Hamilton cyberattack shows municipalities need to shore up digital defences: expert
A recent ransomware attack that knocked out several online services in one of Ontario's largest cities has brought into sharp focus the need for municipalities to have a plan to respond to what's become an unavoidable -- and increasingly sophisticated -- threat, a top cybersecurity expert said.
The breach in Hamilton is the latest example of the seriousness of such cyberattacks, which have increasingly targeted municipalities in recent years, said Charles Finlay, executive director of Toronto Metropolitan University's Rogers Cybersecure Catalyst.
- Download our app to get local alerts on your device
- Get the latest local updates right to your inbox
While Hamilton's critical services have not been affected, cyberattacks on municipal networks can lead to dangerous situations if they tamper with emergency, water and wastewater systems, Finlay said in an interview.
Municipalities of all sizes are being targeted because they often hold large amounts of data that can be leveraged to extort significant ransoms, he said. Those behind the attacks also know municipal services are important to residents and governments can't afford to be offline for long, he said
Every municipality needs to establish "how they will respond to that kind of crisis," Finlay said, stressing it's not something that should be improvised once the damage is done. Governments also need to beef up training for staff to ensure they follow best practices such as two-factor authentication, regular software and password updates and not clicking on links in emails from untrusted senders, he said, noting breaches can often stem from employee mistakes.
"It's no longer a question of if a municipality is going to be attacked -- it's only really a question of when they're going to be attacked," Finlay said.
"I would urge us all to recognize that these attacks on municipalities are a wake-up call and we really need to do more now, before we have even more dangerous situations emerge."
Officials in Hamilton said last week that they have engaged experts, insurers, lawyers and others in their efforts to restore the city's systems following the Feb. 25 attack, though no timeline has been set.
Systems used for online payments or licence applications have been affected, and municipal staff are processing routine transactions manually or accepting cash wherever possible, they said. An investigation is also underway to determine if any personal information was accessed or compromised.
Over the weekend, Hamilton's website was down "due to precautionary system changes made by staff in response to the ongoing cybersecurity incident," the city said on social media. The main site was back up Monday morning, but two related sites were still out of commission.
Hamilton's city manager, Marnie Cluckie, declined to say whether the city had paid a ransom related to the attack, or explain what it is doing to shore up its digital defences.
"The cyber criminals are sophisticated. We cannot divulge information that could be useful to them. This includes, for example, what we are doing to protect data and our systems. It also includes not discussing specific ransom demands in public nor our decision criteria for such demands," she said in an emailed statement last week.
"Once systems are up and running again, the city will conduct a full review to identify where changes and improvements may be needed and to help prevent a similar incident from happening in future."
The Hamilton breach comes on the heels of similar attacks on two city-owned institutions in Toronto: the public library and the zoo, two incidents that exposed sensitive employee information. The library's system was affected for months.
The three recent cyberattacks stirred pangs of sympathy in Dan Mathieson, the former mayor of Stratford, Ont., which was hit by a ransomware attack almost five years ago.
It took the southwestern city about two weeks to restore full service on its systems after hackers installed and activated malware on several of its servers in April 2019. The city also paid about $75,000 in ransom, and included those costs in its cyber insurance claim, it said at the time.
The insurance company set out cybersecurity standards that the city had to meet in order to stay covered, Mathieson said in a recent interview. It also helped lay out a path for them following the breach, he added.
"If I was to look five years from where we were to where we are today, awareness (of cyber threats) is much higher" among elected officials, municipal staff and the public, said Mathieson, who chose not to seek re-election in 2022 after nearly 20 years in office.
"Municipalities are finally realizing we need to do far more work in that area."
The provincial government has also given the issue more attention, though both Ontario and Ottawa should do more to support municipalities, Mathieson said. One of the options to consider would be provincial or even federal cybersecurity standards, alongside necessary funding, he said,
"It is a national security risk. Our water systems, our wastewater systems, our hydroelectric power grid -- all of this is run at local levels, but has national and international implications if there is a problem," he said.
In a report released in the fall of 2022, Ontario's Cybersecurity Expert Panel said cybersecurity initiatives in the broader public services sector were moving forward without a centrally co-ordinated strategy or model. The panel suggested the province "reinforce existing governance structures to enable effective cybersecurity risk management" across the broader public services sector.
The Association of Municipalities of Ontario, meanwhile, released a set of best practices for members, urging them to approach cybersecurity policies and protocol as an "expansion to emergency preparedness."
"Just as municipal governments routinely prepare plans for the continuity of operations in the event of a natural disaster, they must also prepare plans to restore critical computer systems and networks as quickly as possible in the event of a cyberattack," the document said.
Municipalities should conduct a comprehensive risk assessment across all departments to identify potential risks, then create "actionable and appropriate solutions to address weaknesses in their system and direct resources to bolster security," it said.
The organization is holding a cybersecurity workshop for municipalities in partnership with the Rogers Cybersecure Catalyst later this month.
This report by The Canadian Press was first published March 11, 2024.
CTVNews.ca Top Stories
Joly touts 'private' diplomacy as Mexico criticizes Canada's culture, trade
Foreign Affairs Minister Mélanie Joly is not escalating a war of words with Mexico, after the Mexican president criticized Canada's culture and its framing of border issues.
Singh won't support Conservative non-confidence motion that uses his own words
NDP Leader Jagmeet Singh says he won't play Conservative Leader Pierre Poilievre's games by voting to bring down the government on an upcoming non-confidence motion.
Calgary man who drove U-Haul over wife sentenced to 15 years
A Calgary man who killed his wife in 2020 when he drove over her in a loaded U-Haul has been sentenced to 15 years behind bars.
Canada Post strike: Kids no longer need to mail their letters to Santa by the end of the week
Canada Post says it has removed the deadline for its Santa Claus letter program amid an ongoing national workers' strike that has halted mail delivery leading up to the holiday season.
Opposition leaders talk unity following Trudeau meeting about Trump, minister calls 51st state comment 'teasing'
The prime minister’s emergency meeting with opposition leaders on Tuesday appears to have bolstered a more united front against U.S. president-elect Donald Trump’s tariff threats.
Another case of 'zombie deer' disease confirmed in B.C.'s Kootenays
Health officials have confirmed a fourth case of chronic wasting disease in B.C.’s Kootenay region, prompting calls for a swift cull to prevent further spread.
Man severely injured saving his wife from a polar bear attack in the Far North
A man was severely injured Tuesday morning when he leaped onto a polar bear to protect his wife from being mauled in the Far North community of Fort Severn.
Video shows 'completely unprovoked' stranger attack in Vancouver, police say
Police in Vancouver are searching for witnesses after a seemingly random and unprovoked assault was captured on video in the city's downtown core.
South Korean president says he will lift martial law after lawmakers vote to reject his move
South Korean President Yoon Suk Yeol said early Wednesday that he would soon lift the military rule he imposed overnight, after the parliament voted to reject his martial law declaration.