Ransomware reared its ugly head many times this year, but as the barrier to entry for deploying ransomware becomes frighteningly low, experts are warning that municipalities are becoming increasingly vulnerable.
While the average ransomware demand dropped to only about CA$650 in 2018, ransoms in the ten and hundred thousand dollar-range are still popular.
That’s why local governments remain attractive targets – there are hundreds of thousands of them, they’re government funded, and they’re easily convinced to pay up because the alternative is often much more costly.
Attacks on Wasaga Beach, Ont. and Midland, Ont. last year both came with initial ransom demands in the six-figure range. According to the Canadian Internet Registration Authority, the full cost of recovery was estimated by both municipalities to be approximately $250,000 each.
Ontario municipalities such as Stratford, The Nation, and Woodstock, alongside three separate hospitals in Eastern Ontario, have all been hit by some type of ransomware in 2019. These are just the ones we know about.
The absence of that data is one of the biggest reasons why the problem persists across Canada.
“Canada is in a good position looking after its federal security systems, but outside of the federal area, it’s a mixed bag,” David Masson, Canada’s former senior manager for Public Safety Canada and the current country manager for Darktrace, told IT World Canada. “We don’t really have a full grasp of the threats Canada is facing coast to coast. Part of that is because we don’t have a proper reporting mechanism in place.”
José Fernandez, a malware expert at Montreal’s Polytechnique engineering school, says provinces deserve some of the blame.
“There has been a lack of leadership at the provincial government level when it comes to supervising, establishing standards, or even checking over the shoulders of municipalities from time to time,” he says.
Ransomware has quietly been wreaking havoc on municipalities for years, but incidents were largely unreported and swept aside, making it difficult for both the public and private sector to accurately track the silent devastation.
Considering the significant financial damage facing municipalities nation-wide, Fernandez says he’s surprised about the lack of action, but did acknowledge some recent action taken by the federal government.
Last November the federal privacy law covering the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA), made data breach notification and reporting mandatory.
The federal Office of the Privacy Commissioner of Canada has already seen a four-to-five times increase in the number of breaches reported to its office since mandatory breach reporting came into effect, according to the Underwriter, but details are scarce when it comes to the specific nature of those breaches and where they occurred.
Numerous municipal associations such as the Association of Municipalities of Ontario (AMO) and the Federation of Canadian Municipalities are now taking a more active role in educating their members about cyber risks. The AMO, for example, has begun collecting and sharing information on the data-paralyzing menace – citing a lack of urgency at the provincial level when it comes to cybersecurity.
“AMO has also been urging the provincial and federal governments to work closely with municipal governments to help protect governments from cyberattacks, and to help public services weather attacks with less disruption,” AMO president Jamie McGarvey told the Star earlier this summer.
Greg Young, vice-president of cybersecurity at Trend Micro, says there’s a growing sense of urgency among elected officials surrounding ransomware, but for years, it’s been mostly a non-issue.
“When ransomware started to become an issue, it wasn’t at the top of the agenda for elected officials to suddenly allocate funding towards cybersecurity or to prioritize the issue. It’s often going to be a grassroots measure coming from the IT staff itself,” he says.
People are ‘overwhelmed’
Until municipalities can develop and maintain strong preventive measures – on a budget, no less – the number of reported security incidents is bound to increase, says Masson.
“Cyber hygiene is not a part of regular human life yet,” he says. “That scale of threat we’re facing is too much in terms of quantity, too complex, and it’s starting to move at machine speeds. Human beings are simply getting overwhelmed.”
Public officials are starting to agree.
After the city suffered its own ransomware attack in April, Stratford mayor Dan Mathieson said Canadian municipalities are “sitting ducks” for “cyber terrorists”.
It’s no different in the U.S. where even large cities are struggling to combat ransomware.
Baltimore officials recently voted to transfer $6 million from a fund for parks and public facilities to help pay for the devastating impact of the May ransomware attack on the city. According to the U.S. Department of Health and Human Services Office for Civil Rights, there are currently 550 breaches reported within the last 24 months that are currently under investigation by their office. In October alone, U.S. healthcare providers reported 18 separate data breaches. The FBI has described ransomware as an epidemic.
Ransomware-as-a-service campaigns now allow individuals and groups to deliver massive blows to municipalities – and private organizations – despite a complete lack of technical skills.
Trend Micro’s Midyear Security Roundup report indicates a steep increase in overall ransomware detections from the second half of 2018 to the first half of 2019, although the number of new ransomware families declined.
“A few attackers who make up a large part of the ransomware market have focused on a weak link, that weak link being municipalities,” says Young.
Earlier this month, the Canadian Centre for Cyber Security issued a country-wide alert about Ryuk ransomware, noting it was “affecting multiple entities, including municipal governments and public health and safety organizations in Canada and abroad.”
Ryuk goes beyond simply encrypting data – recent variants also include the ability to exfiltrate it.
Ontario’s top cybercrime cop issued a strong warning to infosec pros recently about the devastating impacts of Ryuk and says that there are still municipalities that think ‘I’m too small’ to be hit by ransomware.
