Canadian police officers are barely holding the line against hordes of cyber-criminals, state-sponsored cyber-spies and shadowy freelancers who fit somewhere in between. And with money, training and resources in short supply, our cops risk losing the fight.
In a report released this week by the Centre for International and Defence Policy at Queen’s University, co-author Ron Deibert, a professor of political science at the University of British Columbia and director of the Canada Centre for Global Security Studies at the University of Toronto, argued that Canada has made only a belated, half-hearted effort to address cyber-security.
“The Canadian government is late to the cyber-security arena, and only recently released a cyber-security strategy in the fall of 2010,” he wrote. “It devotes relatively few resources to the problem, does not fully address the division of appropriate institutional responsibilities, and only barely nods at the importance of a foreign policy for cyberspace.”
In an interview, Robert Beggs, CEO of Digital Defence Inc
., a Burlington, Ont.-based security firm that works with enterprise clients, agreed and says if Canadian companies get hacked, they’ll find it a lot harder than their U.S. counterparts to get law enforcement help.
“If you’re a citizen of the United States and you’re a company, and you say, ‘I think I’m under cyber-attack,’ you can call up specialist police elements that deal with that type of threat,” he says. “In Canada, we are significantly under-staffed for law enforcement.
“They lack the training, they lack the tools. And the cyber-defence centres in Canada will only talk to you if you’re a member of critical infrastructure. There is nothing else if you fall through that crack.”
Sergeant Paulo Batista, of the Ottawa Police high-tech crime unit, says that, as it stands, the resources available to police for prosecuting cyber crimes are “extremely limited.”
Nevertheless, he says, any victims of a cyber-attack in his jurisdiction shouldn’t hesitate to call the cops. “Even if we’re not able to do something, the awareness is important to us from an information and intelligence-gathering point of view.”
Beggs says the amount of money the federal government is spending on cyber-security — $90 million over a five-year period — is “clearly inappropriate” in comparison to other liberal democracies around the world, such as the United Kingdom, “which budgets more than $1 billion in the short term.”
When contacted by ComputerWorld Canada, Jessica Slack, a spokeswoman for Public Safety Canada, responded to criticism of Canada’s cyber-security strategy in an e-mail by stating that the $90-million dollar investment, plus an additional $18 million in “ongoing funding,” will in fact “allow the government to take concrete action to meet the evolving cyber threat.”
Batista says his organization, like many other police forces, is perpetually understaffed and underfunded. But at the same time, he appreciates that the government is facing budgetary constraints.
He says his field of law enforcement, by its very nature, can be very expensive to run: “Little things such as forensic courses for the computer investigators I have, they start at $3,000 to $4,000 a pop, for a three-day course.
“And the expertise is down in the States. So that means I’ve got to get an investigator on a plane at a hotel for X number of days, out of the office, to deal with stuff at a substantial rate. I’m looking at, for one course, somewhere between $5,000 and $10,000 to get the person qualified on that certification.”
While it may sound like a lot of money, he says, “Ninety million dollars would have very minimal impact on what we do. Our computers alone run $8,000 to $10,000 a pop. If we have four investigators, you can see the math adding up rather quickly.”
But Beggs says Canada’s strategy is failing in more than just this respect. More money would certainly help, yet he contends that Canada could also introduce better laws to combat cyber threats, as other countries around the world have done.
“For example,” he says, “New Zealand has put in deep interception laws, has given the police the legal assistance they need to pursue cyber-criminals and are aggressively pursuing them. Now, that’s not really a money issue as much as an enablement issue.”
Batista says the ability of a police department to pursue online outlaws operating on a global scale is very much dependent on the nature of the foreign governments they have to co-operate with. Countries from the former Soviet Union, for instance, “are still very close-mouthed and closed-door with reference to criminal offences,” he says.
In some of these cases, he adds, “the chances of a successful prosecution are next to zero.”
The line between cyber-espionage and crime is also sometimes hard to discern, opening up the question of which agencies should be in charge. China is often accused of being directly involved in cyber-attacks on foreign governments and corporations, or at least of indirectly sponsoring the attacks. Sometimes the attackers are after military or industrial secrets, but in other cases they’re working on behalf of companies trying to get an edge on their competition, says Beggs.
And we shouldn’t forget that there are plenty of threats closer to home, he adds.
“A lot of the espionage we’re seeing is actually one business competitor against another business competitor,” he says. “I’m seeing law offices right now, for example, where one law office has targeted computers in another Canadian law office in order to gain access to obtain information pertaining to an upcoming court case.”
“I had one construction company, a contractor, actually place a key logger with remote access onto the computer of an administrator of a competitor so that they were under-bidding. They were under bidding by a couple hundred dollars on contracts that were worth close to $1 million and they’re winning because, hey, they’re coming in at a couple hundred dollars under.”
But the real losers in this game, unfortunately, are often the police departments, says Batista.
“The nature of the business we’re in is we consume money,” he says. “The bad guys make money. So we’re always going to be at a disadvantage.”
“I would love to have an endless supply of money. No doubt about it. But my coffers are limited to an X amount of money a year and I’ve got to create my investigations around what is offered financially.”
When it comes to cybercrime, he says, police have to set priorities. “It boils down to a triage of where resources are best used.”
For example, he says, at any given moment in Ottawa, there could be 1,200 to 1,500 pedophiles prowling the Internet in search of child pornography. “It’s a complicated ethical issue,” he says. “Are the child molesters the ones we should go after first? Is it the guys who are doing the multi-million dollar frauds? Is it the guys who are defrauding Ma and Pa at home of their savings?
“There’s no end to where money could go for a good cause. You just have to decide which one you’re going to pick today.”
Brian Bloom is a staff writer at ComputerWorld Canada. You can find him on Google+. He covers enterprise hardware and software, information architecture and security topics.