CYBER SECURITY REPORT - How secure is Canada?

2023-12-27

BY JAMES CARELESS

 

Canadian Cyber Security and the Threats We Face

 

How secure are Canada’s cyber resources, and how serious are the cyber attacks battering the defences of this country and our allies? For this year’s Cyber Report, CDR decided to focus on the view of four truly expert organizations to answer these questions and others. Here’s what they had to tell us.

CAF CYBER FORCES ON THE FRONT LINES

Rear-Admiral Luciano (Lou) Carosielli is the Cyber Force Commander of the Canadian Armed Forces (CAF). As such, he is on the front line of Canada’s military cyber defences.

“I am responsible for a very unique grouping of teammates that covers the Cyber, Signals Intelligence and Electronic Warfare team,” RAdm Carosielli told CDR. “As it pertains to Cyber, I am responsible for the force generation, force development and commanding the various CAF cyber forces and their elements on behalf of the Chief of Defence Staff (CDS).”

 The CAF’s Cyber Forces are responsible for protecting DND/CAF networks at home and abroad, plus responding to cyber attacks on those networks. “We do this through the conduct of full spectrum cyber operations to include defensive and offensive cyber operations in coordination with allies, partners and host nations,” said RAdm Carosielli. “It is a global force that is involved in operations 24/7. We support Government of Canada cyber priorities, the CDS's operational priorities and we also are prepared to provide cyber effects to operational commanders such as CJOC, CANSOFCOM and NORAD. We work closely with allies and are a fully integrated partner with the Communications Security Establishment (CSE) as it pertains to all cyber operations.”

 Russia’s invasion of Ukraine has not affected the CAF’s cyber readiness, said RAdm Carosielli. But it isn’t from a lack of trying on Vladimir Putin’s part. “The conflict in Eastern Europe has seen every type of cyber incident imaginable in both the pre-conflict and conflict stage and all western nations must be prepared to face these types of incidents in the future,” he said. “Specifically, Russia targeted Ukrainian critical infrastructure in order to disrupt systems and gain intelligence. Following the invasion, Russia used a blend of conventional and unconventional means to target Ukraine's digital infrastructure. For example, Russia used cruise missiles to target Ukraine's government data center and other ‘on premises’ servers, and also deployed destructive malware against various sectors, including government, financial, and energy. Russia has not limited its malicious cyber activities to Ukraine and has ramped up its efforts against nations and entities who support Ukraine.”

In response to the Russian invasion in early 2022, the CAF immediately stood up a Cyber Task Force to help Ukraine bolster its cyber defence capabilities. This Cyber Task Force supplies Ukraine with cyber-security expertise, cyber threat intelligence, software tools, and technical solutions to help them to better defend their networks against cyber attacks. The CAF has also deployed a Cyber Task Force to Latvia to conduct joint defensive cyber operations with them for the same reason. “In fact, our Cyber Task Force in Latvia recently worked in tandem with a team of cyber experts from the US Cyber Command on defensive cyber threat hunting operations focussed on Latvian critical infrastructure,” RAdm Carosielli told CDR.

 As well, CAF cyber forces have worked with cyber experts from Belgium, the EU Agency for Cybersecurity (ENISA), Latvia, Ukraine and the US, to name a few. “In addition to nation-state cooperation, the war in Ukraine has also shown us how critical partnerships with the private sector can be,” said RAdm Carosielli. “Cyber threat intelligence and information sharing remains essential to anticipating, mitigating, and countering malicious cyber actions.”

 So, who are the ‘bad guys’ that the CAF Cyber Forces are up against? When it comes to Russia, there are a myriad of actors at play. They include state-sponsored cyber attackers such as Russia's three intelligence services, pro-Russia cyber threat actors, cybercriminals and hacktivists. But that’s not all: “The National Cyber Threat Assessment 2023-24, published by the Canadian Centre for Cyber Security (CCCS), highlights that the state-sponsored cyber programs of China, Russia, Iran and North Korea continue to pose the greatest strategic cyber threat to Canada,” RAdm Carosielli said. “Canada's critical infrastructure continues to be a prime target for state-sponsored actors, proxies as well as for cyber criminals.”

