Cyber attacks have been called “a growing threat to the country’s economy, public infrastructure, power grids, utilities, and healthcare sector,” “a matter of national security” and a “top concern for Canadians.” But experts say we need to do more to protect ourselves from cyber threats, including having more “boots on the ground” in the form of cyber security specialists.
“Cyber crime is still the number one threat activity affecting Canadians,” says Sami Khoury, head of the Canadian Centre for Cyber Security, part of the Communications Security Establishment (CSE) and Canada’s technical authority on cyber security.
“Our essential services are being disrupted, from hospitals and schools to municipalities and utility providers. Our personal and financial data are being stolen, traded or leaked online,” said Defence Minister Anita Anand in the biennial report by the Cyber Centre.
How big is the cyber threat to Canadians?
“Fraud and scams are almost certainly the most common form of cyber crime that Canadians will experience over the next two years as threat actors attempt to steal personal, financial and corporate information via the internet,” the Cyber Centre report said.
According to the Canadian Anti-Fraud Centre, since January 2021, there have been more than 150,000 reports of fraud in Canada with more than $600 million stolen, much of it by cyber criminals.
Among the most commonly used tools in cyber crime is ransomware, a type of malware that cyber criminals use to disable or disrupt an organization’s computer system until a ransom is paid.
Aside from the financial cost of the “ransom” itself, ransomware can impede the operation of critical systems, damage or destroy an organization’s data and reveal sensitive or confidential information, the Cyber Centre report said.
Due to its impact on an organization’s ability to function, “ransomware is almost certainly the most disruptive form of cyber crime facing Canadians,” the report added.
“The threat that we said was most likely to impact Canadians was cyber crime, with ransomware being front and centre as having a pretty significant impact,” says Rajiv Gupta, associate head of the Canadian Centre for Cyber Security.
“Ransomware threat actors started with the modus operandi of (getting into a network and) encrypting a customer’s data . . . and so the organization was essentially disabled until they paid the ransom. Then the ransomware threat actors would provide the key to decrypt that and hopefully (allow the organization to) get the network back into service.”
Gupta says cyber criminals are raising the stakes by threatening not only to disable the network, but also to steal the confidential or valuable information within the network and “exfiltrate” the data to themselves or other criminal organizations.
“So they have multiple forms of extorting money from the victim (of the ransomware attack),” Gupta says. “Not only are (the victims) out of service, they also have the risk of having the data being owned by a group of criminals.”
Gupta added that cyber criminals are increasingly emboldened by successful ransomware attacks, resulting in more frequent attacks and higher ransom demands. “Unfortunately, there have been a lot of organizations paying the ransom. The fact that people are paying the ransom is providing the source of revenue for this criminal marketplace to become more and more advanced and sophisticated.”
While Gupta is sympathetic to organizations, like hospitals, that accede to ransom demands rather than risk endangering public health or patient confidentiality, the result is more ransomware attacks.
“When you are paying the ransom, you’re funding these criminal organizations and fuelling the whole ransomware ecosystem. And there’s no guarantee they’re going to give you the key or not publish your data.”
In fact, a survey of Canadian businesses found that only 42 per cent of the businesses that paid the ransom had their service restored by the cyber criminals.
The most notorious ransomware attack was the Colonial Pipeline attack in the northeastern U.S. in May 2021, which caused the shutdown of the largest pipeline in the country for five days, causing price spikes and fuel shortages for millions of Americans.
The Cyber Centre has knowledge of 235 ransomware attacks in Canada in the first 11 months of 2021. But Gupta acknowledged that represents a fraction of the number of actual cyber attacks in Canada. “All of these incidents are vastly underreported,” Gupta says. Statistics Canada reported that roughly one in five Canadian businesses (18 per cent) were impacted by cyber security incidents in 2021, but only one in 10 reported the incident to the authorities.
So what can businesses, organizations and individuals do to prevent ransomware and other cyber attacks?
Gupta says the Cyber Centre has put together a Ransomware Playbook, which outlines what organizations can do when confronted by a ransomware attack and, more importantly, how to prevent such damaging and costly attacks from happening in the first place.
Gupta says the Ransomware Playbook shows organizations “how to formulate a plan, so when a ransomware event happens, it’s not the first time you’ve thought about this . . . figure out who is going to lead the response, have (data) back-ups so if they were to encrypt your data, then you can restore from your back-up and you have a way out.”
He says organizations should put in “preventative controls” that will identify and repel the typical tools and techniques used by cyber criminals to gain access to your computer system or information database.
Individuals can also benefit from implementing the controls recommended in the Ransomware Playbook to protect their own home computer systems, their online bank accounts and confidential information.
Gupta says ransomware and other cyber threats are not just a concern for business and large organizations, but for virtually everyone who has a cell phone, computer and other personal devices.
“The reality of modern-day business is that if you’re connected to the internet, cyber security is incredibly important and you have to work that into your (planning) when you’re running a business.”
While most Canadians are aware of the risks of cyber attacks, Canada is woefully short of cyber security expertise to help protect our homes, businesses, non-profit organizations and government agencies from cyber attacks.
“One of the top issues is the talent crisis and the lack of cyber security experts or mid-tier level employees to fill that role,” says Angela Mondou, president and CEO of Technation Canada, the nation’s information and communications technology (ICT) industry association.
“By 2025, we need to have growth of over 65 per cent in cyber security positions,” Mondou said in a recent interview with Industry West. Globally, the number of cyber security positions required is estimated at 3.5 million.
“Right now, in the States, they’re short 700,000 positions,” Mondou says. “In Canada, we have a huge gap as well.” There are currently 4,000 vacant cyber security positions posted in Canada, but the actual shortage is probably closer to 25,000.
“It’s a lot of people. It’s a huge impact on our economy. It’s a huge impact on national security.”
To address this “talent crisis” and other cyber security issues, Technation launched a Cyber Security Taskforce in October, which is charged with getting government and industry to develop a national cyber security strategy.
The Cyber Security Taskforce has four main goals: identify “cyber imperative areas” to change and improve; increase the country’s supply of qualified cyber security workers; educate Canadians about the need for cyber security awareness; and help develop the “Canadian digital economy for the future.”
“Some of the recommendations we’ve come up with is having government (fast-track) the pathways to cyber security certification,” she says, noting that some private sector companies are offering “alternative and quicker pathways” for employees to be trained and certified as cyber security workers.
While Canada needs more entry-level cyber security workers, it also needs more experienced cyber security professionals.
“One of the larger challenges for industry is not at the entry-level, but the more experienced leader who has really worked in this space, has business savvy and has problem-solving capability,” explains Mondou. “There needs to be an all-hands-on-deck (approach to developing a) national cyber security workforce.”
Mondou says Canada needs to start preparing small and medium-sized enterprises (SMEs) to defend themselves against cyber attacks because they represent most businesses in the country.
“In our organization (Technation), it was mandatory that every single employee had to go through an on-line (cyber security) certification process. We had phishing tests, fraud tests. We’re always being tested.”
Mondou would also like to see cyber security awareness campaigns directed at average Canadians. “Canada is such a safe nation. We haven’t had the massive infrastructure attacks like other countries. So we’re a little, I would say, naïve.”
Since the pandemic, the “cyber threat landscape” has changed for the worse, with more and more Canadians shopping and buying their groceries online, doing their banking online, working online and even attending medical appointments online.
“The biggest threat is between you and your keyboard, your phone or your laptop. The threat platform is in everyone’s home,” she said. “So there really does need to be increased awareness by individual Canadians because they’re all part of the supply chain of data now.”