This is part five in a five-part series independently produced and investigated by Spacing
The Toronto Public Library’s chief librarian, Vickery Bowles, sat down for an extended virtual interview with Spacing‘s senior editor John Lorinc to share her perspectives and experiences of the ransomware attack. The interview transcript has been edited and condensed.
Spacing: There was a fairly sharp warning about cybersecurity risk from the Auditor General in 2021. I wanted to get a sense from you about how the library responded to her warning and her subsequent warning, which was issued a year later, and was directed to TPL and a couple of other agencies.
Vickery Bowles: We were delayed in responding because of COVID. We were all focused on that, but we did respond. We’ve completely complied and cooperated, working very, very closely with the [Office of the Chief Information Security Officer, CISO]. They have a confirmation program. We do answer various surveys and questionnaires and have discussions our IT staff with the CISO office so they understand our security environment and technical environment.
Spacing: Can you tell me a little bit more about some of the issues that have been flagged?
Vickery Bowles: We had a digital strategy, which was approved by the Board in 2021. And within that, cybersecurity was a priority. We had a security roadmap and not all of that security roadmap was public because it would compromise our security position. We had made a lot of progress on our digital strategy and security roadmap [prior to the attack]. If there is a silver lining with this cyber-attack, it has provided us with an opportunity to accelerate that process because of the rebuild that we’ve done of our technical environment.
When we worked with Gartner in developing the digital strategy in 2021, we were identified as being at the `developmental stage’ in terms of our [cybersecurity maturity model] and but that was very typical of a public sector institution. Since all of the changes we’ve made, we have not gone through the formal assessment process to determine where we are in terms of our that developmental framework, but we know we are more advanced than we were in 2021.
Spacing: Where are you going to be next year at this time in terms of the maturity model?
Vickery Bowles: I’m sorry, I can’t answer that.
Spacing: In communicating to Torontonians who have been shut out of the library system…
Vickery Bowles: I just correct you on that. They haven’t been shut out of the library system. All of our 100 branches have been open. The Wi-Fi has been available. We’ve continued to check out materials, we’ve continued to take in returns and we continue to register people. We’ve provided people with programs. It’s true they haven’t had access to our catalogue and to their accounts and to public computers. But all of our other services have continued and our staff have worked really hard and wonderfully so our services could continue under these constrained conditions.
Spacing: Okay, I’m glad you mentioned that. I take your point. Still, the question is, what assurances can you provide Torontonians that the library’s cybersecurity preparedness will be more robust next year and that it could survive something like this?
Vickery Bowles: I can tell you that we have been working very closely and collaboratively with our cybersecurity third party experts and with various contractors to rebuild our technical environment and make progress on our security roadmap. The cybersecurity experts who did the forensic analysis of the cyber-attack would not have signed off on the work they did with us, and under the guidance of counsel, unless they were satisfied. As I said earlier, there’s only so much we can share because we have to maintain the security of our environment, but certainly the installation of additional security controls, enhanced processes and protocols was a key part of the work we did with our third-party cybersecurity experts and that’s all been put into place.
Spacing: Do they provide any warranty on their work?
Vickery Bowles: No, there’s no warranty. What they’ve said to us is, it’s not a matter of if you’re going to be attacked, it’s when. That was the first thing they said to us. What you have to do is to mitigate those opportunities, which, of course, is what we were doing in any case.
Spacing: Can you talk a little bit about the about the cybersecurity awareness culture within the library? I’ve spoken to people who felt some of the training that began in 2022 was ‘off the shelf.’ Do you think library staff were a bit too relaxed about cybersecurity and what are you specifically doing to change that culture?
Vickery Bowles: The cybersecurity training we have is mandatory. People don’t have a choice, they have to take the training. And [the attack] did not happen through staff making a mistake with phishing. It happened through an Internet-facing server that was infiltrated and used as a way to get into the technical environment.
Spacing: There are statistics in one of your reports about the susceptibility of your staff to spear phishing.
Vickery Bowles: We also have to be on guard completely. That’s absolutely true, and it’s true of the world we live in right now because there are cyber criminals out there. It’s organized crime, and this is what they do each and every day.
Spacing: In December each year, the TPL puts out a “risk register” report. The metrics were changed from 2022 to 2023. Could you explain what was going on there, because it seems from reading the report that more red flags went up in 2023.
Vickery Bowles: We started our risk register [in] 2020, not that long ago. We’ve had a few risk registers and it’s just been part of our evolution. We change things. We have a manager of risk and privacy and she brings a lot of expertise to her role. It’s been part of her job to develop a more sophisticated and advanced approach to measuring risk and identifying mitigating factors.
Spacing: There’s not much detail in your reports, but it would seem there were more red flags raised in in the 2023 report compared to the 2022 report. The question is, what was going on there?
Vickery Bowles: My recollection is that there weren’t more red flags. In fact, I think that our cybersecurity risk was identified as being higher in 2022 and that we lowered [it] because of all the work we were doing in 2023 and 2024.
