Trillium – Forum Magazine – July
Data has become the new currency, and it’s being stolen from us. Our social and business lives revolve around the use of data. We share our pictures, comments, and thoughts with family and friends through social media. Businesses, regardless of size or type, rely on data to operate, including business contacts, client lists, billing information, inventory, trade secrets or the ‘magic sauce’ that makes a company successful.
Our data is valuable to us. Because our data has value, attackers want to either steal it or make it inaccessible unless we pay an extortion fee. Consequently, being the victim of a cyber attack is no longer exclusive to large organizations. All organizations are being victimized. It’s important to understand who these attackers are, how they operate, and what can be done to minimize the risk they pose.
Organizations and employees are now working in a changed operational environment. COVID-19 resulted in a ‘doing it remotely’ lifestyle: working from home, shopping from home or some form of hybrid activity. Businesses accelerated technological transformation to enable this environment, before they may have been fully ready to do so. Complex systems have been rapidly adapted. Updating and patching some legacy systems that now connect to the Internet has proven to be challenging. Organizations have had to assume a higher level of risk than would normally be acceptable.
Cyber criminals and some nation states have seized this opportunity to increase their cyber attacks. The leaders of Canada’s intelligence agencies have warned that cybercrime is the “most pervasive threat to Canadians and Canadian businesses” and that “cyber-enabled attacks pose significant threats to Canada’s national security, its interest and its economic stability”.
Several types of attackers pose a threat to Canada. Nation states conduct cyber attacks motivated by espionage, and are also conducting ‘statecraft’. Their objectives are the theft of government and commercial secrets, and influencing and manipulating public opinion in other countries. Their normal victims are government agencies, non-governmental organizations, think tanks, and critical infrastructure operators. Nation states use their considerable technical capability to conduct sophisticated, stealthy cyber attacks. Once inside the victim’s network, they try to remain hidden for long periods. They’re looking for plausible deniability. They don’t want the attacks to be attributed to them. The Canadian Centre for Cyber Security, in its National Cyber Threat Assessment 2020, noted that “while cybercrime is the most likely threat, the state sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada”.
Cybercrime is being commercialized. It’s operating as a business. In some countries, cyber criminals are permitted to operate with minimal interference from the government providing they don’t attack the enabling state, and respond when called upon by state apparatus to provide assistance. The technical barriers to becoming a cyber criminal are decreasing as many of the required capabilities are readily available to purchase through on-line forums. Criminals are usually financially motivated to conduct their attacks, requiring that payment to them be made in crypto currencies. Unfortunately, the chances of cyber criminals getting caught are limited.
Canadian organizations are being victimized by cyber criminals. Media headlines flash the names of some high-profile victims. But these represent a small percentage of the actual number of victims. A comprehensive survey conducted by Statistics Canada found that “just over one-fifth (21%) of Canadian businesses reported that they were impacted by cyber security incidents which affected their operations in 2017”. That is a significant number of victims. Other studies have found similar results. Ransomware attacks conducted by cyber criminals are growing in sophistication, frequency, and profitability. Victims are extorted to pay for the return of their information which was either stolen or encrypted, making it unusable. One study revealed that ransomware attacks accounted for 67% of cyber security incidents. The cost of data breaches is significant. In Canada, the estimated average cost of a data breach in 2021, including ransomware attacks was $6.35 million.
Some cyber attackers operate with access to the victim’s network by virtue of being an employee, contractor, or vendor. These ‘insiders’ are both part of the first line of defence against attackers and are a potential threat. Working remotely has compounded the security dynamics for insiders. The motivation of insiders varies. Sometimes it’s an employee doing the wrong thing for the right reason. Not following security guidelines in the belief that they are assisting their organization. Sometimes, employees just make a mistake, like clicking on a malicious link in an email that subsequently downloads harmful software. In some instances, the insider’s actions are malicious. Someone may bribe them to provide access to the employer’s network or they do something for revenge.
Geopolitics is also shaping the cyber threat landscape. While not new, we are witnessing geopolitics playing out in digital space at previously unseen levels. Cyberspace has been an attractive environment to undertake state activity. It’s an environment that enables global reach while providing a relative degree of anonymity and deniability. Compared with the other tools available to nation states, it’s relatively low cost. It’s used to intimidate, punish adversaries, affect morale, and create political instability. Nation state activity that falls below the threshold of formal conflict is frequently referred to as ‘grey zone aggression’. Russia’s invasion of Ukraine has raised this grey zone aggression to new heights.
Cyber attacks have been used to disrupt government, financial websites, and satellite Internet service in Ukraine. The United States and European countries have accused Russia of conducting data wipe attacks against Ukraine which destroys data. Cyber criminal organizations and cyber hacktivists have also been drawn into the conflict pledging their support for one side or the other and launching cyber attacks against both government and private organizations.
