Securing Canada’s cyberspace

Released: Monday February 6, 2017

While Canadians have openly embraced a new era of digital and technological innovation, the advent of the Internet has ushered in threats formerly unimaginable. Is Canada equipped to handle the adverse effects of this amplified connectivity?


INTRODUCTION

In a 2014 interview, Stephen Hawking observed that digital technology has ushered in a new era in human history. “We are all now connected by the Internet,” he said, “like neurons in a giant brain.”[1] Advances in bandwidth, processing and storage, as well as the emergence of affordable technologies, are helping to erase traditional socio-economic and geographic barriers. In their place, a global network has emerged that is connecting people and ideas in ways that were unimaginable only a few years ago.

Canadians have widely embraced this new digital era. A 2016 report by Smart Insights found that 91 percent of Canadians are active Internet users and approximately 58 percent of the population, or 21 million people, use social media.[2] Internet use is more than just a social activity: Canadians are also engaging more in Internet commerce, with sixty percent of respondents indicating they had purchased a product or service online in the past 30 days.[3]

Canadian governments and businesses have also been quick to move their operations online. Social media and the Internet offer relatively low-cost options for improving services and connecting with end-users. A 2013 report by Cisco projected that the Internet of Everything (IoE) economy is set to create $14.4 trillion in value by 2022.[4]

That this shift towards greater connectivity is generating great prosperity is well known. But it is also true that the Internet has amplified the threats we face while spurring new ones. In the rush to adopt new technologies, there has been no commensurate movement to educate people on how to responsibly use online tools. Many Canadians are unaware, for example, that engaging in seemingly-harmless activities, such as posting an image or blog, can lead to harmful consequences. Studies show that too many of us, both in our professional lives as well as at home, fail to practice basic safety etiquette that protects against many online threats. And many organizations fail to develop cybersecurity strategies or allocate enough resources to execute them.

The consequences of being under-prepared or unable to counter malicious online threats have been profound. Each year, thousands of attacks target Canadian businesses, governments and individuals, costing $3 billion in economic losses.[5] While there is no shortage of examples of cybercrime, highlighting a few high-profile attacks can help demonstrate the severity of the issue:

In 2011, Finance Canada, Treasury Board Secretariat and Defence Research and Development Canada — organizations central to the federal government’s economic, organizational and defence operations — were forced offline after hackers gained access to private information.

More recently, the Canada Revenue Agency and National Research Council (NRC) both experienced intrusions that resulted in the theft of 900 social insurance numbers as well as valuable research and development data.

Together, these breaches raised significant concerns among private sector partners about the reliability of government systems and the security of Canada’s critical infrastructure. According to many assessments, including a 2012 report by the Auditor General of Canada, governments are simply not doing enough to protect themselves from ever-changing digital threats.

The same could be said for many Canadian businesses. A study by the UK-based International Cyber Security Protection Alliance found that 69 percent of Canadian companies experienced a security breach in 2014.[6] These attacks range from malware and viruses to phishing and unauthorized access to corporate assets. In many instances, valuable client information has been compromised, resulting in millions of dollars in lost revenue and reputational damage.

While governments and businesses have committed large investments to addressing these threats, Canadians are at a greater risk of an online attack today than they were even a few years ago.

Why?

Part of the reason is that much of the dialogue on cybersecurity has focused on answering the same set of questions. Namely:

  • What is cybercrime?
  • How is it perpetrated?
  • What impact does it have on businesses, governments and individuals?
  • What are the components of an effective cyber-strategy?

Revisiting these questions from time to time is essential to understanding the constantly changing threat environment in which Canadians find themselves. This report briefly explores them in the next section to provide context for the pages that follow. But our research indicates that a deeper examination is needed on a different set of questions, including:

  • Why — despite greater awareness of cybercrime and the components of an effective cybersecurity strategy — are businesses, governments and individuals still not adequately protecting themselves from online attacks?
  • What barriers inhibit effective action?
  • How can stakeholders remove these barriers that are preventing Canadians from carrying out proven cybersecurity strategies and practicing safe online etiquette?

