"The future of Canada's cybersecurity landscape"
Good afternoon everyone, and thank you for the warm welcome.
My name is Caroline Xavier, and my pronouns are she, her and elle.
Before we start, I’d like to take a moment to acknowledge that the land where we are gathered is the traditional and unceded territory of the Algonquin Anishinaabe people. I am very grateful to live, work and play on this land.
This is actually my second time speaking at the Canadian Club of Ottawa, but my first time as Chief of the Communications Security Establishment. The last time, I was on a panel linked to immigration and the need for its digital modernization.
Perhaps I didn’t do too badly last time because they invited me back!
But let’s be honest, the real reason the Canadian Club asked me back is because we are here today to talk about the future of cyber security – a really timely topic, especially given it is Cyber Security Awareness Month.
Before we go any further, I should be very clear – I am not a cyber security expert.
If you’ve come here with a wish for an in-depth discussion of network configuration, you’ve got the wrong speaker! But I have some others from our Canadian Centre for Cyber Security I can send your way.
What I hope you have come here for, is a discussion of the main cyber threats affecting Canada.
What are the key trends?
And what do they mean for our day-to-day lives?
If that’s why you’re here – then great!
If not, thank you for coming, and it is a good thing there was a great lunch being served….
So, if I’m not a cyber security expert, then what am I doing here?
Well, I am the head of the federal agency responsible for protecting Canada’s government and critical infrastructure from cyber threats.
The agency is CSE – the Communications Security Establishment.
And within that agency, we have the Canadian Centre for Cyber Security – or the Cyber Centre for short.
The folks at the Cyber Centre are the cyber security experts – world-class ones. The Cyber Centre is Canada’s technical and operational authority on cyber security.
And as per our plans, we have just published a new edition of the National Cyber Threat Assessment, also known as the NCTA.
The report went live at 11 o’clock this morning, so the insights I’m going to share with you are literally hot off the press.
I’ll give an overview of the top five “key judgements” from the NCTA. These are the key trends we think are going to be important now and more importantly for the future.
“The future of cybersecurity” is a big topic, but I’ve been asked to keep it to ten minutes, so let’s jump right in with key judgement number one: “Ransomware is a persistent threat to Canadian organizations”.
To a group like this, that probably doesn’t come as a surprise. You follow the news. You see the headlines. If you’ve read either of our previous editions of the NCTA, ransomware has been front and centre.
Ransomware is when a threat actor compromises your system, encrypts your files and refuses to restore them unless you pay a ransom.
They may also steal your data or leak it online.
Ransomware is not the most common form of cybercrime.
Would anybody like to venture a guess as to the most common form of cybercrime?
The most common types of cybercrime are online fraud and scams.
(You know that call from the Canada Revenue Agency where they want to put you in jail…)
The Canadian Anti-Fraud Centre shares a running total of fraud reports for the year, and it works out at about two hundred and fifty per day in Canada. And those are just the ones that get reported.
In our day-to-day lives – online fraud and scams are the cybercrimes we’re most likely to come across.
But ransomware is the most impactful, because it has the most power to disrupt the services we rely on.
One of the case studies mentioned in the NCTA is Humber River Hospital in Ontario. It suffered a ransomware attack last June that resulted in a Code Grey – meaning essential services were reduced.
What’s interesting about this case study is that everything went about as well as it possibly could from a cyber security standpoint.
The systems had been updated just the day before, the malware was detected almost immediately, and the IT systems were shut down before any files could be encrypted.
Gold star for Humber River.
But the hospital has over 5000 computers that had to be patched one by one over the course of 48 hours.
So even with no privacy breach and no ransom to pay, it still took two days to get all the systems back online.
The hospital had to cancel clinics, and redirect ambulances, though it was able to keep the emergency department open.
In the cyber security world – timing and fast reactions are critical.
The Humber River incident is just one example.
Since the start of the pandemic, over 400 healthcare organizations in the US and Canada have suffered a ransomware attack.
Key judgement number two: “Critical Infrastructure is increasingly at risk from cyber threat activity”. A theme also featured in our last NCTA, but still very much an area of concern.
As the previous example shows, the health sector is a popular target, but so is critical infrastructure generally.
What do I mean by critical infrastructure? Any services we can’t do without, such as energy, telecoms, and banking. Municipalities, transit systems and schools. Water, food and manufacturing. It’s a long list.
Critical infrastructure is increasingly at risk for a couple of reasons.
First, ransomware is just more common and more sophisticated than it was two years ago.
That’s in large part due to the Ransomware-as-a-Service (RAAS) model. Which essentially means that cybercriminals sell their tools and services online to other cybercriminals.
Bad guy “A” develops a new malware secret sauce and shares it with multiple other bad guys for a share of the profits.
As a result, many more players than ever before have access to sophisticated cybercrime tools.
The second reason why critical infrastructure is increasingly at risk, is because more operational technology is connected to the Internet.
Let’s say you’ve got a water processing plant, with physical systems that control the amount of chlorine that goes into the water.
Up to now those physical systems might have been controlled by a human being at the site, pulling levers or pushing buttons.
But now those systems could be monitored and controlled from anywhere because they are connected to the Internet.
That’s very convenient for the water company. But to a cybercriminal it’s a golden opportunity.
That connectivity came into play in the case of Colonial Pipelines – the US company that was hit by a ransomware attack in May 2021.
