Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, November 18th, 2022. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes David Shipley of New Brunswick’s Beauceron Security will join me for a discussion. But first a quick look at what happened in the past seven days:
The parent company of one of Canada’s biggest supermarket chains is still saying virtually nothing about a cyber incident that started a week ago today. Is silence golden? David will have some thoughts.
A ransomware attack against Australia’s second-largest private healthcare provider is getting the country angry. The government has formed a task force to go after the hackers, and possibly forbid organizations from paying hackers. David and I will discuss whether cooler heads are needed.
And we’ll look at a recent expert panel report on cybersecurity in Ontario’s broader public sector, which includes municipalities, hospitals, children’s aid agencies and education institutions. How much and what kind of help do they need?
In other news, a Chinese government intelligence officer was sentenced to 20 years in prison by a U.S. judge. He was convicted a year ago for conspiracy to commit economic espionage and other offences for accessing aviation-related information of American companies. He would arrange trips for unsuspecting experts to China to give university presentations. But when he took his guests to dinner, Chinese agents hacked the computers left in their hotel rooms.
Swiss police have reportedly arrested a Ukrainian man wanted by the FBI for heading a cybercrime group. Cyber reporter Brian Krebs said the man was arrested three weeks ago in Geneva. He is allegedly head of the JabberZeus gang, which goes after bank passwords of victims. CNN says this week Swiss authorities agreed he should be extradited to the U.S.
A threat actor has compromised over 15,000 WordPress websites. According to researchers at Sucuri, the goal is to redirect unsuspecting visitors to a fake question-and-answer site when they do a search on the compromised sites. Website owners have to regularly scrutinize their code for compromises.
A state-sponsored threat actor is believed to have compromised a digital certificate authority as part of its hacking activities. That’s according to researchers at Symantec. The group, dubbed Billbug, usually goes after organizations in Asian countries. But the researchers worry that the gang can create legitimate-looking digital certificates that could fool any target’s computer system with malware-filled software.
Google agreed to pay US$391 million to 40 U.S. states for misleading users on the amount of location tracking Android did. Users thought turning off location tracking stopped data collection. It didn’t.
Finally, an analysis of websites and applications suggests developers still aren’t writing secure code. Researchers at Synopsys found 95 per cent of the work they looked at had some vulnerabilities. At least 20 per cent were high-risk, and another 4.5 per cent were critical.
(The following transcript has been edited for clarity. To hear the full conversation play the podcast)
Howard: We’re going to start with questioning the communications strategy of Empire Group. It’s the parent company of one of Canada’s biggest grocery retailers. Under its brand are Sobeys, Safeway, IGA and other supermarket chains. Two weeks ago Empire said it was impacted by what it called an IT systems issue. But it’s said little else since then. Other reporters and I have left messages asking for more detail, but statements have been rare. The grocery stores are open. On November 7th Empire said some in-store services were functioning intermittently or with a delay. In addition, some pharmacies were experiencing difficulties in fulfilling prescriptions. It now says the pharmacy IT network is operating fully. On Twitter some employees reported seeing ransomware notes on in-store computers. As of Thursday morning, when this podcast was recorded, the company is still saying it is experiencing some system issues. David, is silence golden?
David Shipley: This is going to be a crisis communications lesson for Canadian firms. I don’t think it’s golden. It is a playbook that has been tried before and successfully used, particularly in the public sector, which doesn’t have the same level of accountability of a publicly-traded company that’s a critical part of our food supply chain. I understand all the pressures that they [Empire] must be under. They probably have a legal department that is screaming bloody murder about every single word that they issue to minimize their risk when it comes to their share price. They probably have pressure if they have cyber insurance for what they [can] disclose, when and how they disclose it, so they don’t jeopardize their insurance. And I’m sure that really, really hurts. They are probably trying to figure out how and where to message. [But] what exactly do they mean by ‘confidential data loss’ [The Toronto Star reports two provincial privacy commissioners have been told about a ‘confidentiality incident’]? Because we’re talking about pharmacies. This might actually get pretty sensitive. So there’s probably a degree of caution. They are probably also very nervous about causing something to flow out of communication that might lead to something — like we saw in the pandemic: The great toilet paper shortage of 2022.