There is concern that the cyber conflict could spill over into Canada. The Canadian Centre for Cyber Security has issued warnings urging Canadian critical infrastructure operators to raise awareness and take mitigation actions against known Russian-backed cyber threat activity.
Countries are responding to reduce the cyber threat level. In Canada, initiatives include: establishing the Canadian Centre for Cyber Security as “the single unified source of expert advice, guidance, services and support on cyber security for Canadians”; creating the National Cybercrime Coordination Unit in the RCMP “to coordinate Canadian police operations against cybercriminals and to establish a national mechanism for Canadians and businesses to report cybercrimes to police”; and, launching the CyberSecure Canada certification program for small and medium-sized enterprises. The Federal Budget 2022 allocated approximately $892 million over five years to enhance government cyber security programs and the Government conducted a mid-term review of the National Cyber Security Strategy as part of developing and implementing a renewed Strategy.
Internationally, countries are taking action. In 2021, a 30-nation summit was held to launch a global campaign to combat ransomware. The goal is to disrupt the financial motivation of cyber criminals by building the capacity to rapidly trace and interdict cryptocurrency payments around the world. Nations who undertake cyber attacks and permit cyber criminals to operate in their countries are being publicly called out. International law enforcement operations and criminal prosecutions have been undertaken and countries have announced initiatives to enhance the security of software supply chains. This is a good start, but there is more to be done.
The private sector is playing its part. Cyber security is now on the agenda of many boards of directors. Companies realize cyber security needs to be considered as any other business risk – it’s not just the responsibility of the corporate technical team. Companies recognize that cyber risk is more than just the loss of data. A cyber attack can impact the operational capability of the entire business.
Companies have also come to recognize the value of collaboration and sharing threat information. The Canadian Cyber Threat Exchange (CCTX) was established by the private sector to enable its members to collaborate on reducing financial, operational, and reputational risk though access to timely, relevant, and actionable cyber threat information. Participating member organizations recognize that collaboration is another tool to help alleviate their cyber talent shortage. Working on a cross-sector basis with organizations of all sizes, CCTX members can engage their supply chain and customers to increase cyber resilience and augment their cyber defences.
Individual organizations can significantly increase their cyber resilience. The CCCS provides guidance for small and medium organizations to reduce risk. Measures include patching operating systems and applications, backing-up and encrypting data, using strong user authentication, and developing an incident response plan and exercising it.
We can all do our part to increase our cyber resilience: be aware of the risks, think before you click and share what you know with others. If we support each other, we will all be stronger.
Robert Gordon is the Strategic Advisor with the Canadian Cyber Threat Exchange (CCTX), Canada’s Not-For-Profit, Private-Sector Cyber Threat Sharing Hub + Collaboration Centre. Connect with him on LinkedIn
 Shelly Bruce, Chief of the Communications Security Establishment, Speaking May 18, 2021, at the Centre for International Governance Innovation
 “Canadian Security Intelligence Service Public Report 2021”
 “National Cyber Threat Assessment 2020”, Canadian Centre for Cyber Security https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020 accessed 2022 07 04
 “Cyber security and cybercrime challenges of Canadian businesses, 2017” https://www150.statcan.gc.ca/n1/pub/85-002-x/2019001/article/00006-eng.htm accessed 2022 07 04
 “Canadian Cybersecurity Trends Study 2021” – Blakes, accessed 2021 06 06
 Sami Khoury, Head of the Canadian Centre for Cyber Security, Canadian Defence Review, Volume 28, Issue 3, page 70 and NCSC pins Viasat cyber attack on Russia (computerweekly.com) accessed 2022 06 08
and Cyberattack hits Ukrainian banks and government websites (cnbc.com) accessed 2022 04 13
 https://www.theregister.com/2022/05/10/us_eu_russia/ accessed 2022 05 25
 National Cyber Security Action Plan 2019-2024 (ntnl-cbr-scrt-strtg-2019-en.pdf (publicsafety.gc.ca)) accessed 2022 07 06
 Canadian Cyber Threat Exchange: “Baseline Cyber Security Controls for Small and Medium Size Organizations” ( Baseline.Controls.SMO1_.2-e .pdf (cyber.gc.ca)), “Get Cyber Safe Guide for Small and Medium Businesses” ( Get Cyber Safe Guide for Small and Medium Businesses – Get Cyber Safe ), and “Top Measures to Enhance Cyber Security for Small and Medium Organizations”, (Top measures to enhance cyber security for small and medium organizations (ITSAP.10.035) accessed 2022 07 06