Hackers breached the company’s corporate IT network. But because the IT network and operational network were connected, the company decided to shut down the entire pipeline themselves as a precaution.
Gas stations ran dry up and down the US East Coast and several states declared a state of emergency.
The practice of connecting operational technology to the Internet is only just beginning. With 5G technology, we have the potential for just about everything to be connected – smart homes, smart factories, smart transit systems, smart cities, so this is an important cyber threat to consider for the future.
Now, so far we have only talked about the threat from cybercriminals.
What about nation states?
Key judgement number three: “State-sponsored cyber threat activity is impacting Canadians”.
The state-sponsored cyber programs of China, Russia, Iran and North Korea pose the biggest strategic cyber threat to Canada.
That was our assessment two years ago, and that remains the case.
Now, to be clear, we do not think state-sponsored actors would conduct destructive cyber operations against Canadian critical infrastructure in the absence of direct hostilities involving Canada.
However, Russia’s invasion of Ukraine has shown that Russia is willing to use cyber capabilities to support wartime operations.
Russian-backed cyber actors have gone after targets in Ukraine’s government, finance, energy and communications sectors.
For example, Russia targeted a satellite Internet provider in causing significant service outages across Ukraine and several other European countries.
We also see foreign states using cyber capabilities to monitor diaspora populations in Canada as well as Canadian individuals they see as a threat, such as activists.
This edition of the NCTA names China, Iran and Saudi Arabia as three nations that are very likely monitoring diaspora populations in Canada using a combination of social-media surveillance and spyware.
You also have countries such as Iran and North Korea engaging in cybercrime as a way to raise money to get around international sanctions or to cover their tracks when engaging in cyberespionage.
And then you’ve got the use of cyber tools to steal intellectual property and commercial secrets.
In that department, China is the most significant actor in terms of both volume and sophistication.
The US has unsealed indictments against Chinese state-sponsored threat actors accused of carrying out systematic cyber espionage in 12 countries, including Canada.
The technologies targeted included IT, maritime technology, vaccines and virus treatments, aviation and defence.
There’s one other type of state-sponsored cyber threat that’s important to mention and that’s key judgement number four: “Cyber threat actors are attempting to influence Canadians, degrading trust in online spaces”.
This is a biggie.
In 2020 we called online foreign influence activities “a new normal”. Over the last two years, online disinformation has become more prevalent, more organized and harder to distinguish from reality.
We have seen this amplified with the invasion of Ukraine, where Russia has engaged in a coordinated disinformation campaign to justify its actions and influence events.
One false story used doctored photographs claiming to show Canadian forces committing war crimes in Ukraine.
Another used a deepfake video appearing to show the President of Ukraine telling his military to surrender to Russia.
In April, CSE took the unprecedented step of sharing insights from classified intelligence sources on social media, to inform Canadians about Russia’s sustained disinformation efforts.
But perhaps even more worrying, is the impact of foreign-backed disinformation on Canadian society itself.
For example, a 2021 Statistics Canada survey found that nine out of ten Canadians sought out information online about COVID-19. Not surprising.
Of those Canadians, 96 per cent reported coming across content they suspected was misleading, false or inaccurate. That’s basically everybody.
Obviously, not all of that false information is deliberately created to deceive and not all of it is coming from abroad. But some of it is.
These campaigns make it harder for Canadians to make informed decisions about our lives.
Disinformation polarizes opinions and amplifies discord. It undermines trust in public institutions, in government, in the media, and in the democratic process itself.
Now, all of those four key judgements are themes we have highlighted in previous NCTAs – ransomware, threats to critical infrastructure, state-sponsored activity and disinformation.
But before I wrap up, there is one final key judgement, and it’s a new one for this edition of the NCTA: “Disruptive technologies bring new opportunities and new threats”.
I call this the double-edged sword rule.
A new technology comes along with the potential to change our lives for the better. And it does.
But as sure as night follows day, cyber threat actors find ways to harness that technology for their own ends.
The report highlights three emerging technologies to watch in this space – machine learning, quantum computing and cryptocurrencies.
We’ve talked in previous reports about how cybercriminals use cryptocurrency to exchange and launder money.
But new privacy coins, such as Monero, make it even easier for cybercriminals to move money around completely undetected.
Decentralized finance platforms – which enable peer-to-peer financial services – have flourished over the past two years, and this has opened up lucrative new targets for cybercrime.
Industry reports estimate that in 2021, cybercriminals stole over 3 billion dollars in value from both cryptocurrency exchanges and decentralized finance platforms.
I know. I have painted a pretty grim picture.
If we have time in the Q and A I’d be more than happy to talk about some of the ways CSE and the Cyber Centre are working to counter these threats.
There is a lot going on that is very positive, and there are steps we collectively all need to continue to take to mitigate the risks.
If I can leave you with one action item that you can do today, it’s to go to the Cyber Centre website.
There is a wealth of resources for different audiences.
If you’re an executive, you can get the overview of any aspect of cyber security.
If you’re an IT professional you can geek out to your heart’s content.
And if you’re a cyber security newbie, our Get Cyber Safe campaign has all the practical advice you need to get started.
It may seem overwhelming, but getting the basics right can have a big impact.
So that’s my shameless plug for the day: The Cyber Centre website.
You can also find the full National Cyber Threat Assessment there for more detail on the key judgements I’ve talked about today.
I will wrap it up here so we can have time for your questions.