In 2016, the Public Policy Forum convened cyber-security experts from government, business and academia to explore these complex questions. Over a series of discussions, participants identified legal, philosophical, cultural, resource and education obstacles that deter Canadians from understanding cyber threats and implementing effective solutions. We believe that by understanding and removing these barriers, stakeholders will be better positioned to implement strategies that protect Canadians from online attack.


THE EVOLVING CYBER THREAT

“Like anything of value, information is also attracting the attention of adversaries looking for new ways to steal it, leverage it, and benefit from it. Although people often think of organized crime and other criminals, potential adversaries also include hacktivists, nation-states, and others not necessarily seeking direct financial gain.

As we look ahead to the personalization and consumerization of cyberattacks, adversaries may also include a competitor, political opponent, spouse, neighbor, or other personal nemesis, as well as the rising activity of chaotic actors who just want to see things burn.”

– McAfee Labs 2016 Threats Predictions


HOW CYBERCRIMINALS OPERATE

Economic theft and espionage

On the morning of November 24, 2014, the world awoke to news that one of the largest global companies was being held hostage.[7] Sony Pictures Entertainment’s internal servers had been breached by cyber-criminals who had gained access to data on employee records, executive salaries, unreleased films and private emails. The hackers demanded money lest the highly-sensitive information be made public.

Over the following week, Sony executives collaborated with the Federal Bureau of Investigation to track the source of the attack and disrupt the hackers’ ability to publish the material.

The efforts ultimately proved unsuccessful.

On December 1st, and continuing throughout the month, Sony’s privileged information was made public through a series of online data dumps. The released information unveiled secret conversations that proved embarrassing to staff and clients alike. It also had significant financial implications: in the weeks that followed, Sony’s stock fell by 10 percent and the direct costs of the attack were estimated at $50 million. The devastating and highly-public cyberattack underlined the very real danger that cybercrime poses for companies around the world.

Sony’s story is hardly unique. The number of companies that reported an unauthorized system breach has steadily risen over the past decade. Almost half of Canadian corporations that participated in a 2016 PricewaterhouseCoopers study reported they had experienced losses of between $100,000 USD and $5 million USD within the past two years.[8]

Small businesses, in particular, are experiencing higher levels of malicious intrusions. With fewer resources to protect against and recover from security breaches, upwards of 60 percent of affected small businesses are at risk of going bankrupt after an attack.

With so much at stake, researchers at RSA Conference and ISACA surveyed 1,500 cybersecurity professionals to get a better sense of who is perpetrating these attacks. Organizations responded that the sources of attacks had a variety of motivations. Their findings suggest that attacks were disproportionately carried out by cybercriminals (45 percent) and hackers (40 percent), rather than aggrieved employees (28 percent), hacktivists (19 percent) or state actors (17 percent).[9]

Table 1: Which of the following threat actors exploited your enterprise in 2014?

Source: RSA Conference and ISACA, State of Cybersecurity: Implications for 2015

SABOTAGE

Over the past few years, attacks against water systems, energy grids and other critical infrastructure have grown in frequency and severity:

· In March 2016, the U.S. Justice Department indicted seven hackers tied to Iran with executing a coordinated attack meant to shut down a New York dam. The accused were also charged with targeting “dozens of U.S. banks, causing millions of dollars in lost business.”[10]

· A 2015 attack on Ukraine forced its electrical grid offline, leaving 700,000 people without electricity. The incursion represented the first significant attack on national infrastructure, prompting governments around the world to step up security on electrical grids, water systems and other critical assets.

· An attack on Anthem, a subsidiary company of BlueCross BlueShield, compromised approximately 10 million health records in the United States.[11]

· A synchronized wave of denial-of-service (DoS) attacks against Estonia in 2007 severed the Baltic country’s telecommunication networks over a three-week period.[12]

· A 2009 pipeline explosion in Turkey has been widely attributed to a cyberattack.[13]

There is reason to believe that the scope and severity of these attacks could increase over the next few years. A recent report by Swiss Re, a multi-national insurance provider, found that cyberattacks on energy infrastructure could cost oil and gas companies upwards of $1.87 billion by 2018.

