Canadian cybersecurity: making it up as we get attacked

Canada needs a more powerful cybersecurity and cyber defence system, along with better co-operation between federal policing, intelligence agencies, and federal ministries, to thwart growing cyberattacks, says the author of a Canadian Global Affairs Institute report with the provocative title When Empty Promises are Literally Empty: Canadian Cyber-Defence Policy by Ad-Hoc.

Alexander Rudolph told Research Money that the federal Canadian Centre for Cybersecurity (Cyber Centre) lacks the power to counter threats to public and private infrastructure and sensitive data. Nor, he added, is it even using the capabilities that it has.

“No matter how much money that we throw at it right now, not much is going to get done and a lot of money is going to get wasted,” said Rudolph. “There isn't attention to policy coherence and trying to improve the co-operation across the government as, presently, a lot of departments and projects are essentially in conflict with each other. And not much is getting done.”

Public and private movement lacking

He called on Prime Minister Justin Trudeau’s Liberal government to give the centre more authority, as well as appoint a minister of cybersecurity and cyber defence. According to Rudolph, such direct oversight of this and other related federal agencies would unify policy, "because lack of attention and coherence across these departments is what's causing a lot of these problems and the lack of movements to address cybersecurity, not only in governments, but in the private sector, too.”

Rudolph is a Carleton University political science PhD candidate, whose thesis examines how different countries develop, launch, and carry out cyber defence strategies against their adversaries. He also serves as vice-president of the non-profit group, Emerging Leaders in Canadian Security, as well as a cyber defence policy analyst with CFN Consultants, which primarily assists clients in obtaining defence procurement contracts.

“Now, [the Canadian Centre for Cybersecurity’s lack of progress in countering cyberattacks] could be a matter of not enough money or people,” said Rudolph. “But I think it's to do more with its mandate and authorities [i.e. powers.]”

Conflicts weaken cybersecurity capabilities

Rudolph blamed conflicts between the RCMP, Canadian Security Establishment (CSE), Canadian Security Intelligence System (CSIS), and Canadian Armed Forces for a weakening of the country's cybersecurity and cyber defence capabilities. His July report notes that, according to the Department of National Defence’s 2020-21 results report, the CSE has been anointed Canada’s cybersecurity authority.

His report also says the CSE, Canadian military, and Department of National Defence are working together to boost Canada’s cyber-defence capabilities. However, the relationship lacks institutional and legal frameworks.

“Co-ordination is not the same as co-operation,” wrote Rudolph. “It is becoming increasingly important to clarify and codify this relationship as a matter of strategic imperative.”

Cyberattacks on the rise

Meanwhile, cyberattacks have drastically increased since the onset of the COVID-19 pandemic. In particular, a growing number of ransomware attacks pose particular concern for the public and private sectors. In a ransomware attack, a perpetrator delivers malicious code, known as malware, to encrypt and effectively steal data from an individual or organization. A ransom, often in the form of untraceable cryptocurrency, is demanded in return for the data.

One notorious ransomware case was the 2021 Colonial pipeline hack, which caused a significant interruption in fuel supplies to more than a dozen US states and led the targeted company to pay its attackers US$4.4 billion.

Canadian organizations have been victimized in similar ways by large-scale cyberattacks. In October 2021, Newfoundland and Labrador hospitals fell victim to a cyberattack, which stole employee and patient information from three of the province’s four regional health authorities, ultimately cancelling medical services to thousands of residents.

Stephanie Carvin, a Carleton associate professor of international affairs and national security issues, told Research Money in January that signs pointed to the breach being a ransomware attack. But NL Premier Andrew Furey declined to confirm the exact nature of the incident.

Attacks on critical infrastructure

A Canadian Centre for Cybersecurity report noted that more than half of Canada’s ransomware victims were critical infrastructure operators.

A 2021 Canadian Internet Registration Authority survey showed that 69 per cent of Canadian organizations paid ransoms to hackers. According to a Cyber Centre bulletin, the average cost of the known 235 Canadian ransomware attacks in 2021 (from January 1 to November 30) was $6.35 million.

Most Canadian victims (two-thirds) were small-and-medium-sized enterprises (SMEs). About one in four small-business owners have reported an increase in cyberattack attempts in the past year, according to a joint Canadian Federation of Independent Business (CFIB)-Mastercard survey released in March. Almost thee-quarters of respondents expressed more concern than ever about potential cyberattacks.

While the average reported loss is around $26,000, some victims have lost as much as $500,000. Victims have also lost considerable time, along with long-term impacts on their operations and reputations.

CFIB and Mastercard have launched a new CFIB Cybersecurity Academy, which offers training to help SMEs deal with cyberattacks.

“The last two years saw a huge number of small businesses increase the amount of business they are doing online, which has many benefits, but also introduces new risks,” said CFIB executive vice-president Laura Jones in a news release. “It’s critical to make it easy for business owners to protect themselves in this new environment.”

Rudolph praised CyberSecure Canada for launching a certification program through Innovation Science and Economic Development Canada, which will establish “a baseline cybersecurity standard for businesses.”

Government financial benefits would help

It takes staff and infrastructure to maintain effective cybersecurity, however. Rudolph pointed to the example of US creative content giant Patreon as a cautionary tale about how these resources might make easy targets for cost-cutting.

“We recently saw that Patreon, basically, fired their entire security team, and the universal thought is that it's going to hurt them in the end because there's just going to be a greater likelihood of being attacked,” he said.

Such risks, he noted, make a strong case for government support to help SMEs prepare for attacks, rather than trying to respond afterward.

“And at that point, if you're attacked, it's going to cost way more than having a security team. So if the government of Canada can provide tax rebates or actual direct economic benefits for not only investing in cybersecurity, but keeping it, that would go a lot further than having just the CyberSecure program itself, even though I think it's a great program.”

Calling for collaboration

For various reasons, Rudolph said, most cyberattacks go unreported, which means the actual severity of the problem remains unknown. The Trudeau government has proposed legislation, Bill C-26, which would amend the Telecommunications Act to make reporting mandatory, a requirement Rudolph applauded.

“The reputational risk of disclosing that you've been the target of a cyberattack needs to just be accepted,” he said. “That's the general risk. The cyber risk that exists right now is: An attack is going to happen sooner or later and you need to [tell] yourself that, in the event that something does happen, it's okay. Things do happen.”

Rudolph's report indicates Ottawa has budgeted $875.2 million in 2022 for cybersecurity and cyber defence, with $17.7 of that total slated for the launch of a research program between the CSE and academics. Program grants will support work that will remain classified, as well as projects whose results can be published.

He told Research Money that this program's importance lies in promoting such collaboration between members of the public, private, and academic sectors, “because the Canadian intelligence community is well-known for being very tight-lipped."

For. now, however, that community has provided few details on who it will partner with — and what kind of research projects they will conduct.

“So my interpretation is that they're focusing on computer science and [artificial intelligence] and quantum research and missing out on a lot of the great research and work that's being done in the private sector,” said Rudolph.

Private companies are probably ahead of academia when it comes to cybersecurity research, he contended.

“There should be a real proper engagement with research in the industry and industry itself and also with policy,” he said. “That [lack of policy] is the real deficiency in the government right now.”

R$