Cyber Security and Emerging Threats

Cyber Threats to Critical Infrastructure (CI)

Canadians are becoming increasingly reliant on and interconnected with technology, especially in daily interactions. While this certainly has benefits, such as fueling innovation and improving communication, it also allows for greater cyber threat activity that has the potential to impact Canadians significantly. Due to this, cyber threats are a pressing issue. While cyber threat actors have a myriad of victims to select from, critical infrastructure (CI) is increasingly becoming a favoured vulnerable target because of society’s dependency on it. The failure of one or more CIs can result in destructive consequences for a state.

Last year saw a string of high-level cyber-attacks in various countries. In October, the MercyOne Des Moines Medical Center in the US was targeted by an apparent cyber-attack that caused delays in medical treatment and emergency services. In November, a hacker group targeted and disrupted the Danish State Railways’ train operations. While only two examples, they nonetheless highlight the significant threat that CI-focused cyber-attacks bring to a state. As vital sectors such as communications, manufacturing, and energy increasingly rely on connectivity, they become more vulnerable to cyber-attacks that can potentially affect the lives of millions of people.

The loyalties and motivations of the cyberhackers that engage in these activities vary. They range from ideologically driven terrorist groups to criminal gangs pursuing purely economic interests. However, the Canadian Centre for Cyber Security has acknowledged that the state-sponsored cyber programs of China, Russia, Iran, and North Korea are the greatest threats to Canadian security. In addition, the US Intelligence Community and the Canadian Centre for Cyber Security have identified China as the most significant state-sponsored cyber actor.

A major trend in cyber incidents is the use of ransomware, a type of intrusive software that hackers use to steal data. One incident involving ransomware is the Colonial Pipeline case. The company was targeted by a pro-Russian hacker group that demanded payment of US $5 million. As they did not know the extent of the infiltration, Colonial Pipeline responded by shutting down its entire network, including distribution. The disruption to the company’s daily oil production created a gas shortage in many major cities.

Although it took place in the US, the case provides Canada with a reminder to ensure it maintains strong defences on the cyber front, especially in CI sectors like energy. In 2019, Canada averaged 4.9 million barrels of oil per day. The implications of a complete shutdown in production in the event of a cyber-attack could be severe. Incidents like the Colonial Pipeline attack highlight CI’s vulnerability and the consequences of its disruption. They also demonstrate the difficulty of detecting and understanding the extent of attacks.

These concerns are shared by Canada’s allies in NATO. A recently published report by the Defence and Security Committee of the NATO Parliamentary Assembly has acknowledged the increasingly difficult task of defending CI against cyber-attacks. The establishment of NATO’s Cyber Operations Centre in 2018 and cooperative exercises in cyberspace, such as Cyber Coalition, demonstrate the organization’s commitment to facing cyber threats. Canada has attempted to follow its NATO allies in upgrading its capabilities to meet these issues.

In 2018, the Canadian government released its second National Cyber Security Strategy (NCSS), which it plans to implement from 2019 to 2024. The plan aims to fulfill three goals: upgrading capabilities, improving cyber skills and innovation, and bolstering coordination between Canada and its allies. Yet, Canada lacks a centralized policy that CI providers must follow when encountering cyber threats.

The Canadian government set up the Regional Resilience Assessment Program to provide CI owners with free-of-charge assessments to measure their defence capabilities against cyber threats. Unfortunately, many companies do not utilize this program as it is voluntary. With a lack of government insight, companies construct security measures independently. In addition, under Canadian federal law, privately owned companies, including CI, are not obligated to share their cyber-security information. This has led to an unnecessary situation that hinders cyber-threat mitigation and leaves Canada’s CI vulnerable.

Despite this, the future of Canada’s cyber security measures does not look bleak. The NCSS has completed some of its initiatives. For example, in 2018, the NCSS created the Canadian Centre for Cyber Security and launched the International Cyber Engagement Working Group, among other accomplishments.

The most pressing issue Canada needs to address is securing the systems that ensure the functioning of CI. The Regional Resilience Assessment Program provides a good starting point, but greater enforcement is needed to ensure CI providers are equipped against cyberattacks. The government has taken steps in this direction with Bill C-26, which requires vital industries to report cyber incidents and reinforce their security. As of 2023, the bill has yet to pass and is still being reviewed in the House of Commons. The success of Bill C-26 would be a significant step forward in protecting Canada’s essential infrastructure from cyber threats.

Although it still has quite a journey until completion, its existence proves that the Canadian government understands the necessity of having an effective cybersecurity apparatus. Yet, the technological capacity of cyber threat actors will only keep increasing. While no severe harm resulted from the cyber-attacks listed above, that doesn’t mean it can’t happen. Only time will tell if the measures in place can defend against future threats.



Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.

Alexander Lapsker
Alexander Lapsker is a Junior Research Fellow at the NATO Association of Canada. He graduated from Toronto Metropolitan University with a B.A. in History and is pursuing an M.A. in History at McMaster University. His research interests include the history of espionage, international relations, political ideology, and the history of terrorism.