Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday June 17th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by David Shipley, head of Beauceron Security in New Brunswick, to discuss some of what’s been going on. But first a look back at significant events in the past seven days:
Proposed federal legislation announced this week would give the Canadian government some oversight over the cybersecurity programs of many companies providing critical services. It would also force them to report breaches of cybersecurity controls. David and I will parse this proposed law.
And just as we were recording this show on Thursday the government announced a proposed overhaul of the privacy legislation covering much of the business sector in Canada. The timing will be tight but David and I will have a few minutes to squeeze in some commentary about that.
Linux administrators are being warned of a newly-discovered and hard-to-detect piece of malware. Researchers at BlackBerry and Intezer said the malware infects all running processes in a server. That gives the attacker rootkit functionality, including the ability to steal passwords and install a backdoor to give remote access.
That’s not all Linux admins have to worry about. Researchers at Akamai discovered a new botnet and worm that has been actively breaching Linux servers since March. Dubbed Panchan, the botnet is composed of 209 infected computers, including 82 in Asia, 66 in Europe and 48 in the U.S. and Canada. Targets include telecom companies and universities. Protect your servers with complex passwords, multifactor authentication and network segmentation.
Microsoft issued a security update for a Windows vulnerability called Follina that affects a number of versions of the operating system and Microsoft Office. This vulnerability has been actively exploited since April so the update should be installed as soon as possible, along with other critical updates released this week.
IT departments that use Cisco Systems’ Secure Email and Web Manager appliances have been warned to install the latest security updates. The patches close a major vulnerability that could allow a remote attacker to bypass login authentication and access the web management interface.
And email administrators who use the Zimbra email suite should make sure they’re running the latest version. This comes after researchers at SonarSource of Switzerland announced they found a vulnerability that allows an attacker to steal login credentials. The patch was released last month, so there’s no excuse for not having installed it by now.
(The following discussion has been edited for clarity. To hear the full conversation, play the podcast.)
Howard: We’ll start by looking at the proposed cybersecurity legislation announced on Tuesday. One part is a new law called the Critical Cyber Systems Protection Act [CCSPA]. It will allow the government to name companies as vital services in four critical infrastructure sectors — financial, energy, telecom and transportation. Those companies will have to show regulators they have cybersecurity programs, can mitigate supply-chain and third-party risks, and have to report cybersecurity incidents to the Canadian Security Establishment — which for our American listeners is the equivalent of the combined National Security Agency and Cybersecurity and Infrastructure Security Agency. Regulators will have the power to give the companies orders if they don’t like what they’re doing in cybersecurity. And the companies will have to exchange information about cyber incidents. What do you think of this proposed act?
David Shipley: I think it’s a great first step, and I think it brings telecommunications, energy and transportation up to the same level of cyber security oversight and accountability as the Canadian financial system. And given their importance to our economy, I think it’s entirely appropriate. It sets up some basic cyber security hygiene standards, creates the relationships between experts at the Canadian Security Establishment (CSE) with the regulators for each of these important sectors to advance the state of security — and that’s not a bad thing. And it does provide for mandatory breach reporting by these sectors, which is fantastic. So there’s a lot I like.
But there are also some concerns: It doesn’t require mandatory information sharing from CSE back to stakeholders when they learn about incidents. They do a good job of that today, but it is voluntary. I’d like to see that firmed up a little bit in the legislation so that the insights and lessons learned – that’s the most important thing — when a cyber incident happens we’re telling somebody about: What were the root causes? How can we improve?
When we look at the Europeans’ NIS2 proposal [an EU cybersecurity standard] they’re going beyond just key sectors to any sector that could have a meaningful economic impact. I think about the food supply chain and the JBS Meats ransomware attack. At a minimum, this [Canadian] legislation should have the food supply chain in there because they are just getting hammered with cyber attacks.
But if we step back, the majority of actual attacks are not in these four sectors [telecom, energy, finance and transportation]. It’s far more likely to be subnational entities — hospitals, school districts, municipalities, small and mid-sized businesses who are not covered by this proposed regulation. Senior Canadian government officials indicated in a technical briefing they have the ability to add more sectors to the law, but the intent for now is to see provinces actually draft their own mandatory breach reporting for areas of their jurisdiction. That’s problematic for several reasons: Number one is if each province is going to regulate these other sectors. You could have have-not security provinces. Second, imagine if there are 13 different cybersecurity reporting laws and I get hit but have business across the country. Reporting to all jurisdictions seems like a nightmare. And finally some provinces might have industry write the laws. Well, that hasn’t worked out so well when it comes to things like the right to information.