But the reality of really good communications … is eventually this stuff is all going to come out. You can either draw it out or get in front and own it. I think Maple Leaf did a great job [earlier this month]. You haven’t heard a thing about Maple Leaf in the media since they said, ‘Yep we had a cyber attack,’ … because they answered the questions. Now the story is becoming how Sobeys is handling this …
I’ve received a lot of private messages from Sobeys employees since I’ve been in the media talking about this, and I got to tell you they are dispirited. They’re frustrated and some are worried about being paid on time. The company told them nothing. They’ve been under extraordinary stress throughout all of this and basically learning about the attack through the media. That really, really sucks for them. I think we have to remember that when it comes to cyber security crises our employees are an important audience, and telling them what’s going on, how you’re going to make it right, how you need their help recovering makes them part of the solution. Just leaving them in the dark because you’re afraid they’re going to say the wrong thing — well, guess what? They’re going to go to Reddit. They’re going to post pictures. They’re going to talk about this stuff anyway. So I don’t think silence is golden. I think they [Empire] just dragged out the pain of this.
So Quebec and Alberta’s privacy commissioners have been notified that there’s been a confidentiality leak. Confidentiality leak of Scene points? Confidentiality leak of my detailed pharmacy prescriptions? I’d like to know today, please. They could get ahead of this but instead, we’re just speculating about this chaos, and that’s disappointing.
Howard: But the strategy is working: Stores are open, people are shopping, people may see some inconvenience. But apparently most aren’t. And according to CBC News the company has even found a workaround to make sure staff are paid.
David Shipley: I would challenge that it’s working. It’s not like people are just going to stop shopping at Sobeys because they tell them, ‘We had an incident.’ If anything their stock price would take a hit probably no more than it’s taken already. I really don’t see what they have gained from this silence other than get the media going, ‘Why do you have to make this so difficult?’ … This is really important. Safeway stores in rural Canada are the only option for a lot of people to get their groceries. [Being more transparent] would engender public sympathy — particularly if there are shortages or staff are exhausted.
Howard: So is this a new PR strategy that someone has discovered in Canada? A large publicly-traded company can get away with saying virtually nothing for days at a time?
David: It’s not new. We’ve seen this with provincial healthcare cyber attacks, where the entire conversation was shut down under an overly broad envelope of ‘Security.’ It worked there, and I think it’s a negative trend. I hope more companies follow the Maple Leaf example than this. What they are going to do is force regulators to take more stringent approaches, particularly for publicly traded companies, saying they have to disclose more stuff. We’ve seen this kind of legislation in the States.
Howard: Let’s move on to ransomware. There’s outrage in Australia after two huge cyber attacks. First, a wireless provider called Optus was hacked in September, and then in October Medibank, which is Australia’s biggest private health insurer, was hit by a ransomware attack after refusing to pay a ransom. Stolen data of over 9 million current and former Medibank customers began appearing this month on criminal websites. One Australian cabinet minister said a task force has been formed to, in their words, “hunt down the scumbags.” Is that a reasonable promise or posturing to voters?
David: I’ve been one of the advocates to release the hounds. We have to impose costs on cybercrime, and that can’t just happen by being defensive and pouring money in. We’ve got to disrupt the operation of gangs. The Americans did this very successfully after the Colonial Pipeline ransomware attack. I’m not saying that this is going to result in a bunch of Russian organized criminals being marched into a courthouse in Australia, and that’s not what they’re saying, either. They’re saying, ‘We’re going to ruin your stuff. We’re going to leak your tools. We’re going to disrupt as much of your operations as we can. We’re going to cause you chaos.’ I think it is good to start throwing punches back at these groups. It will send a signal. And I don’t think it’s going to be great for Canada right now. Threat actors may say, ‘Let’s plant our flag there for a while.’
I think it’s important we point out that it’s outrageous what the Medibank criminals did. The first file they posted [to the dark web] was about people who had abortions, then they posted information about mental health. These [attackers] are awful, awful people to do that. I think the Australians are mad as hell and they’re not going to take it anymore. Good for them.