Canadian infrastructure has not been immune to cyber sabotage. In September 2013, Telvent Canada Ltd., a large electric utility company that helps manage pipelines, was hacked by criminals who stole internal records and data.[14] According to Francis Bradley, vice-president of the Canadian Electricity Association, “there is a growing appreciation among utilities that this is real, and it is part and parcel of doing business now.”[15]

RANSOM

Canada ranks among the top 10 countries most affected by ransomware. In May 2016, the University of Calgary was infected by malware that locked academic administrators and professors out of the school’s digital network. Fearing that the hackers would prematurely publish or corrupt years of research, the school paid the equivalent of $20,000 CAD to regain access to the systems.

A few months before the attack in Calgary, a Los Angeles hospital fell victim to a malicious cyberattack that locked administrators out of their patients’ digitized medical records. The hospital was forced to pay the hackers a ransom of $17,000 to release the privileged records.[16]

Evidence suggests that the impact and sophistication of ransomware is increasing. Symantec, the security software firm responsible for Norton Antivirus, has warned that crypto-ransomware — which encrypts a victim’s files so that they cannot access them — is quickly becoming the weapon of choice for cybercriminals.

Perhaps more worrisome, technology is making extortion simple for even novice hackers to carry out: “the advent of ransomware-as-a-service (RaaS) means a larger number of cybercriminals can acquire their own ransomware, including those with relatively low levels of expertise.”[17]

HARASSMENT

The tragic stories of Rehtaeh Parsons and Amanda Todd, two Canadian teens who took their own lives after being subjected to vicious online bullying, helped cast a national spotlight on the human cost of cyber abuse. Unfortunately, theirs is a familiar story in Canada. A 2013 study by Ipsos Reid found that almost 10 percent of Canadian teens have been victims of cyber bullying on social media sites. Nearly a third have witnessed online bullying or read an inappropriate comment posted about someone else.[18]

A growing number of celebrities have also fallen victim to harassment. In September 2016, Justin Bieber was forced to shutter his Instagram account after receiving abusive comments. Similarly, actress Leslie Jones famously closed her Twitter account in the summer of 2016 after receiving numerous death threats, racial slurs and other abuse from countless sources. While social media has been an instrumental tool for connecting people, it has also served as a platform for malicious harassment and hate.

EXPLOITATION

Child exploitation has also grown over the past decade as more youth gained access to the Internet. Studies show that young Canadians willingly share their information, post pictures and chat with strangers in online forums. These activities increase the risk of online sexual exploitation and exposure to unwanted sexual material and solicitation.

THE COMPONENTS OF A CYBERSTRATEGY

A general consensus among cybersecurity experts has emerged that individuals and organizations need a multi-pronged approach to security, which includes being prepared for inevitable breaches. At the organizational level, this requires a commitment among decision-makers to put in place an intentional plan that devotes resources and attention to education, technology and coordination within and across organizations. At the individual level, Canadians must be ever-vigilant by practicing safe online behaviour. Experts agree that Canadians should do more to protect their passwords, upgrade software and report suspicious activities, for example.

Numerous studies have suggested that an effective cybersecurity strategy should include the following components:

· Coordination: Ensuring that systems and departments across organizations are in sync to be able to spot, contain and respond to threats.

· Detection: Putting technology and knowledge in place to easily identify threats as they emerge.

· Prevention: Training employers and employees in proper online etiquette and how to identify and respond to cyber threats.

· Response: Establishing clear protocols on how to respond to various types of cybercrime to secure Canadians’ physical safety, information and assets from attack.

· Recovery: Having systems in place to ensure that assets, information and individuals are able to recover in the event of an attack.


BARRIERS TO IMPLEMENTING AN EFFECTIVE RESPONSE

“We know what to do but we are facing obstacles that are stopping us from putting plans in place. The lack of education, resources, coordination and other issues need to be resolved before our cyber strategy can be truly effective.”

