Cybercriminals have caught Canadian municipalities flat-footed. Our cities must get with the times or send more taxpayer money and private data out the door.
Cybercrime costs Canada $3.12 billion a year. A portion of that involves ransom payments to cybercriminals who digitally hold computers hostage.
Ransomware, which involves remotely encrypting hard drives and demanding money in exchange for the key, has become the favourite tool to attack Canadian systems. That’s what happened to a Québec municipality in September – it had no other choice but to pay bandits $30,000 after two weeks offline.
Similar attacks left two Ontario towns locked out of their own servers. Officials had to pay thousands to get them back, prompting the police to warn local governments. In the U.S., Atlanta and Baltimore had their servers hacked last year, rendering many vital services such as 911 dispatch and local courts out of commission.
These are not isolated incidents. Ajay Sood, the general manager of Symantec Canada, told Global News: “It’s a small percentage of what’s being reported, a smaller percentage of what’s being detected and an even smaller percentage of what’s been occurring.”
Politicians who are unaware of or overlook cybersecurity put everyone in danger.
Outdated systems make the problem worse – experts detect security holes on a daily basis. In 2014, Québec authorities had to delay the launch of personalized licence plates until 2017 because existing computers were years old and needed $4.5 million worth of updates.
Some Quebec provincial offices still use the vulnerable Windows 2000 operating system and spend millions on extended warranties. Quebec spends the lowest proportion of its budget on IT security of any region in the country.
Even though political capitals are the prime targets, local governments are increasingly attractive for hackers. Municipalities hold valuable data yet are poorly prepared to detect and fend off attacks.
The potential damage of neglecting cybersecurity can be manifold: loss of records, temporary shutdowns, costly recoveries and erosion of trust among citizens. And failure in local government services can have a greater impact than distant federal agencies on the quality of people’s lives.
A survey reveals that Canadians are overconfident and poorly informed about their cybersecurity preparedness. The illusion of safety can be an ingredient for a disaster, especially as the 2019 federal election approaches. NATO has warned Canada to prepare for foreign meddling, as has become standard practice for Chinese and Russian agents.
Antivirus and firewall software isn’t enough, even for small towns that believe they’re unlikely targets. Cyber attacks affect governments at all levels and come as direct hacking and as clever social-engineering techniques designed to exploit human flaws.
Most ransomware infections occur after someone is deceived into clicking on a link. Education and awareness must be the cornerstone of any cybersecurity strategy. Training employees to identify deceitful emails, maintain secure passwords and report any suspicious activity is key. Hiring an external firm to conduct a security audit, albeit expensive, will identify many vulnerabilities and avoid losses.
Likewise, at least having a regularly updated backup offsite will help with the recovery if everything else fails.
This is just the start to addressing today’s issues. Municipalities, large and small, are constantly investing in new technologies such as cameras and public Wi-Fi zones. Cesar Cerrudo, co-founder of Securing Smart Cities, argues that “the more technology cities use, the more vulnerable to cyberattacks they could become.”
A report from the Centre for International Governance Innovation proposes a network of collaborating online-security stakeholders. In Cyber Scaffolding: Proposing a National Organization to Support the Canadian Economy and Public Safety, Timothy Grayson and Brian O’Higgins argue government should forge private and non-profit partnerships. Officials “lack the specialized cybersecurity ‘business’ knowledge to intelligently match the speed of change.” They all too often end up “addressing yesterday’s problems.”
A cybersecurity department in every small town is not fiscally feasible, but municipal officials can and should reach out to agencies and law enforcement at the provincial and federal levels.
The recently launched federal Canadian Centre for Cyber Security, “a single unified source of expert advice, guidance, services and support on cybersecurity for government, critical infrastructure owners and operations, the private sector and the Canadian public,” seeks to offer much-needed assistance.
Where possible, however, municipal officials should look to nearby universities and private consultants. Non-government actors can offer a valuable hand that’s less tied up with the usual red tape and political animosity.
Banks, hospitals and firms of all sizes have learned the lesson the hard way. Municipalities are next. They should adapt to the new era and be prepared.
It’s not a matter of if, but when, they will be attacked.