Hamilton cyberattack shows municipalities need to shore up digital defences: expert
A recent ransomware attack that knocked out several online services in one of Ontario's largest cities has brought into sharp focus the need for municipalities to have a plan to respond to what's become an unavoidable -- and increasingly sophisticated -- threat, a top cybersecurity expert said.
The breach in Hamilton is the latest example of the seriousness of such cyberattacks, which have increasingly targeted municipalities in recent years, said Charles Finlay, executive director of Toronto Metropolitan University's Rogers Cybersecure Catalyst.
While Hamilton's critical services have not been affected, cyberattacks on municipal networks can lead to dangerous situations if they tamper with emergency, water and wastewater systems, Finlay said in an interview.
Municipalities of all sizes are being targeted because they often hold large amounts of data that can be leveraged to extort significant ransoms, he said. Those behind the attacks also know municipal services are important to residents and governments can't afford to be offline for long, he said.
Every municipality needs to establish "how they will respond to that kind of crisis," Finlay said, stressing it's not something that should be improvised once the damage is done. Governments also need to beef up training for staff to ensure they follow best practices such as two-factor authentication, regular software and password updates and not clicking on links in emails from untrusted senders, he said, noting breaches can often stem from employee mistakes.
"It's no longer a question of if a municipality is going to be attacked -- it's only really a question of when they're going to be attacked," Finlay said.
"I would urge us all to recognize that these attacks on municipalities are a wake-up call and we really need to do more now, before we have even more dangerous situations emerge."
Officials in Hamilton said last week that they have engaged experts, insurers, lawyers and others in their efforts to restore the city's systems following the Feb. 25 attack, though no timeline has been set.
Systems used for online payments or licence applications have been affected, and municipal staff are processing routine transactions manually or accepting cash wherever possible, they said. An investigation is also underway to determine if any personal information was accessed or compromised.
Over the weekend, Hamilton's website was down "due to precautionary system changes made by staff in response to the ongoing cybersecurity incident," the city said on social media. The main site was back up Monday morning, but two related sites were still out of commission.
Hamilton's city manager, Marnie Cluckie, declined to say whether the city had paid a ransom related to the attack, or explain what it is doing to shore up its digital defences.
"The cyber criminals are sophisticated. We cannot divulge information that could be useful to them. This includes, for example, what we are doing to protect data and our systems. It also includes not discussing specific ransom demands in public nor our decision criteria for such demands," she said in an emailed statement last week.
"Once systems are up and running again, the city will conduct a full review to identify where changes and improvements may be needed and to help prevent a similar incident from happening in future."
The Hamilton breach comes on the heels of similar attacks on two city-owned institutions in Toronto: the public library and the zoo, two incidents that exposed sensitive employee information. The library's system was affected for months.
The three recent cyberattacks stirred pangs of sympathy in Dan Mathieson, the former mayor of Stratford, Ont., which was hit by a ransomware attack almost five years ago.
It took the southwestern city about two weeks to restore full service on its systems after hackers installed and activated malware on several of its servers in April 2019. The city also paid about $75,000 in ransom, and included those costs in its cyber insurance claim, it said at the time.
The insurance company set out cybersecurity standards that the city had to meet in order to stay covered, Mathieson said in a recent interview. It also helped lay out a path for them following the breach, he added.
"If I was to look five years from where we were to where we are today, awareness (of cyber threats) is much higher" among elected officials, municipal staff and the public, said Mathieson, who chose not to seek re-election in 2022 after nearly 20 years in office.
"Municipalities are finally realizing we need to do far more work in that area."
The provincial government has also given the issue more attention, though both Ontario and Ottawa should do more to support municipalities, Mathieson said. One of the options to consider would be provincial or even federal cybersecurity standards, alongside necessary funding, he said.
"It is a national security risk. Our water systems, our wastewater systems, our hydroelectric power grid -- all of this is run at local levels, but has national and international implications if there is a problem," he said.
In a report released in the fall of 2022, Ontario's Cybersecurity Expert Panel said cybersecurity initiatives in the broader public services sector were moving forward without a centrally co-ordinated strategy or model. The panel suggested the province "reinforce existing governance structures to enable effective cybersecurity risk management" across the broader public services sector.
The Association of Municipalities of Ontario, meanwhile, released a set of best practices for members, urging them to approach cybersecurity policies and protocol as an "expansion to emergency preparedness."
"Just as municipal governments routinely prepare plans for the continuity of operations in the event of a natural disaster, they must also prepare plans to restore critical computer systems and networks as quickly as possible in the event of a cyberattack," the document said.
Municipalities should conduct a comprehensive risk assessment across all departments to identify potential risks, then create "actionable and appropriate solutions to address weaknesses in their system and direct resources to bolster security," it said.
The organization is holding a cybersecurity workshop for municipalities in partnership with the Rogers Cybersecure Catalyst later this month.
This report by The Canadian Press was first published March 11, 2024.