– Public Policy Forum roundtable participant, March 2016


Over the course of our research it became clear that a number of barriers have emerged that are limiting Canadians from protecting themselves online. These barriers require greater examination so that stakeholders can better recognize them and put in place practices, policies and programs to overcome them.

THE SKILLS BARRIER

Some experts have estimated that there are over 2 million vacant cybersecurity positions worldwide and that this number could reach 10 million by the year 2020. Stakeholders who participated in the Public Policy Forum roundtables agreed that their inability to hire well-trained cybersecurity professionals has left their systems vulnerable to attack. Faced with a low supply of skilled talent, companies and government often compete with one another for the few cybersecurity experts that are available. According to some participants, this has created an uneven competition whereby governments, small-medium enterprises (SMEs) and non-profit organizations are often unable to secure cybersecurity experts because they cannot compete with large private sector companies that can offer more generous remuneration.

In 2016, the Center for Strategic and International Studies (CSIS) surveyed people in eight countries — Australia, France, Germany, Israel, Japan, Mexico, the United Kingdom and the United States — to try to better understand this labour deficit. The findings suggest that the challenges facing Canadian employers are becoming universal. Over 80 percent of respondents indicated that their countries do not have enough skilled talent to address the cybersecurity challenges they face. Three quarters (71 percent) said that the talent deficit had inflicted “direct and measurable damage,” with some suggesting that their organization had become targeted due to the talent gap. Perhaps unsurprisingly, the vast majority (75 percent) of respondents indicated that their governments are not doing enough to address this challenge.[19]

“Running a company without enough trained cybersecurity professionals is like driving a car without seatbelts. Every bump leaves you vulnerable. Minor issues can generate catastrophic consequences.”

– Roundtable participant

THE LITERACY BARRIER

Most cyberattacks are preventable. The emergence of sophisticated security programs has made penetrating networks increasingly difficult for attackers. Instead, cybercriminals are increasingly relying on human error to bypass next-generation perimeters that protect organizational networks. Studies demonstrate that this approach has been effective. The average Canadian makes common mistakes that compromise the integrity of their individual and organizational networks. They include: opening suspicious emails or hyperlinks, plugging infected USB sticks into corporate computers and sharing passwords. According to the 2015 Verizon Data Breach Investigations Report, 97–98 percent of attacks could be avoided through proper education programs.

Yet many organizations do not require their employees to attend cybersecurity courses or take the preventative steps that are often necessary to protect themselves online.

Many Canadians fail to report online security breaches, or do not know how to do so. It’s also becoming more difficult to detect threats that are organized online, as the recent attacks in Paris, San Bernardino and Brussels, among others, demonstrate.

THE LEGAL BARRIER

In many ways, the Internet resembles a modern day incarnation of the Wild West. The lack of clear rules and laws in cyberspace has made it easier for some people to commit criminal acts online. While police do have an online presence and play a vital role in apprehending cybercriminals, inconsistent policies across jurisdictions make it difficult to establish order, reinforce social norms and enforce the law.

Even if the rules were clear, police often don’t have the resources to enforce them. Roundtable participants expressed concern that the law enforcement community is working with outdated models that do not allow them to appropriately respond to threats that rapidly appear and disappear. For example, the practice of segmenting crime by offence may not be useful for cybercrime, which often intersects with many different areas of the law.

Participants suggested that the existing segmented model creates artificial silos between law enforcement sections and divisions that can complicate the understanding and prosecution of cybercrime.

How we understand and discuss cybercrime also varies among law enforcement, technology experts and the general public. Stakeholders routinely differentiate between traditional crime and cybercrime, implicitly suggesting that the latter is somehow divorced from existing laws, including the Criminal Code. While stakeholders should seek to update legal frameworks, participants suggested that the false dichotomy between cybercrime and other criminal activities is inaccurate and unnecessarily creates misperceptions.

“There should be no special designation for cybercrime. Crime is crime no matter the platform that is used.”