Howard: The proposed act has some gaps that are going to be filled in after consultations with industry and the issuance of regulations. One of the things it does do is define what cyber incidents have to be reported: Anything that interferes with the continuity, confidentiality, integrity, security or availability of a vital IT system. Is that too broad?
David: It is a really interesting question. There may be some pushback from the industry about scale and significance. Under this legislation theoretically one device hit with ransomware and encrypted might check all these boxes. But is that really what CSE wants to hear, or do they want to hear about more significant outbreaks that have more meaningful impact?
Howard: But the problem is in your example where there’s only one computer in a company that’s been hit by ransomware it may be a unique strain and that company may have stopped the attack from spreading. Isn’t that justification for very quickly notifying the government of that attack?
David: I tend to agree with you. It’s like if you catch a patient zero with a new novel coronavirus — imagine how important to identify [the new virus] and notify others. Little attacks might fit into a bigger picture pattern that CSE may have. So I’m not against this. I think it’s going to have, as a CISO friend said to me when I shared the legislation, this is going to have budget leverage, a financial impact on companies.
Howard: I mentioned that there are some gaps. There are things that the government still wants to negotiate with companies and will set certain standards in regulations. One of them is how fast an incident will have to be reported. Another is how much detail will have to be reported. Those are pretty crucial details missing for a CIO or CISO.
David: Timeline’s going to be important. I think we should match the American required timeline of 72 hours for firms in critical infrastructure. We’ve seen some legislation proposed in other countries that require disclosure within hours of becoming aware. That’s completely ludicrous … But also if it’s a multi-sector attack, a nation-state start of a real big push you don’t want to have a huge window of weeks here. I hope it’s as closely aligned in process and look and feel as the Americans have done, because we are a tightly integrated economy. Many of our companies will probably have to report to the United States as well as Canada, so having different sets of processes is probably unreasonable. That is one of the concerns that’s been raised by some industry stakeholders: ‘We already have to report to our regulator. Why couldn’t the regulator just decide if CSE gets to hear this? Why do we have to create duplicate processes?’
Howard: The regulator who they might have to report to is the privacy commissioner of Canada. But then there’s a different standard. You report to the privacy commissioner if there’s been a breach of security controls on data that would have a real risk of serious harm to a customer or an employee. [As opposed to the CCSPA’s standard described earlier.]
David: Canadian banks have to report to the Office of the Superintendent of Financial Institutions (OSFI), which sets their cybersecurity standards for them. Why not just keep that single process flow and make the regulator responsible for feeding information to CSE? That is one argument.
Howard: One provision in the proposed Canadian cybersecurity legislation says that as soon as any cybersecurity risk to a company’s supply chain or its use of third-party products and services has been identified the company has to take reasonable steps to mitigate those risks. Is that going to cause a problem for IT departments?
David: It gets interesting. When we go back to the SolarWinds attack [where the update mechanism for its Orion network management suite was compromised] think about all these Canadian companies have to report to CSE they got hit. The government has order-making capability. What if it says to companies, ‘Pull it all out’? But IT can’t monitor the network without Orion. The government replies, ‘We don’t care.’ Theoretically, that might happen. Or they might say, ‘Tell us what your plan is to replace it,’ which puts more onus on companies to say, ‘We’ve worked with the vendor they’ve improved their processes. We’ve tightened up our contracts.’ It’ll be interesting to see how it gets applied — if we even ever know how it gets applied. The legislation gives the government the ability to issue completely private security orders.
Howard: But it’s an emergency clause. There’s some logic to saying a company isn’t moving fast enough to plug a hole in its system for whatever reason and so we’re going to issue an order to them to protect the public’s safety.
David: I agree the order-making power is sort of a weapon of last resort. I think the hope is that these companies see it’s in their own self-interest to deal with cyber threats as soon as possible. The part that I am concerned about is the secrecy component. The government can make secret orders to companies to pull equipment, force patches or force changes et cetera. And it’s not to say that there can’t be a secrecy window. But think about Google Project Zero, for example. Google gives a window of time for organizations to get their stuff cleaned up and then they’ll publicly report a vulnerability. This is something when a parliamentary committee reviews the proposed law. It needs revisiting because I don’t like the idea of the government being able to make secret orders without ever having to be publicly accountable.
Howard: This goes back to an old debate: If companies have to notify the government there’s been a data breach or a serious cyber incident, why shouldn’t they notify the general public as well?