Howard: I’m not sure whether ransomware gangs would necessarily turn their sights on Canada. A week ago Canada arrested someone who they believe is deeply involved in ransomware, and they’re apparently getting ready to be extradited to the U.S. for trial.
David: If you’re dumb enough to be a ransomware affiliate in Canada and hitting Canadian and American folks … you’re going to get nailed. Admittedly, it took a while for the law to catch up with the IT worker from Gatineau who made himself $30 million … But to gangs that operate outside of Canada I would say we look like a pretty ripe target.
Howard: Australia’s minister responsible for cyber security is talking about banning organizations in that country from paying ransomware gangs, I guess in the hope that the crooks will, I don’t know. Will that make crooks give up?
David: If they know that there’s no reasonable prospect of being paid it might force them to shift to other jurisdictions. I have talked about this before: I generally hate that we pay ransoms. I can understand in certain circumstances — an attack against a health care system, the loss of decades worth of irreplaceable medical research from a Canadian university — there foreseeably is no other choice but to pay. But for a lot of other use cases, no. They could recover. The city of St. John’s, New Brunswick is a great example. They took their lumps and rebuilt. There may be some room for legislation that if not outright bans payments … Keep in mind we’ve seen some precedent from the Americans that you can’t pay ransomware groups that are on terrorist financing lists. The other thing that could be a really good disincentive is saying if an organization has to pay it has to get government approval and it’s got to be made public.
Howard: We talk about governments going after the crooks and forbidding companies from paying ransoms. Shouldn’t the conversation be around all the things that organizations can and should be doing to blunt the impact of ransomware attacks? You know, there’s been no explanation of how Medibank attackers were able to access data on over 9 million customers. It sounds to me like that data wasn’t encrypted, wasn’t segmented and maybe they didn’t have very good password control.
David: I don’t think this is an either-or conversation, though I think we can have really good legislation that imposes cyber hygiene standards. I will give a shout-out to the province of Quebec for their work in having the most robust privacy and data protection laws in the country. Quebec’s also done a great job of having a ministry of cybersecurity to send a signal that cyber security matters, and it matters to the most senior leadership of the province, and it expects that to be reflected in the corporate private sector as well. This is where Canada’s Bill C-26 is off the mark by only concentrating on four critical infrastructure providers. That wouldn’t count Sobeys, so maybe we should go back and rethink that one. We can have good legislation that helps people understand what we expect from a due diligence defense. But let’s remember even if you do all the right things you can still have a very bad day if the threat actors are really lucky. So if you absolutely have no choice but to pay the ransom, that’s okay — but you’re gonna have to tell people you paid.
Howard: I’ve reported here before that I covered a recent cyber security panel that involved police in Canada and the United States, and they want victims of cybercrime — especially ransomware — to contact them so that they can get as much information as they can to help them go after crooks. At the Aspen Cyber Summit this week in the United States a Justice Department official said Washington is having increasing success in helping victims who report ransomware attacks, and that includes sometimes getting back the cryptocurrency they paid to hackers, shutting criminal cryptocurrency exchanges and getting foreign countries to arrest suspects.
David: Which is awesome. That goes back to mandatory cybercrime reporting across the entire Canadian public and private health sector to a single source — including, ‘Yeah we paid the ransom here’s the bitcoin address, let’s see what we can get back.’ … Please do contact your law enforcement and tell them when you’ve paid the ransom so that we can fight back.
Howard: The final item we’re going to look at today is the strain of cyber attacks on municipalities, school boards, hospitals and children’s aid societies and how they can be helped. These are called the broader public sector. This week I interviewed the chair of an Ontario expert committee that looked into the state of cyber security in the broader public sector. Robert Wong told me that the situation is bad in some organizations, particularly the small ones with limited revenue and therefore little or no IT support.