Spacing: Can you talk about whether TPL has the resources to hire people with cybersecurity expertise, not the third-party consultants, but staff? I’ve talked to people with differing views on whether or not a public sector organization facing perennial budget pressures has the funding to compete with private sector salaries?
Vickery Bowles: We’ve added a number of staff — a manager of cybersecurity and another staff member who reports to him. We didn’t have those positions previously but we do now. We have a CIO, who has a tremendous amount of technical expertise and strategic expertise. We’ve developed this position and added new staff dedicated only to cybersecurity. The other thing I’ll say is that we started [in] 2022 working really closely with City’s CISO office, and they’re tremendous to work with. We get a lot of support, regular notifications about different applications that may be at risk, or where there’s patching required. They come to me directly and I forward them to our CIO and to the head of cybersecurity. It’s a regular part of our operation. Going forward, [the City’s CISO] is going to be doing 24-hour monitoring of the security of our environment.
Spacing: Is there some transfer of responsibilities from TPL to the City?
Vickery Bowles No, it’s not a transfer of responsibility. It’s a new part of the service environment that we’ve implemented. They are going to take on that responsibility of the monitoring because we didn’t have that previously. It’s not unusual not to have it, but it’s something we have implemented.
Spacing: I’d like ask you about the duration of the shutdown. Did the shutdown go on longer because of the acceleration of upgrading the cybersecurity systems?
Vickery Bowles: What makes us different from most organizations is there are three components to our technical environment. Number one, we use it for our business operations. Secondly, we use the technical environment to deliver services to the public. Then thirdly, technology in and of itself is a service to the public. So, there are three buckets, which adds to the complexity of our technical environment, and they’re all integrated. It’s a very sophisticated technical environment and there’s a lot of complexity.
When you go to rebuild, we have our data centre, and in addition, we have 5,000 public and staff laptops and desktops. Each and every single one of those had to be touched. They were all in quarantine. Every single one of them had to be touched in order to go through the cleaning process and then moved to a clean technical environment. We’ve been very thorough. The cybersecurity experts advised us that we need to make sure there isn’t malware in our system, somewhere on a laptop or a desktop. That’s why it’s taken so long.
Spacing: Can you confirm that Black Basta was the ransomware gang that made the incursion?
Vickery Bowles: I’ve been told by legal counsel not to talk about the threat actor, so I really have to abide by that.
Spacing: Let me just press you on this. The British Library has been much more open about what happened when they were attacked.
Vickery Bowles: Yes, I’ve read their report. It’s excellent.
Spacing: I understand that legal counsel is there to kind of mitigate risk. I don’t quite understand why one entity can make these kinds of disclosures and another can’t. You’re in the same business.
Vickery Bowles: Well, we’re operating in a different legal environment. I can’t really answer that. I just know what I’ve been advised. As a public sector leader, I believe strongly in the importance of transparency and accountability. I’ve worked really hard with the communications that we have provided the public throughout this process, and with our staff and with the board, through the public reports and the closed sessions, to provide the best and most accurate information I can.
Spacing: Just two other small questions. TPL did not pay the ransom, correct?
Vickery Bowles: We did not pay them. I’m not going to negotiate with criminals.
Spacing: And at some point, will either the City or TPL reveal the cost of this incident?
Vickery Bowles: The City has covered the cost for TPL. That’s a question for the City. I haven’t seen any invoices. I don’t know what the costs are.
Spacing: Should that number become a matter of public record?
Vickery Bowles: I don’t know. I think it’s important not to give in to criminal activity, and it’s important to maintain the integrity of organizations, especially public sector organizations. I don’t know if giving a number has an impact on making public sector organizations more of a target or not.
The only thing I want to add is that the public has been so incredible and supportive of us. Our staff had been incredible, too. They’ve been worked so hard, long hours, and they’ve developed all these workarounds and they’ve been so positive, even though it was that it was staff data that was has been stolen.
One of the things that really strikes me about this [incident] is that I feel when you attack a public institution, and especially a public library that’s dedicated to intellectual freedom and openness, it’s an attack on the very essence of civic life. We all should be appalled at the number of public sector organizations that have been attacked, particularly in recent months, but particularly when it’s attack on libraries.
Spacing: These attacks are intended to undermine trust in public institutions. Do you think such events should commensurately increase the level of awareness on the part of public institutions to take these threads as seriously as they can?
Vickery Bowles: Yes, they do. I can tell you I’ve been contacted by colleagues from all over North America about this, wanting that wanting to know more. I’ve already spoken with colleagues in the United States, through the Urban Libraries Council. I’ll be doing a presentation with the Canadian Urban Libraries Council. It certainly has heightened awareness in the public sector and from my public library colleagues throughout North America.
Part I: Toronto Public Library ransomware attack: Overview
Part II: Toronto Public Library ransomware attack: Unanswered Questions
Part III: Toronto Public Library ransomware attack: Was TPL adequately prepared to defend itself?
Part IV: Toronto Public Library ransomware attack: Where does the TPL go from here?
Part V: Q+A with Toronto’s chief librarian, Vickery Bowles
