Cyberattacks on public networks are becoming more common and more advanced. If the public sector doesn’t up its game soon and develop better responses, major systems like electricity, water, and transit could become more frequent targets.
The latest cyberattack spectacle is a ransomware attack against the Toronto Public Library (TPL). Residents can no longer access the digital catalogue or other online library services. Librarians have reverted back to checking out books by hand. The public computers—which, if we’re being honest, is the main draw for many library patrons these days—are offline. It’s also believed that employee data was compromised.
It happened at the end of October and for weeks people had been asking when the system would get back up and running. The other day the TPL answered that question. The answer wasn’t great: Sometime in January. That’s when the online system for the 100 branches in Canada’s largest city will begin to go back online. And that’s just the beginning of the reboot. It will take longer to get the whole thing going again.
It’s worrisome that a city service can be taken down by hackers for several months.
“Public library networks are at high risk because of their large exposure to relatively unsecured access by very large numbers of public users,” explains Christian Leuprecht, distinguished professor at the Royal Military College of Canada. “This attack shows the disruptive potential of ransomware and other malicious actors to networks in general and public networks in particular.”
Here’s how the library is explaining the long repair timeline: “Given the complexity and magnitude of this task involving TPL’s data centre and computers across 100 library branches, and the interconnectivity of our systems, we anticipate the restoration of library services will take several more weeks.” They then add: “We recognize that this is a long period of time without full library services, but this is considered an aggressive timeframe within the context of such an attack and the experience of other institutions in similar circumstances.”
We shouldn’t be satisfied with that answer. And not because we can’t bear to wait a few more weeks to browse for books on an online catalogue. We shouldn’t be satisfied because in today’s tech-savvy environment, a major municipal government should be able to call on experts who can get a handle on this situation in a much shorter time frame. It doesn’t bode well.
“Imagine if this had been the Toronto Transit Commission or another critical infrastructure asset,” adds Prof. Leuprect, a senior fellow at the Macdonald-Laurier Institute. “Would it be tolerable for a system to go down, let alone for months on end? Who is being and will be held accountable for a failure that appears to be entirely on TPL’s side? Should we find it acceptable for the largest public library system in the country to go down for months? Let alone have sensitive employee and other data exposed?”
These are great questions. They’re urgent ones as well.
The library also says they’ll be working to enhance their security systems, which suggests they didn’t previously have every security protocol in place that they could have. We should hope that critical infrastructure departments run by our cities, like transit and water treatment, take these issues more seriously and have far superior security protocols than the library. We can’t bank on hope, though.
It was only earlier this year that the Biden administration in the United States announced a national cybersecurity strategy to improve standards at critical infrastructure sites across the country.
The motivation for the White House came after they observed a number of alarming cyberattacks in recent years, including a 2021 attack on a Florida water treatment plant. The attack digitally increased the levels of lye in the water, which could have quickly turned deadly had a worker not promptly detected it.
The White House realized that too many facilities have their guard down.
These are the sorts of threats we’re facing. They need to be taken seriously. We can’t sit back and wait to respond after the fact like TPL has done.
A library today, our water systems tomorrow.