– Roundtable participant

THE STANDARDS BARRIER

The absence of uniform baseline standards on data retention and storage has created an environment in which companies prematurely delete information and improperly store records. Participants suggested that companies are seeking assistance on data governance, risk and compliance, but require guidance from government.

The lack of an explicit set of standards was one barrier identified, and presents a substantive obstacle to ensuring Canada’s cyber-infrastructure is properly prepared to handle potential intrusions.

Many businesses are more focused on being compliant with existing security and information standards than seeking to enhance their security. Participants suggested that some organizations provide very basic protections simply to “check it off” the list of items they feel compelled to complete. Participants suggested that tax options could provide incentives for companies to improve their information and data practices beyond mere baseline standards.

Inconsistent data preservation practices across organizations and jurisdictions are a source of significant concern. In an effort to protect Canadians’ privacy, the Governments of British Columbia and Nova Scotia prohibited, with certain exceptions, government bodies from transferring domestically-collected data outside of the country. These laws prevent schools, post-secondary institutions, hospitals, government-owned utilities and other public bodies from using foreign services when personal information could be accessed from or stored outside of Canada. For privacy advocates, these laws have helped secure Canadian information from being sent to jurisdictions with weaker data and privacy standards. However, the policy has led to some unintended consequences. Residents of British Columbia and Nova Scotia, for example, find it much more difficult and expensive to access outsourced services as a result of the data restrictions.

Canada does not have sufficient standards, laws or policies to compel software engineers to ensure that stringent safeguards are incorporated into the development of new technologies. Pressed by limited time and resources, many entrepreneurs and technologists focus more on the functionality of their technology than on potential security and privacy vulnerabilities.

“We need a broader perspective on data governance that lays out how to collect, store, categorize and share information.”

– Roundtable participant

The absence of digital standards means that many companies do not engineer adequate security default settings into their products. Participants suggested that ordinary consumers do not often have the technical knowledge to know when their devices are unprotected. This can leave them vulnerable to cyberattack.

Over the past decade, the federal government has introduced regulations to protect Canadian data that is transferred and stored outside of the country. Updated privacy standards have also spurred a number of corporations to establish data centres on Canadian soil. These centres represent an important development for security and privacy champions seeking to better secure Canadian data. However, project participants suggested that governments should seek to work closely with the private sector to determine what can be done to incent more businesses to store their data in Canada.

The ability to positively identify people without disclosing private information could reduce incidences of online fraud and identity theft. The Government of British Columbia has been a leader in developing positive identification tools. The province plans to release a new B.C. Services card that a service provider can scan to validate an individual’s identity. The cards do not contain any personal information nor any government records. They can also easily be deactivated if they are misplaced or stolen. Governments could use this type of technology in other contexts to safely and securely provide positive identification.

THE DATA BARRIER

Measuring the risk of cybercrime is a complex undertaking. Online criminal activities evolve faster and can exact more damage than traditional criminal activities. In the current Internet of Things era where everyone has a smartphone, threats have become increasingly amorphous and ubiquitous. As a result, many Canadians struggle to predict, track and counter online attacks.

What’s more, risk can vary considerably across organizations. Software, networks and online processes differ considerably across Canadian companies. This heterogeneous digital architecture can provide security against uniform online attacks — since companies operate on different systems, hackers are often unable to deploy the same code to gain access to computers across an entire industry. However, companies that customize their computer systems, networks and processes can inadvertently create weaknesses that are unique to their organization. This can make it difficult to measure the risk a company faces without conducting a full analysis of its digital architecture. Without such an assessment, however, leaders are unable to accurately gauge the severity of the threats they face, or how they can best allocate limited resources to protect themselves and their customers.

The costs of measuring risk can also be prohibitive. Cyber metrics and modelling offer one option that can help organizations identify and measure technical, behavioural and economic factors that can compromise networks. Yet many organizations do not have the resources to keep abreast of constantly changing threats or to manage complex cyber risk programs. This is particularly true for small-medium enterprises.

