John Moore  

The library started off as the target of a cyber attack, and it’s unclear as to whether there was ever any ransom pay – the library said not and I suspect that’s true. But were there other demands that were made that were either met or refused? Anyway, we don’t know the answers to all of that. But what we do know is that this is a big source of concern for cities in particular. And Charles Finlay is with us, who’s a cybersecurity policy expert at Toronto Metropolitan University, and can help us understand why cities are the targets that they are. Good morning, Mr. Finlay.

Charles Finlay  

Good morning, John, good to be with you. 

John Moore  

Nice to have you too. So why cities as opposed to big corporations? I guess they’re all targets of a sort. But why are cities particularly rich targets for these criminal actors, and we’ll talk about how organized this all is in a minute. But why are cities such rich targets for them to go after and parts of the city administration or structure like libraries?

Charles Finlay  

Well, really, because they’re so important for citizens. And these criminal gangs, these ransomware gangs, as is often the case, can use city infrastructure, municipal infrastructure as leverage to drive significant ransom. So it’s really the importance of municipalities, the importance of the services that municipalities deliver. You think of water, wastewater, 911, fire, emergency police, all of those, all of those pieces, it’s the importance of municipalities and the services that they provide that really drive the vulnerability that they have to cyber attack.

John Tory  

So when you talk about that, and you talk about water, for example, if you think about it for a second [is] an incredibly sensitive area because everybody needs water to live. We rely [on] here and I think, frankly, take for granted. I had the opportunity as mayor to get to understand exactly what’s involved in delivering, safe water, fresh water to people, every morning reliably without fail. But is it possible that somebody who is engaging in one of these cyber attacks could, for example, either take control of or disable the water system, such that it would put into jeopardy the ability to deliver that safe water to people every morning, and every afternoon?

Charles Finlay 

It is possible. We’ve seen attacks of that kind against water wastewater in the United States. There are examples that have occurred, where water, wastewater systems are vulnerable [so] this is a very important issue and a very important concern. And in fact it’s really a part of all critical infrastructure across our society and economy that is vulnerable to cyber attack. Transportation, we’re seeing significant attacks on the healthcare system, financial services of all kinds, communication systems, logistics, so all kinds of critical infrastructure are under attack. And this is a very significant challenge.

John Moore  

So let’s talk about what we can do about it, maybe starting with the sort of, I’ll call it the sort of top level in terms of having people whose job it is to set up defenses and to monitor these kinds of things. What are cities and big organizations like that doing to try to protect themselves in the broader sort of structural sense against this sort of attack?

Charles Finlay  

So really, there’s sort of three categories, there’s people, process and technology. People need to be trained. All people across an organization need to be trained to take the important steps necessary to protect organizations. That includes things like not clicking on links in emails that don’t come from trusted senders, which is often an important vector of attack in terms of ransomware. So, you know, general training across an organization and then of course, specific individuals need to be in place in cybersecurity groups within organizations to protect those organizations, so that’s on the people side and that’s [a] really, really critical process. We need breach response plans in place that are well practiced within these organizations so that the organizations know how to react, who to call and what the steps are that they are going to take when they are the victim of a cyber attack – and they will be a victim of a cyber attack. Then, we come to the technology piece and of course, this is important, but not as important as some might think. We need to have the proper defensive technologies in place to ensure that these organizations are protected. So people, process and technology in that order.

John Moore  

Thank you very much Charles Finlay, who’s a cybersecurity policy expert at Toronto Metropolitan University. Interesting to hear about the threat that is out there, but also the defenses that are being mounted against it so thanks very much thanks very much.