Why London's IT staff say $1M is needed to protect the city from cyber attacks

The City of London could spend more than $1 million to shore up and maintain municipal cyber-defences if a proposed amendment to the budget is approved by council.

The total price tag of $1,009,000 was carefully thought out by city staffers, who say the need was identified through a series of reviews and projects designed to test for vulnerabilities and gauge the City's current security situation.

"Cities across the globe, including London, are seeing increases in the volume, diversity and complexity of cyber attacks," said Mat Daley, the director of information technology services for the City of London.

There have been a number of high profile attacks on large corporations and municipalities in Canada, including in southwestern Ontario.

In April 2019, the City of Stratford was the victim of a ransomware attack, which the municipality paying $75,000 in bitcoin. In December of that same year, Woodstock was also attacked but refused to pay the ransom, spending $667,627 to resolve by other means.  

Ransomware refers to malicious programs that encrypt computer files requiring payment before a 'key' to decrypt the files is handed over to victims. 

While London hasn't yet been victim to a successful large-scale attack, Daley sees the risk increasing every day.

"I'll put it this way. When it's 3:00 a.m. and I'm worried, it's ransomware," he told CBC News.

Other attacks could include denial of service attacks, in which criminals prevent people from accessing a website or service by flooding it with artificial traffic, or malware designed to outright destroy data. One major concern is data loss, and the potential for citizen information to fall in the wrong hands if it is not properly protected, said Daley.

Staff documents show the funding would cost the average homeowner $1.18 more each tax year.  

Municipalities seek solutions en masse

With attacks against municipalities across the country on the rise, and Daley saying the cybersecurity insurance sector not providing accessible coverage, London has been working with the Municipal Information Systems Association (MISA). 

MISA is a pan-municipal cross-country group dedicated to discussions surrounding municipal cybersecurity. It's MISA's role to bring municipalities together and provide education and information with the end goal of ensuring stability and security across the board.

"Medium and larger municipalities are starting to realize how important cybersecurity is to protecting the data of citizens, critical infrastructure, political systems, and so on," said Kush Sharma, MISA's director of municipal modernization and partnerships.

He says a cyber attack can compromise everything from water and waste distribution systems to transportation technology. 

The weakest link

Sharma says cyber criminals can target uneducated staff members, tricking or scaring individuals into downloading and running harmful code on municipal computers, or divulging sensitive information like passwords.

"It's a matter of literally seconds before that thing deploys and starts [encrypting files once it's activated]," Sharma said.

Everyone from the mayor and council, to external contractors and vendors, needs to be taught proper safe practices, and periodically, municipalities need to run simulated attacks, he added.

Not much information is available to the public concerning specific cybersecurity solutions for London. Staff say this is to avoid criminals getting a head start on adapting technology to specific security situations.

Councillors will discuss the budget request at a meeting of the Strategic Priorities and Policy Committee on Jan. 26.