In a 2015 interview, Elizabeth Ireland, Vice President of security software company Tripwire, summarized the challenges posed by the data barrier by saying:

“An organization needs a framework to make decisions against — this protects against unlimited spending or under spending, and clearly ties investment to what matters to the business… setting the level of acceptable risk is a part of good management, and while the cybersecurity team should have input, it is the business that needs to accept the risk — in many organizations this is a challenge as measuring cyber-risk is a new discipline.”[20]

THE RESOURCE BARRIER

Every company has financial and labour restrictions that limit how they can respond to online threats. To be sure, Canadian business leaders have devoted funding to cybercrime education and prevention programs over the past decade. These efforts are important as companies shift more of their operations online.

However, additional funding and programs are needed.

A 2016 study by PricewaterhouseCoopers suggests that “while it is encouraging that Canadian business spending on safeguarding against cybersecurity threats increased by 84 percent year over year, that increase is outpaced by the spike in incidents, and still only represents 5 percent of total spending on Information Technology.”

Costly attacks on the Government of Canada, Sony and the United States Department of Defense demonstrate that large investments alone do not necessarily guarantee cybersecurity. However, leaders from across sectors could benefit from exploring how they can better share their assets to improve cybersecurity.

THE COORDINATION BARRIER

Studies suggest that Canadian governments, businesses and post-secondary institutions have traditionally found it difficult to share information. In the absence of a comprehensive approach that provides all stakeholders with equitable access to tools, knowledge and partnerships, hackers have been able to exploit gaps.

In the winter of 2015, nine large Canadian companies and the Canadian Council of Chief Executives announced the launch of the Canadian Cyber Threat Exchange (CCTX), a non-profit organization that will “allow firms to share information amongst themselves, government and research institutes about cyber attacks.”[21] The establishment of CCTX is an encouraging sign that leaders recognize the importance of collaboration.

However, additional partnerships and coordination will be needed. John Proctor, Vice President of the global cybersecurity firm CGI, recently suggested that many Canadian companies choose to address cybercrime themselves rather than pass the information along to the RCMP or local authorities. This lack of information-sharing makes it difficult for police to track and prosecute crimes. Moreover, CCTX and other networks will need to include smaller companies, which are often unable to benefit from knowledge that has been acquired by larger organizations.

Cyber-criminals have been extraordinarily proficient in changing their tactics and targets. Canadian leaders need to be just as dynamic. Partnerships and information-sharing could provide one cost-effective way to improve an organization’s online security. Greater discussion is needed, though, to determine the types of arrangements that could be most useful.


RECOMMENDATIONS

“The threats have changed dramatically over the last two decades. It used to be enough to have thugs at the gate to protect us from physical attacks. Today, we have to be Merlin in the castle to protect against invisible ones.”

– Public Policy Forum roundtable participant, March 2016


RECOMMENDATION: DEVELOP A LONG-TERM, HOLISTIC AND MULTI-SECTOR STRATEGY

Participants agreed that Canada needs a comprehensive cybersecurity plan that applies to all sectors of society. The approach should identify long-term goals, and the short- and medium-term milestones that will be required to achieve them. It should also clearly define roles and responsibilities for each stakeholder. Participants agreed that the strategy should be proactive in nature, improving Canadians’ capacity to identify and protect against future threats.

RECOMMENDATION: INITIATE A NATIONAL CYBERSECURITY DIALOGUE THAT BREAKS DOWN SILOS AND MISCONCEPTIONS

Government, business, law enforcement and academic leaders need a long-term approach that leverages resources and expertise. A broad pan-Canadian conversation will be essential for fostering trust among stakeholders and partnerships to better secure information and data. Law enforcement should be a key player in this initiative to overcome misconceptions surrounding online activities and intent.

Conversations addressing the need for greater preparedness against cyber threats shouldn’t happen in isolation; they must take place across sectors, disciplines and organizations in order to optimally leverage resources and knowledge.

