnihotri says there are some early lessons to be learned. Constant threat monitoring is important, and so is employee cyber-awareness. The phishing awareness campaigns conducted by his office have been promising, he says, with a low click-through rate, but it only takes one click to potentially lead to a security breach.
And there must be ongoing training to keep employees consistently aware of new threats.
“They are always knocking at the door,” Bateman said. “They are always looking for ways to get in, they are always trying new things.”