Speaking solely for the CAF, RAdm Carosielli feels that “we are ready” to face the current level of cyber threats. This being said, “Strong, Secure, Engaged directed the CAF to assume a more assertive posture by hardening our defences and developing and using offensive cyber capabilities,” he noted. “The CAF continues to meet this direction including through the Cyber Mission Assurance Program, which aims to increase the cyber-resiliency of CAF capabilities and assets, and by conducting cyber operations in support of military operations, including in partnership with the Communications Security Establishment (CSE).”

 “DND is currently updating its defence policy,” RAdm Carosielli added. “Shoring up the capabilities needed for modern conflict, by exploring and adopting emerging technologies, will be one of the key themes. When wielded effectively and responsibly, digital technologies can bring operational opportunities that can give Canada a critical edge over adversaries. This is why advancing DND/CAF's adoption of digital technology, AI, and big data will be critical to our future success. Likewise, creating a stronger environment for defence innovation, including through partnerships with industry and academia, is an area where we have room to improve.”

Given Russia’s proven ability to learn, improvise, and adapt its tactics, this degree of change – and likely more – will be required for the CAF to keep up with this adversary and other hostile players. “Russian behaviour is increasingly opportunistic and unpredictable and cyber operations will certainly remain one way in which Russia will pursue its objectives,” said RAdm Carosielli. This being the case, “Ukraine and its allies, including Canada, will need to stay vigilant and continue to strengthen existing international cooperation to make sure we remain able to adapt to any sudden changes in Russia's behaviour and to the needs of Ukraine. The future is not bleak however, advancements in technology and reliance on digital infrastructure do increase vulnerabilities, but also present opportunities. After all, our adversaries are just as dependent on digital technologies as we are. We have to position ourselves to plan for and seize opportunities when they come.”

 

CCTX SAYS CANADA IS COPING

Established by the private sector, the Canadian Cyber Threat Exchange (CCTX) is Canada’s not-for-profit, cross-sector cyber threat sharing and collaboration hub. It currently provides vital cyber security information to its almost 170 member companies and organizations. “Learning from each other, having a trusted group to discuss challenges, and sharing experiences — that’s how our members improve their cyber posture and resiliency and reduce their cost of security,” said CCTX Strategic Advisor, Bob Gordon.

According to Gordon, the Russian invasion of Ukraine introduced ‘hybrid warfare’ to military confrontations. This means that “kinetic warfare now includes the cyber domain,” he said, which does not lie within defined physical boundaries. This means that anyone who aids one side of the conflict is open to attack by the other side, no matter where they may be located geographically. As a result, “the private sector runs the risk of becoming part of the extended cyber battlefield and in doing so, a legitimate target,” he told CDR. Attacks can come from “traditional government institutions, such as military forces, and private entities, some of which act on the direction of governments and some acting on their own as electronic partisans.”

Based on CCTX’s information, the cyber attacks being staged by Russia against Ukraine and its allies have focussed on hindering the functioning of the Ukrainian government and parts of that country’s critical infrastructure, along with “influence operations” to weaken the morale of the population. “Techniques include the use of destructive malware designed to deny access to essential data, and distributed denial of service (DDoS) attacks to prevent access to on-line services thereby disrupting people’s daily lives,” said Gordon. “Attacks against NATO countries have been undertaken to conduct reconnaissance operations against critical infrastructure, to launch denial of service attacks, and undertake ransomware attacks.”

This being said, Russia isn’t the only hostile player cyber attacking Canada and our allies. “We continue to see state-sponsored cyber attacks from nation states such as China, North Korea, and Iran as well as ongoing attacks from criminal organizations,” Gordon told CDR. “The challenge is distinguishing whether an attack originates from a purely criminal enterprise, or whether it is operating as a cyber-proxy for a foreign government. Their objective is to provide the sponsoring government with a veil of plausible deniability that they were behind the attack.”

