Cyber threats against Canadians and organizations show no signs of slowing, according to the federal government’s latest analysis, and many attacks are successful for one reason: Failure to follow basic security hygiene.
“The vast majority of cyber incidents in Canada occurred because basic elements of cybersecurity weren’t followed,” wrote Scott Jones, the head of the Canadian Cyber Security Centre, in its national cyber threat assessment released this afternoon.
The centre is the public-facing division of the Communications Security Establishment, otherwise known as the country’s electronic spy agency. The CSE protects federal networks while the centre advises the private and public sectors on cyber strategies.
One of the key conclusions, said Defence Minister Harjit Sajjan, who oversees the CSE, is that “the internet is at a crossroads, with countries like China and Russia pushing to change the way it is governed, to turn it into a tool for censorship, surveillance, and state control.”
This is a reference to pressure at the United Nations and the International Telecommunications Union by some countries for technical and policy changes. China and Chinese telecom companies have pressed the ITU to adopt what they call the New Internet Protocol to develop a “top-down design for the future network.” According to reports, the NIP would allow a state to in effect have a kill switch on Internet traffic it doesn’t like.
The centre’s report said the NIP might provide certain cybersecurity advantages, “but it would enable powerful censorship, surveillance, and state control.”
At a press conference for reporters, Jones said successful attacks largely exploit unpatched systems. “We still as a nation are making it far too easy for any cyber actor to execute their operations against us. One simple thing that everyone can do is deal with the basics.”
Not only does the black market sell more sophisticated attack tools, he added, but they boast “better support than many of us can get for our IT products.”
Asked why organizations aren’t hitting the basics, Jones acknowledged many small and medium-sized businesses find security products and services too expensive or too complex to implement. The centre has a guide for SMBs with “very simple things” like turning on automatic software patching.
Jones also said the centre is looking for industry partners like the Canadian Bankers Association, which is urging young companies to pay attention to that SMB guidance.
In addition, the IT industry should make it easier for customers to keep their systems up to date, he said. “It needs to be less drastic, it needs to be easier, it needs to be automatic to apply security patches.”
Meanwhile, large organizations, with their large IT staff, need to share more threat information widely with other firms, Jones said.
The report notes that its 2018 edition also said “many cyber threats can be mitigated through awareness and best practices in cybersecurity and business continuity. Cyber threats and [foreign] influence operations continue to succeed today because they exploit deeply-rooted human behaviours and social patterns, and not merely technological vulnerabilities.
“Defending Canada against cyber threats and related influence operations requires addressing both the technical and social elements of cyber threat activity. Cybersecurity investments will allow Canadians to benefit from new technologies while ensuring that we do not unduly risk our safety, privacy, economic prosperity, and national security.”
The threat assessment and predictions are used by the government to set its priorities, as well as to inform Canadians about cyber hazards.
Key findings include:
- The number of cyber threat actors is rising, and they are becoming more sophisticated. The commercial sale of cyber tools coupled with a global pool of talent has resulted in more threat actors and more sophisticated threat activity. Illegal online markets for cyber tools and services have also allowed cybercriminals to conduct more complex and sophisticated campaigns.
- Cybercrime continues to be the cyber threat most likely to affect Canadians and Canadian organizations.
- Ransomware will almost certainly continue to target large Canadian enterprises and critical infrastructure providers. These entities cannot tolerate sustained disruptions and are willing to pay up to millions of dollars to quickly restore their operations. Many Canadian victims will likely continue to give in to ransom demands due to the severe costs of losing business and rebuilding their networks and the potentially destructive consequences of refusing payment.
- While cybercrime is the most likely threat, the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada.
- State-sponsored actors are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure, such as the supply of electricity, to further their goals. But the centre feels it unlikely cyber threat actors will intentionally seek to disrupt Canadian critical infrastructure and cause major damage or loss of life in the absence of international hostilities. Nevertheless, cyber threat actors may target critical Canadian organizations to collect information, pre-position for future activities, or as a form of intimidation.
- State-sponsored actors will almost certainly continue to conduct commercial espionage against Canadian businesses, academia, and governments to steal Canadian intellectual property and proprietary information. We assess that these threat actors will almost certainly continue attempting to steal intellectual property related to combatting COVID-19 to support their own domestic public health responses or to profit from its illegal reproduction by their own firms. The threat of cyber espionage is almost certainly higher for Canadian organizations that operate abroad or work directly with foreign state-owned enterprises.
- Online foreign influence campaigns are almost certainly ongoing and aren’t limited to key political events like elections. “Online foreign influence activities are a new normal, and adversaries seek to influence domestic events as well as impact international discourse related to current events.”