RECOMMENDATION: WORK COLLABORATIVELY TO ESTABLISH A DATA GOVERNANCE REGIME

Canada requires clear rules on data sharing and storage. In today’s interconnected world, our country cannot establish data governance standards alone. Clearly-defined international standards are needed. Canadian leaders should seek to work with their global counterparts to establish common rules for data collection, transfer and preservation. Standards should be flexible enough to allow stakeholders to share information in ways that strengthen security.

RECOMMENDATION: DEVELOP AN EXCHANGE TO SHARE INFORMATION ON CYBER THREATS AND SOLUTIONS

Participants suggested that Canadian utilities, businesses, governments and others need to establish a secure forum in which to share information. Participants acknowledged that some industries have created information commons already, such as the Canadian Cyber Threat Exchange.

However, a one-stop shop is needed that brings together all segments and all stakeholders, making it easier to discuss threats and share best practices. To help initiate such an institution, governments should explore how they can adjust liability regulations that can inhibit information-sharing.

RECOMMENDATION: ESTABLISH EDUCATION PROGRAMS THAT TARGET SPECIFIC SEGMENTS OF SOCIETY

A cybersecurity strategy is only effective if those charged with implementing it have the requisite knowledge and capabilities to do so. The most secure systems can be compromised if individuals do not practice proper online etiquette. Participants agreed that general awareness campaigns are needed to improve Canadians’ knowledge of cyber threats. Primary, secondary and tertiary school curriculums should also include courses that teach students how to recognize and protect themselves from malware, phishing and other online crimes. For example, British Columbia made coding classes a core part of its primary school curriculum. These and other similar courses will help the next generation develop valuable skills that can be utilized to secure Canada’s critical infrastructure.

Education campaigns are also needed to inform decision-makers on the specific threats they face and how they can be mitigated. Participants suggested that the objective should be to share information and help escalate cybersecurity onto the agendas of presidents, CEOs and board members.

Continue educating the public on cybersecurity and work with the provinces to provide educational campaigns in order to raise awareness in the general population about the threats of cybercrime.

More targeted initiatives are also needed. Study participants suggested that the provincial governments should explore how they can introduce cybersecurity courses into primary, secondary and tertiary schools to raise awareness and train the next generation of security experts.

Ethics courses should also be more systematically introduced into engineering programs to train students to incorporate security considerations when they are developing software and devices.

RECOMMENDATION: UPDATE LEGISLATION AND STANDARDS TO INCLUDE NEW SECURITY PROVISIONS

Study participants recommended that the Government of Canada, in collaboration with the Canadian Standards Group, should create standards that ensure that software and computers developed and imported into Canada include advanced default security settings.

Ottawa should also consider how it can make it easier for Canadian law enforcement agencies to work with their international counterparts to share data and apprehend criminals. Participants noted that it can take a significant amount of time for Canadian police to receive information from other countries on suspected criminals.

Additional rules are needed around the design of software and computer networks. Participants suggested that new regulations could ensure systems are engineered with superior security features and default settings. Participants also suggested that existing operating systems and business software, which may not accommodate the new changes, could be retrofitted with this capability. Governments could then enforce compliance on data preservation and retention, perhaps through certification.

Governments should also consider imposing rules that compel foreign companies to include stricter default security settings when exporting technology into Canada.

RECOMMENDATION: SUPPORT VICTIMS OF CYBERCRIME

The public, private, academic and non-profit communities should explore how they can better support victims of cybercrime. Privacy and security breaches can upset an individual’s life and, in some circumstances, lead to suicide. Participants suggested that a national, multi-sector program is needed to assist victims to overcome their experience and mitigate the adverse effects of the event.

