Cities Must Eat Humble Pie, Recognize Cyber Vulnerability

Commentary, Disruption, Fergus Hodgson

Cybercriminals have caught Canadian municipalities flatfooted. Either our cities get with the times or send more taxpayer money and private data out the door.

Cybercrime costs Canada $3.12 billion a year. A portion of that involves ransom payments to cybercriminals who digitally hold computers hostage. Ransomware, a type of attack that involves remotely encrypting hard drives and demanding money in exchange for the key, has become the favorite tool to attack Canadian systems. That is what happened to a Québec municipality in September, which had no other choice but to pay bandits $30,000 after two weeks offline.

Similar attacks this year left two Ontario towns locked out of their own servers. City officials had to pay thousands to get them back, prompting the police to issue a warning to local governments. In the United States, two major cities, Atlanta and Baltimore, had their servers hacked this year, rendering many vital services such as 911 dispatch and the local courts out of commission.

These are not isolated incidents. Ajay Sood, the general manager of Symantec Canada, told Global News “It’s a small percentage of what’s being reported, a smaller percentage of what’s being detected and an even smaller percentage of what’s been occurring.”

Politicians who are unaware of or overlook cybersecurity are putting everyone in danger.

Inertia Exacerbates Risks

Outdated systems make the problem worse, as experts detect security holes on a daily basis. In 2014, Québec authorities had to push back the date for personalized license plates until 2017 because the existing computers were 35 years old and needed $4.5 million worth of updates.

Some Quebec provincial offices still use the vulnerable Windows 2000 operating system and spend millions on extended warranties. Quebec also lags behind its peers; the Canadian region spends the lowest proportion of its budget on IT security.

Even though political capitals are the prime targets, local governments are increasingly attractive for hackers. These smaller localities hold valuable data yet are poorly prepared to detect and fend off attacks.

The potential damage of neglecting cybersecurity can be manifold: loss of records, temporary shutdowns, costly recoveries, and erosion of trust among citizens. Further, failure in local-government services can have a greater impact than distant federal agencies on the quality of people’s lives.

A survey has revealed that Canadians are overconfident and poorly informed about their cybersecurity preparedness. This is not encouraging. The illusion of safety can be a dangerous ingredient for a disaster, especially as the 2019 federal election approaches. NATO has warned Canada to prepare for foreign meddling, as has become standard practice for Chinese and Russian agents.

Antivirus and firewall software is not enough, even for small towns that believe they are an unlikely target. Cyber attacks nowadays affect governments at all levels and come not just in direct hacking, but rather as clever social-engineering techniques designed to exploit human flaws.

Most ransomware infections occur after someone is deceived to click on a link themselves. Education and awareness must be the cornerstone of any cybersecurity strategy. Training employees to identify deceitful e-mails, maintain secure passwords, and report any suspicious activity is key. Hiring an external firm to conduct a security audit, albeit expensive, will identify many vulnerabilities and avoid losses in the future.

Likewise, at least having a regularly updated backup offsite will help with the recovery if everything else fails.

This is just the start to addressing today’s issues. Cities, large and small, are constantly investing in new technologies such as cameras and public WiFi zones. Cesar Cerrudo, cofounder of Securing Smart Cities, argues that “the more technology cities use, the more vulnerable to cyberattacks they could become.”

Cities Must Ask for Help  

A report from the Centre for International Governance Innovation proposes a network of collaborating online-security stakeholders. In “Cyber Scaffolding: Proposing a National Organization to Support the Canadian Economy and Public Safety,” Timothy Grayson and Brian O’Higgins argue government should forge private and nonprofit partnerships. Officials “lack the specialized cybersecurity ‘business’ knowledge to intelligently match the speed of change.” They all too often end up “addressing yesterday’s problems.”

A cybersecurity department in every small town is not feasible due to budgetary constraints, but city officials can and should reach out to existing agencies and law enforcement at the provincial and federal levels.

The recently launched federal Canadian Cybersecurity Centre, “a single unified source of expert advice, guidance, services and support on cybersecurity for government, critical infrastructure owners and operations, the private sector and the Canadian public,” seeks to offer cities with much-needed assistance.

Where possible, however, city officials should look to nearby universities and private consultants. Non-government actors can offer a valuable hand that is less tied up with the usual red tape and political animosity.

Banks, hospitals, and firms of all sizes have all learned the lesson the hard way. Cities are next. They should adapt to the new era and be prepared: it’s not a matter of if, but when, they will be attacked.