Opinion

Purse & Mathieson: Canadian cities are only one cyberattack away from catastrophe

Purse & Mathieson: Canadian cities are only one cyberattack away from catastrophe

The following first appeared in the Ottawa Citizen on January 20, 2025.

It’s not about if but when a cyberattack will occur. Provincial and federal governments must create a strong municipal cybersecurity action plan to protect critical infrastructure.

Cyberattacks against Canadian municipalities are increasing and directly affecting the lives of millions of Canadians.

While federal and provincial authorities have stepped up investments in other areas of cybersecurity, support to municipalities remains alarmingly low. With so much at stake, provincial and federal governments must partner with municipal leaders to build a comprehensive cybersecurity strategy that shields essential infrastructure from severe attacks.

Consider this scenario: One Monday morning, you get a call from your mom. She has severe stomach pains. You were at her place last night for a family dinner and feel iffy. You take her to the hospital. When you get there, it’s chaos; several people have similar or worse symptoms.

In the subsequent investigation, the local public health officer finds high chemical levels in the drinking water that were attributed to a cyberattack on the water system chemical controller. The town’s water must be shut down, affecting the entire population and hundreds of businesses.

Could this happen? Yes. The scenario above is modelled on a 2021 Florida incident in which a hacker tried to poison the water system. The Canadian Centre for Cyber Security’s recent National Cyber Threat Assessment reveals that they are “aware of over 100 cases” of cyber threats targeting Canadian municipalities since 2020.

Even with ransomware attacks, human costs are seldom tallied, and the financial costs are passed on to taxpayers. Municipalities also manage critical infrastructure like water treatment, power distribution, emergency services, traffic control, and healthcare. They have adopted various technologies to help manage, monitor and operate these critical systems to provide better services to the public.

While there are regulations that guide their operation, these have not kept pace with the technology or the threats.

Most municipalities want to prevent disasters. However, they struggle to find public interest in investing taxpayer dollars in security when there are many other pressing concerns, such as housing, health care, policing and emergency services.

If cybersecurity needs to compete against these other issues, support for even limited cyber investment will be tough —  that is, until such a disaster happens. And if it does, no amount of regret will be able to fully alleviate the impact on those affected.

Like the Florida scenario, we have the shadow of the Walkerton tragedy to guide us. The consequences of inaction are enormous.

The only justification for action should be the potential human costs, but there is often the argument about the financial costs and the strain on the already burdened taxpayer.

What we rarely hear, however, is that the total of post-incident costs is usually many times that of preventative measures that could have protected the organization from the attack.

For example, the cost of a 2024 ransomware attack on the City of Hamilton has already exceeded $7 million, which will directly impact the ongoing provision of public services. Therefore, taxpayers pay far more if preventative measures are not taken. Municipalities need to implement a robust cybersecurity strategy. But what would that entail?

At a minimum, it would ensure that all Canadian municipalities have the expertise, funding and resources to implement cyber security best practices that will protect their critical infrastructure, such as training of key staff, risk-based allocation of security controls, monitoring and detection capabilities, protected data, system backups and verified incident response plans.

Those who think this type of event is highly unlikely need only reflect on what happened in Florida and consider the already numerous attacks on Canadian municipalities.

While it is a bit overplayed within the cybersecurity community, there is a common refrain: It’s not about if but when an attack will occur.

Given the risks to public safety and millions of Canadians, provincial and federal governments must create a strong municipal cyber security strategy and action plan that ensures municipalities get the resources and funding they need to safeguard critical infrastructure. The potential consequences are simply too high to ignore.

Randy Purse is senior advisor, Cybersecurity Training and Education at Rogers Cybersecure Catalyst, Toronto Metropolitan University’s national centre for research, training and collaboration in cyber. Dan Mathieson is special advisor, Cybersecurity and Municipal Engagement at Toronto Metropolitan University and the former longtime mayor of Stratford during the city’s major 2019 ransomware attack.

More from the Catalyst