This piece originally appeared in The Hill Times on October 26, 2022.
Russia’s war on Ukraine has critical infrastructure operators around the world on red alert. As tensions rise, IT professionals everywhere are bracing for Kremlin-backed cyber attacks. But while hackers use new tactics to wreak havoc abroad, here in Canada, old vulnerabilities lie dormant in some of our most important networks.
Earlier this year, CIRA detected a huge spike in malicious traffic inside the network of a critical infrastructure operator with an extensive IoT network. The culprit was the notorious Mirai Botnet—a six-year-old form of malware that attacks vulnerable IoT and smart devices. Mirai was actually responsible for one of the largest cyber attacks in history back in 2016.
Thankfully, our DNS Firewall service was able to help this organization stop the bad traffic at its source. Otherwise, the attack could have interrupted the lives of millions of Canadians.
Dormant vulnerabilities exist across the country, and many of them are not new—in fact, in “internet years,” many are practically geriatric. But each is a ticking time bomb ready to go off if the right bad guy finds them.
Of course, technological land mines are not the only problem; changes in business operations, like the pivot to hybrid and remote work, also increase cyber risks.
Over the summer, CIRA surveyed over 500 information technology (IT) and cybersecurity decision-makers from organizations across the country—the results were eye-opening.
Half (50 per cent) of the organizations we polled said they have a hybrid work environment, and a similar number (55 per cent) said they felt their organization was more vulnerable to cyber threats as a result.
Other findings from our survey appear to support this. For example, the number of security breaches in Canadian organizations has nearly doubled from 18 per cent to 29 per cent since the pandemic began in 2020.
It’s easy to focus on technological vulnerabilities, but, all too often, human beings are the weakest link in an organization’s cybersecurity defences. That’s why experts recommend that companies invest in cybersecurity awareness training for their staff.
Creating a corporate culture of cyber awareness is not a one-and-done—it requires frequent refreshers and an updated curriculum as new threats emerge.
Unfortunately, our survey found that most organizations (87 per cent) only conduct cybersecurity awareness training quarterly or less. Increasing the frequency of training will go a long way towards protecting organizations.
With threats on the rise, many are wondering how the federal government can help. During Public Safety Canada’s recent consultation on the National Cyber Security Strategy, we recommended a handful of steps the government can take.
First, government agencies can and should provide threat intelligence data to trusted cybersecurity service providers to raise the baseline level of cybersecurity across the country. Increased collaboration will boost our ability to head off threats before they interrupt Canadians’ lives.
Second, the Government should continue to fund the adoption of cybersecurity technologies for organizations of all types, like they do with the Canada Digital Adoption Program (CDAP). We know from our own work that underfunded IT departments are one of the greatest cyber threats facing the public sector and other institutions. That’s why CIRA supports the continuation of the CDAP and wants to see other programs targeting important sectors like critical infrastructure.
Third, the Government must work to educate individual Canadians on the cyber risks they face and practical approaches to mitigate these. The Canadian Centre for Cyber Security is producing excellent materials, and we’d like to see them in the hands of as many people and organizations as possible.
As the volume of cyber threats and geopolitical tensions continue to rise, the National Cyber Security Strategy is a golden opportunity to bolster the security of Canada’s networks and ensure that our critical infrastructure operators are ready for cyber offensives no matter where they come from.