David: It’s an epidemic. The data shows just how small municipalities around the GTA [Greater Toronto Area] over the last five years have been hammered. And we’ve seen data coming out of the U.S. from the education sector showing ransomware attacks in particular against public education were up 56 per cent. Municipalities have just been robbed by these criminals there. This is not going to change because organizations in these sectors have lean IT budgets. They don’t have a ton of money to invest … I think there’s an absolute call to better co-ordinate across these sectors within provinces. Sectors can collaborate: The Canadian higher education sector under the leadership of CANARIE and working with groups like ORION have done cross-sector projects like DNS firewall and other things. They’ve done the CanSOC project, a shared Security Operations Centre across numerous universities with a shared threat feed. So I think there’s great precedent to ask how do we collaborate? Even in my province of New Brunswick many municipalities there are too small to stand up their own SOCs.
Howard: The Ontario expert panel made a number of recommendations. The main ones are that the province should create a single body to oversee cybersecurity efforts across the entire broader public sector. It wouldn’t quite be a regulator but it would demand accountability in the form of regular reports from institutions that they have cybersecurity plans. The board would set cybersecurity standards and be a source of best practices. Sectors would have some flexibility to solve the problems that affect, for example, only school boards.
Second, these organizations would have to create common cyber security risk operating models based on the National Institute of Standards and Technology (NIST) cyber security framework. One advantage is all municipalities could talk to each other in a common risk language, and of course municipalities could talk to, for example, school boards and hospitals as well. Third, the province should encourage these institutions to create shared cyber IT services, like one you just mentioned. Fourth, there should be a threat intelligence sharing platform for these sectors, and fifth, the province should look at creating some sort of public-private cyber insurance program for the broader public sector.
David: Amen to the shared services. Let’s have a real, honest conversation about what this cyber insurance is actually going to look like. I think you absolutely have to have that common risk language and a baseline before the province says, ‘Here’s your insurance backstop.’ The reality is the insurance industry in Canada is losing 100 to 300 per cent of its cyber insurance premiums to payouts this year. And let’s be honest, it’s [mainly from] the public sector. It’s been hemorrhaging from these attacks, so it’s getting really, really hard for hospitals, schools and municipalities to get cyber insurance. That’s going to have to get backstopped by the province, and I think Ottawa has a role to play … This is a national security issue.
Having a common security language based on NIST makes a lot of sense.
It’s about incrementalism: We are not going to go from the state of cyber chaos we’re in right now to a cyber utopia in five years. This is going to be a decade-plus effort, and it’s going to require investment. It’s yet another infrastructure debt that we’re going to have to handle … You know there’s one thing that keeps me awake at night: I used to fret a lot about municipalities being in charge of the water supply. But someone on the critical infrastructure side of things told me it’s a lot harder to mess with water than you think. But, the person added, a sewer is a lot more damning because once you screw up a sewage system it doesn’t take long before it really can spread communicable diseases. So we’ve got to get moving on this. But I’d be cautious that we look at insurance as basically a disaster backstop. Without doing the hard preventative long-term investment …
Howard: One thing Robert Wong said to me was the solution is not to throw money at towns and children’s aid societies. He said cybersecurity starts with governance. Which means it starts with executives. If there’s a will then money will be found, he said.
David: I don’t necessarily agree with that. We work with a lot of these groups and their executives are scared. They’re mayors, and their city councils are talking about this but they don’t know where to get started. And keep in mind the talent shortage [of cybersecurity workers]. It’s about money and people. The broader public sector needs to be supported by showing how to build a governance plan, how you build a staffing plan, here’s what shared resources you can access, here’s how an IT project approval process could work … When you think about these children’s aid societies, it’s not like they’re flooded with cash right now, and they’re doing really, really important work for the most vulnerable in society, and they can’t afford to take on an extra 10 to 15 per cent cost on the IT side to properly secure themselves.
Howard: One recommendation is these public sector organizations have to appoint a senior official responsible for cyber security.
David: I agree, because if no one’s responsible for IT it’s not going to get done. But they need to have a chief information security officer. Maybe it doesn’t need to be a full-time position. Maybe you could share a CSO across a couple of small municipalities. Again, this has been done very successfully by Ontario universities. And they have a dual reporting responsibility back to the CIO, but they also report back to council. That way you’ve got really good checks and balances and transparency.
Howard: The province of Ontario says it accepts the recommendations. I’m not sure whether it means they agree with all of them. But it hasn’t put forward a timeline for implementing them.