But even large cities are dragging their feet.
Absence of CISO in Toronto until now is ’embarrassing’
In July, Beverly Romeo-Beehler, Toronto’s auditor general revealed that two city agencies were attacked by ransomware. In both cases, computer systems were compromised and the incidents were not communicated to the chief information officer – who at the time was Rob Meikle – due to an absence of protocols allowing the CIO to have jurisdiction across those agencies.
While the ransomware attack didn’t impact Toronto’s corporate backbone, Romeo-Beehler issued a stern warning to the city’s IT officials to accelerate the development of notification protocols and other steps to improve the city’s cybersecurity posture, adding Toronto’s system was still vulnerable.
She issued another warning last week.
In addition to hiring a managed security services provider at the end of July to perform penetration vulnerability testing and supply 24/7 support, Toronto is planning to hire its first chief information security officer (CISO) to perform real-time analysis of immediate threats, stay on top of emerging cyber threats, and implement programs that mitigate internal risks.
The introduction of a CISO would have been great news 20 years ago, according to Fernandez. Such an announcement in 2019 is “embarrassing”, he told IT World Canada.
“This is very, very, bad. I’m shocked,” he says in a phone interview. “I would not have expected a major city in North America to be in that position.”
Even the city’s chief technology officer, Lawrence Eta, says the introduction of a CISO took too long.
“It’s something that the [auditor general] has called out for a while. Yes, it’s taken longer than it should have…we certainly would have liked to accelerate it faster,” Eta told the publication during an interview in August.
Lakshmi Hanspal, global CISO for Box, said she’s seen knee-jerk hiring moves made in the past by organizations that were falling behind in cybersecurity.
“When that happens my antennas go up right away,” she says. “A question that then pops up is ‘Are they just looking to hire a scapegoat?’”
Upon closer examination of the job posting on LinkedIn, Hanspal says she’s confident the city is on the right track, but it’s too early to know for sure.
“They’re asking for someone with strong business acumen combined with the necessary technical experience,” she explains, suggesting this is crucial when it comes to articulating the impact of cybersecurity on the city’s workloads and business operations to city managers.
But in the healthcare space specifically, Ed Rodriguez, vice-president of sales and general manager of Citrix Canada, says he’s noticed a disturbing trend even when the right leaders are in place overseeing security and privacy.
“There are people within the healthcare industry, at the security and compliance levels, that fully understand what their requirements and regulations are…but over time we’ve seen that when these officers roll out a system that is too onerous on the security side, it leads to physicians and caregivers having a lot of difficulty accessing that system,” he says. “As a result, their capability to deliver care in a timely matter goes down, and they become frustrated with the interactions required for the technology.”
And when this happens, doctors sometimes take shortcuts. Patient data is shared across personal email addresses, and people revert back to a paper-based system, leading to a confusing combination of paper trails and digital records.
“When you introduce new tech and electrical medical records and all the necessary security measures to restrict access to the right individuals, you’re dealing with authentication. Now instead of walking into a patient room and picking up a folder, you’re dealing with a username, a password, finding patient records. Now those records aren’t even in my hand, that information is sitting on the screen in the far corner of the room,” explains Rodriguez. “And as you can imagine, a lot of the folks who are providing the highest level of patient care have been in the industry for a very long time. So adopting new tech is obviously not going to be as swift as it is for younger generations.”
But experts – and the data – all agree on this: Just like private sector workers, public sector employees often click on stuff they shouldn’t and a lack of training may be at fault.
Workers aren’t getting the training they need even though they’re asking for it
While hackers are sometimes successful at penetrating systems with brute force, they often rely on people clicking on things they shouldn’t.
A survey from security firm Scalar Decisions’ says 60 per cent of respondents receive no cybersecurity training at all from their employer. The survey reached out to 1,550 Canadian employees. Fifty-five per cent of respondents who don’t currently receive cybersecurity training want some.
The problem extends to the healthcare space as well.
Kaspersky research says Canada is behind on cybersecurity training in healthcare when compared to the U.S. Over 24 per cent of respondents in the U.S. noted they had never received cybersecurity training but should have, compared to 41 per cent of respondents in Canada when asked the same question.
Is there hope?
In addition to the federal government’s efforts to establish a strong baseline across small businesses in Canada, municipalities are beginning to take matters into their own hands.
The Canadian Cyber Threat Exchange said it has created a special pricing model to entice local governments, hospitals, and institutions of higher education to join the not-for-profit data exchange and participate in newly set-up private sector discussion forums.
Earlier this month, James McCloskey, manager of network and information security for the city of London, Ont., pitched local government officials on an idea that would allow them to share their security assessments of tech products with each other without getting sued by vendors for possible violating non-disclosure agreements at the annual security conference of the Ontario wing of the Municipal Information Security Association of Ontario.
While one can’t say that local governments are winning the fight against ransomware, it’s safe to say that most have finally bought into the idea that it’s not a matter of if, but a matter of when.