Endnotes

[1] Jon Swartz, January 12, 2014, “Stephen Hawking Opens Up,” USA Today, Accessed online at: http://usatoday30.usatoday.com/MONEY/usaedition/2014-12-02-QampA-with-Stephen-Hawking_ST_U.htm
[2] Simon Kemp, January 2016, “Digital in 2016: We Are Social’s Compendium of Global Digital, Social, and Mobile Data, Trends, and Statistics”, Smart Insights, Accessed online at http://www.smartinsights.com/social-media-marketing/social-media-strategy/new-global-social-media-research/
[3] Ibid.
[4] 2013, “Embracing the Internet of Everything to Capture Your Share of the $14.4 Trillion,” Cisco, Accessed online at: http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoE_Economy.pdf
[5] Symantec, 2013, “2013 Norton Report”, Accessed online at http://www.symantec.com/content/en/us/about/presskits/b-norton-report-2013.en_ca.pdf
[6] International Cyber Security Protection Alliance, 2014, “Study of the Impact of Cyber Crime on Businesses in Canada: Fighting Cybercrime Together”, Accessed online at https://www.icspa.org/wp-content/uploads/2014/12/ICSPA-Canada-Cyber-Crime-Study-Report.pdf
[7] 2015, “r/hacking,” Reddit, Accessed online at: https://www.reddit.com/r/hacking/comments/2n9zhv/i_used_to_work_for_sony_pictures_my_friend_still/
[8] 2016, “Global Economic Crime Survey 2016,” PwC, Accessed online at: http://www.pwc.com/ca/en/deals/publications/2016-02-Global-Crime-Survey-Canada.pdf
[9] RSA Conference and ISACA, “State of Cybersecurity: Implications for 2015,” Cybersecurity Nexus, Accessed online at: http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf
[10] Dustin Volz and Jim Finkle, March 25, 2016, “U.S. indicts Iranians for hacking dozens of banks, New York dam,” Reuters, Accessed online at: http://www.reuters.com/article/us-usa-iran-cyber-idUSKCN0WQ1JF
[11] 2014, “Statement regarding cyber attack against Anthem”, Anthem, Accessed online at https://www.anthem.com/health-insurance/about-us/pressreleasedetails/WI/2015/1813/statement-regarding-cyber-attack-against-anthem
[12] “A cyber-riot”, The Economist, Accessed online at http://www.economist.com/node/9163598
[13] Jordan Robertson and Michael Riley, December 10, 2014, “Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar”, BloombergBusiness, Accessed online at http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar
[14] Stephen Star, January 3, 2013, “Cyberattack threat in Canada’s oil patch raises risk of disruptions, stolen data”, Financial Post, Accessed online at http://business.financialpost.com/news/energy/cyberattack-threat-in-canadas-oil-patch-raises-risk-of-disruptions-stolen-data
[15] Shawn McCarthy, May 7, 2014, “Utilities face growing risk of cyberattack”, The Globe and Mail, Accessed online at http://www.theglobeandmail.com/report-on-business/expanding-electricity-grid-poses-cyberthreat-for-utilities/article18536720/
[16] Danny Yadron, February 18, 2016, “Los Angeles hospital paid $17,000 in bitcoin to ransomware hackers”, The Guardian, Accessed online at http://www.theguardian.com/technology/2016/feb/17/los-angeles-hospital-hacked-ransom-bitcoin-hollywood-presbyterian-medical-center
[17] 2016, “An ISTR Special Report: Ransomware and Businesses 2016,” Symantec, Accessed online at: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf
[18] February 26, 2013, “Bullies taking to social networking as teens become more mobile,” Ipsos, Accessed online at: http://www.ipsos-na.com/download/pr.aspx?id=12507
[19] Center for Strategic and International Studies, 2016, “Hacking the Skills Shortage: A study of the international shortage in cybersecurity skills,” McAfee, Accessed online at: http://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf
[20] Tripwire, June 22, 2014, “Overcoming Internal Barriers to Adopting Cyber Security”, Accessed online at http://www.tripwire.com/state-of-security/featured/overcoming-internal-barriers-to-adopting-cyber-security-2/
[21] Sarah Reid, December 11, 2015, “Canadian companies have a big new ally in the fight against cyber crime”, Financial Post, Accessed online at http://business.financialpost.com/fp-tech-desk/canadian-companies-have-a-big-new-ally-in-the-fight-against-cyber-crime?__lsa=601d-5f2c

