Abuse of the Internet by countries, criminals and terrorists is only going to increase until governments draw a line in the sand, Canada’s former national security advisor told a conference on Tuesday.
“Cyber will continue to be a major, major issue in part because we haven’t found a way to articulate how dangerous it is and what we can do about it,” Richard Fadden said at the second annual Urban Security and Resilience Conference in Toronto.
Every individual, organization and government is under threat from online attack, he said. “We need to find a way to deal with this. If Canada wants to do anything, we need to find a way to leverage what we want to have happen.”
Fadden, former head of the Canadian Security Intelligence Service (CSIS) and a security advisor to two Prime Ministers, said the major threats the country faces include terrorism; aggression by Russia and China; the West’s inability to make commitments and cyber (including cyber crime, propaganda and terrorist recruitment).
Unfortunately, he said, getting Ottawa – or companies — to act isn’t easy because Canadians don’t see themselves under threat. But if they want to convince politicians and corporate leaders of the problems he called on those at the conference – executives, incident responders and disaster recovery officials – to talk clearly to those in power.
“It’s not good enough to be a technical expert in counter-terrorism or dealing with cyber threats. You have to be able to put issues in context, use langue they understand so they will do what you suggest in dealing with those threats.”
“If you cannot convince your government and your population you have an issue, they’re not going to spend money and effort to resolve it.”
Fadden also admitted governments have to do more. “Until governments are willing to open up a little bit more about the [cyber] threats and how serious threats are we’re at a disadvantage.” In addition, “the C-suite has to be as concerned about cyber protection as protecting their financial information and resources.’”
However, he also said both the public and private sector should share lessons learned after a data breach. “The key is to tell people, ‘An organization similar to yours has gone through this, and if had done just a little bit more the problem would have been solved.’”
How to deal with these problems? Excluding dealing with certain nation states, which he suggested is largely a diplomatic problem, “the West not good at putting ourselves in the heads of those we’re trying to deal with. We just think of them as bad guys … but if you’re going to deal with terror or cyber or urban resilience you have to put yourself in head space of the people who are causing the problem you’re trying to deal with. I don’t think we’re particularly good at that.”
“We tend to underestimate our adversaries … People who undertake cyber attacks or planning acts of terrorism are not idiots. In fact some of them are very bright. They benefit from having no absolute values or restrictions on what they can do,” and they make decisions quickly. By contrast “in the West today we’re very slow at decision-making. The only time we move swiftly is when there’s a significant crisis.”
In particular, Fadden worries about what some countries are doing online. He cited attacks on Ukraine’s power grid in 2015 and 2016, attributed to Russia, distributed denial of service attacks or the changing of information in government or corporate databases. We haven’t decided if these are acts of war that justify retaliation, he said — but wondered how Canadians would feel if we lost electricity in February. “We need as a society to work through what it means, never mind coping with it when it happens.”
“The other depressing thing is it’s not only countries that can do this,” he added, but other groups as well. “This is a significant issue for military and defence departments right now,” he said, adding governments need to speed up their decision making about dealing with such attacks.
For Fadden, what he calls cyber propaganda –including using the Internet to recruit terrorists — “is the most insidious cyber threat because it’s not always visible.”
We have to talk about finding ways of countering those who turn to violence, no matter how they do it, he said. “One of the difficulties dealing with cyber is it hasn’t yet been internalized as a significant issue” by Canadians.
Meanwhile it’s “pretty clear” Russia attempted over the Internet to influence recent elections in U.S. and France. “We have to be careful how we condemn this,” he added. “When the West was doing it (interfering in other countries) we thought we were doing it for good reasons … But it is not a good thing and I suspect we’ll see more of it.”
He worried that the world is breaking into spheres of influence, with Russia and China setting parameters around countries near them, while the U.S. appears to be withdrawing from the world.
“We need to decide where to draw lines of the sand,” he said of Western nations, complaining these countries are more concerned about human rights than security. “We need to find a balance.”
He doubts there will be another world war, but said the “possibilities for regional conflicts and mistakes are much higher than two years ago … All of this requires caution and care, clear objectives and an indication of our limits of tolerance of what we’re prepared to put up with.”
Sessions at the three-day conference are dealing with cyber and physical threats to cities.