David: There has to be an appropriate notification regime, and I think we can deal with that. But when, say, an energy utility gets punched and punched hard it doesn’t necessarily want to give all the gory details out to the public and reduce confidence and trust in the work that it’s doing. There are all kinds of reputational implications and harms that could come into play. So I’m okay with them getting a shield on this one — particularly if we’re talking about one computer. But what’s important on the other side of that equation is what they [regulators] do with the breach reporting. We get the de-identified, anonymized key root causes, lessons learned and disseminated — at least to other energy companies so that they don’t make the same mistakes. Ideally that gets posted publicly again without names so that other industries where it might also be germane can see. Right now in Canada we rely on vendors in the security industry to issue reports, which is okay in some respects but they always do it from their own lens of, ‘You need to buy my thing.’ And I say this as the CEO of a cyber security company. I like the idea of an independent government agency publishing the facts of an incident and the lessons learned and the best practices so you don’t have that vendor lens on it.
Howard: As I said the cyber security legislation package had two parts. The other part amends the federal Telecommunications Act and gives the government the power to ban telcos and internet providers from doing anything that harms their networks. This is the legal basis for the government of Canada to forbid cellular carriers from having network equipment from China’s Huawei and ZTE in their systems. What do you see in this package that would worry telecoms and internet providers?
David: There could be some legitimate concerns. We could be told to pull a piece of equipment for whatever reason and we’re not given any compensation. We made that investment. We made it in good faith et cetera and if we don’t do that there’s a big stick of a $10 million to $50 million fine. It’s an awfully big stick. I’m not sure what the checks and balances are. [Editor’s note: Telcos can appeal to a judge.] Given the critical role they play having the telecommunications industry with additional regulatory oversight relative to cyber security makes sense. But a little give and take here, particularly if you’ve got a government that maybe didn’t give clear direction or the geopolitical situation may have changed in radical ways that no one could have seen. I wonder if that will get some sober second thought as [Parliamentary] committees get to dig into things.
Howard: We had a quick look at the proposed privacy legislation that was introduced only hours before we started this recording, but to me it looks awfully similar to the original version. That didn’t pass Parliament before the election was called last year. What do you think of it?
David: We desperately need modernized privacy legislation in Canada with real accountability for firms that are abusing people’s personal information. This is a good step. [Right now] we’ve essentially got paper tigers with our federal privacy commissioner. We look back at things that have happened with social media companies like Facebook or the Cambridge Analytica case, or we think about the stuff that was going on with Clearview AI, we’ve had the essential consequence of a stern finger-wagging for serious violations of privacy. This [new legislation] does move the bar. I particularly like the improvements they’ve made that data involving children is particularly sensitive and additional rigor around [protecting] that. What’s disappointing about this legislation, both its original version and its re-introduction, is we were the pioneers in Canada in privacy by design … and that framework isn’t apparent in this legislation.
Howard: One of the things that both the first attempt by the government to reform the privacy law and this new attempt includes is the creation of a data privacy tribunal that will review the recommendations by the federal privacy commissioner to issue fines for companies that don’t comply with the privacy legislation. In England, for example, the privacy commissioner has the power to issue a fine. The Canadian legislation creates a tribunal. The privacy commissioner would only have the power to recommend fines — and admittedly they’re multimillion-dollar fines. But it would be up to the privacy tribunal to actually approve fines. The previous privacy commissioner complained this is an extra step and it just drags out the whole process.
David: This comes down to whether you trust your privacy commissioner to do their job, which is to investigate and then to impose consequences. I think that’s a clearer signal. I’d rather have you hire a privacy commissioner, you empower them with a team, make sure they’re applying the law as you’ve written it and they do their action — and companies can appeal to the courts. A tribunal is unnecessary.
Howard: I’ll play the part of business: ‘I don’t want a bureaucrat, an appointed person, to act as judge and jury — he judges me on whether I’ve complied with the privacy law, and then he fines me.’
David: ‘But I would like three more bureaucrats [in the tribunal] to be on top of that bureaucrat.’ You’ve got the privacy commissioner and then you’ve got the courts [to appeal to], who are professional legal experts and arguably would probably be better for you overall in applying law than a tribunal appointed by the government who aren’t judges. If you really want accountability and oversight over this office, do it through the federal court.
Howard: One thing to remember is that the Liberal government is in a minority. These pieces of legislation need the support of a big enough opposition party to pass. So there’s no guarantee they’re going to become law [without changes].
David: I don’t see philosophical opposition to the privacy legislation or even the cybersecurity legislation from the key party that’s propping them up, the NDP. I think the Conservative Party will want to dig into the business impacts on the privacy law and how that’s going to affect the Canadian economy. I think one of the most important questions that probably needs to be asked is if this law isn’t up to snuff for the European equivalency [under the General Data Protection Regulation]?
Howard: I would expect that the government has had informal conversations on the wording of the proposed privacy legislation.
David: I certainly hope so.