Hamilton cyberattack shows municipalities need to shore up digital defences: expert
A recent ransomware attack that knocked out several online services in one of Ontario's largest cities has brought into sharp focus the need for municipalities to have a plan to respond to what's become an unavoidable -- and increasingly sophisticated -- threat, a top cybersecurity expert said.
The breach in Hamilton is the latest example of the seriousness of such cyberattacks, which have increasingly targeted municipalities in recent years, said Charles Finlay, executive director of Toronto Metropolitan University's Rogers Cybersecure Catalyst.
- Download our app to get local alerts on your device
- Get the latest local updates right to your inbox
While Hamilton's critical services have not been affected, cyberattacks on municipal networks can lead to dangerous situations if they tamper with emergency, water and wastewater systems, Finlay said in an interview.
Municipalities of all sizes are being targeted because they often hold large amounts of data that can be leveraged to extort significant ransoms, he said. Those behind the attacks also know municipal services are important to residents and governments can't afford to be offline for long, he said
Every municipality needs to establish "how they will respond to that kind of crisis," Finlay said, stressing it's not something that should be improvised once the damage is done. Governments also need to beef up training for staff to ensure they follow best practices such as two-factor authentication, regular software and password updates and not clicking on links in emails from untrusted senders, he said, noting breaches can often stem from employee mistakes.
"It's no longer a question of if a municipality is going to be attacked -- it's only really a question of when they're going to be attacked," Finlay said.
"I would urge us all to recognize that these attacks on municipalities are a wake-up call and we really need to do more now, before we have even more dangerous situations emerge."
Officials in Hamilton said last week that they have engaged experts, insurers, lawyers and others in their efforts to restore the city's systems following the Feb. 25 attack, though no timeline has been set.
Systems used for online payments or licence applications have been affected, and municipal staff are processing routine transactions manually or accepting cash wherever possible, they said. An investigation is also underway to determine if any personal information was accessed or compromised.
Over the weekend, Hamilton's website was down "due to precautionary system changes made by staff in response to the ongoing cybersecurity incident," the city said on social media. The main site was back up Monday morning, but two related sites were still out of commission.
Hamilton's city manager, Marnie Cluckie, declined to say whether the city had paid a ransom related to the attack, or explain what it is doing to shore up its digital defences.
"The cyber criminals are sophisticated. We cannot divulge information that could be useful to them. This includes, for example, what we are doing to protect data and our systems. It also includes not discussing specific ransom demands in public nor our decision criteria for such demands," she said in an emailed statement last week.
"Once systems are up and running again, the city will conduct a full review to identify where changes and improvements may be needed and to help prevent a similar incident from happening in future."
The Hamilton breach comes on the heels of similar attacks on two city-owned institutions in Toronto: the public library and the zoo, two incidents that exposed sensitive employee information. The library's system was affected for months.
The three recent cyberattacks stirred pangs of sympathy in Dan Mathieson, the former mayor of Stratford, Ont., which was hit by a ransomware attack almost five years ago.
It took the southwestern city about two weeks to restore full service on its systems after hackers installed and activated malware on several of its servers in April 2019. The city also paid about $75,000 in ransom, and included those costs in its cyber insurance claim, it said at the time.
The insurance company set out cybersecurity standards that the city had to meet in order to stay covered, Mathieson said in a recent interview. It also helped lay out a path for them following the breach, he added.
"If I was to look five years from where we were to where we are today, awareness (of cyber threats) is much higher" among elected officials, municipal staff and the public, said Mathieson, who chose not to seek re-election in 2022 after nearly 20 years in office.
"Municipalities are finally realizing we need to do far more work in that area."
The provincial government has also given the issue more attention, though both Ontario and Ottawa should do more to support municipalities, Mathieson said. One of the options to consider would be provincial or even federal cybersecurity standards, alongside necessary funding, he said,
"It is a national security risk. Our water systems, our wastewater systems, our hydroelectric power grid -- all of this is run at local levels, but has national and international implications if there is a problem," he said.
In a report released in the fall of 2022, Ontario's Cybersecurity Expert Panel said cybersecurity initiatives in the broader public services sector were moving forward without a centrally co-ordinated strategy or model. The panel suggested the province "reinforce existing governance structures to enable effective cybersecurity risk management" across the broader public services sector.
The Association of Municipalities of Ontario, meanwhile, released a set of best practices for members, urging them to approach cybersecurity policies and protocol as an "expansion to emergency preparedness."
"Just as municipal governments routinely prepare plans for the continuity of operations in the event of a natural disaster, they must also prepare plans to restore critical computer systems and networks as quickly as possible in the event of a cyberattack," the document said.
Municipalities should conduct a comprehensive risk assessment across all departments to identify potential risks, then create "actionable and appropriate solutions to address weaknesses in their system and direct resources to bolster security," it said.
The organization is holding a cybersecurity workshop for municipalities in partnership with the Rogers Cybersecure Catalyst later this month.
This report by The Canadian Press was first published March 11, 2024.
CTVNews.ca Top Stories
'It's a giant mess': Confusion remains about the GST/HST holiday
The organization representing small and medium size businesses in Canada says the start to the GST and HST holiday has been 'a giant mess.'
Donald Trump says Canada becoming 51st U.S. state is 'a great idea.' Jean Charest calls the comment a 'wake-up call'
U.S. President-elect Donald Trump is taking aim at Canada once more, saying it would be 'a great idea' to make it America's ‘51st state.'
'You're either with Beijing or you're with Washington': Ford says to Mexico in CNN interview
Ontario Premier Doug Ford has a message for Mexico as the threat of tariffs by incoming president Donald Trump hangs over both sides of the U.S. border.
'Why would I box myself in?: Singh on why he won't commit to helping bring Trudeau's gov't down, yet
NDP Leader Jagmeet Singh says U.S. president-elect Donald Trump's looming tariff threat is part of the reason why he's not committing to voting non-confidence in Prime Minister Justin Trudeau's government.
NEW Here's how the cost of living challenges are shaking up Canadian seniors' retirement plans
With the high cost of living increasingly a concern, some seniors are making sacrifices to help their adult children and grandchildren make ends meet. Here are some of their stories.
B.C. man drops camera into ocean, accidentally captures 'breathtaking' whale video
Before it turned into an extraordinary day, Peter Mieras says it began being quite ordinary.
What's the best treatment for ADHD? Large new study offers clues
Stimulant medications and certain therapies are more effective in treating ADHD symptoms than placebos, a new study on more than 14,000 adults has found.
Chicago man visits Michigan to return overdue book after 50 years
A Chicago man is trying to turn his honest mistake into something positive after forgetting to return an overdue library book to his childhood library in Warren.
There are 88 new Order of Canada appointees. Here's a look at some of the most notable names
Ryan Reynolds, Scott Oake and Maureen Ann Jennings are among the 88 new recipients of the Order of Canada.