Despite the current wave of cyber attacks, Bob Gordon said that Canada’s cyber defences are coping. As far as he can see, “CAF, DND, and the Canadian government are well prepared to deal with the types of attacks resulting from Russia’s invasion; however, the need to be vigilant remains high.”

Canadians need to remain vigilant because hackers are constantly probing our defences and searching for our weaknesses. “Although the technical capability of Canadian entities is generally well suited to deal with these types of attacks, the human element of the cyber defence strategy continually requires reinforcement,” Gordon told CDR. “Attackers constantly target the human part of the defence equation — the first line of defence. Periods of heightened stress increase the likelihood that a phishing attack [where someone in a secure organization unwittingly clicks on a seemingly-benign link or attachment within an email that actually allows hackers in] will successfully trick a victim into doing something that enables a successful cyber attack.”

To make this vigilance meaningful, Canadians need to get serious about cyber security, both on the job and at home. According to Gordon, enacting and consistently following basic cyber resiliency practices are the most effective defence mechanisms. “Best practices include establishing and exercising a cyber incident response plan, backing-up data, using multifactor authentication and applying software patches as soon as possible,” he said. As well, “guidance to Canadians has been provided by the Canadian Centre for Cyber Security and its Five-Eyes Partners during specific periods of heightened alert, e.g. on the anniversary of the Russian invasion.”

On the ‘good news’ side of the current cyber warfare situation — if there can be such a thing — many of the cyber attacks associated with the Russian invasion have been carried out by criminal organizations and hacktivists. “Most of these attacks have not used some of the sophisticated techniques normally used by nation states,” said Gordon. “Consequently, the use of cyber security Best Practices has proven to be a very effective defensive tool.”

On the ‘bad news’ side, maintaining vigilance can be challenging the longer the crisis remains in effect. To counter this fatigue factor, the release of a refreshed Canadian government cyber security strategy and passage of legislation relating to critical infrastructure and cyber security will help to maintain awareness of Canada’s cyber risks, Gordon predicted. “These measures will encourage continued vigilance and set clear expectations for the public and private sector.”

As for the future? Expect more of the same cyber threats going forward — and worse. This is because cyber attackers are adopting advances in technology to enhance their attack techniques. For example, “evidence is emerging of hostile actors using artificial intelligence to improve the likelihood of a successful cyber attack,” said Gordon. “Defenders need to invest in this same technology. Failure to keep pace with the technology will ensure the attackers have the upper hand.”

In the meantime, Canadian defence companies need to put basic cyber hygiene measures in place now. “The focus must be on cyber resilience which acknowledges that the organization will likely become the victim of a cyber attack,” Gordon told CDR. “Procedures need to be established to safely resume business operations as soon as possible after the attack.”

This is where belonging to the CCTX can help. “Companies increasingly recognize that they cannot achieve cyber resilience on their own,” he said. “The value of collaborating with other organizations is becoming increasingly apparent. Sharing best practices, experiences and cyber threat information reduces financial, operational, and reputational risk. Cross-sectoral collaboration through organizations such as the CCTX, helps to reduce the cyber risk to all parts of the defence supply chain.”

 

SAPPER LABS SAYS CANADA NEEDS TO DO MORE

Headquartered in Ottawa, Sapper Labs Group is a veteran-owned Canadian intelligence and cyber defence company. It provides products and services in these realms to defence, government, and critical infrastructure operators to Canada and our allies.

For his part, Sapper Labs CEO Allen Dillon is not impressed by the Canadian government’s cyber defence policy and actions to date. “I would argue that the western world has been actively engaged in a persistent cyber conflict for years, to which we have largely been asleep at the wheel in Canada,” he told CDR. “While there are clear signs of change and more urgency brought about by the war in Ukraine and the ‘spicy’ global environment, we are stifled by a post-Covid bureaucracy grappling with any sense of accountability, disjointed departmental security mandates and overall Defence leadership challenges to produce the necessary focus and baseline to ‘force generate’ in the cyber and intelligence domains.”

To turn this situation around, Canada needs a dedicated cyber defence/intelligence training system to produce and develop its military cyber teams. “The current attempts using academic institutions and general commercial training providers are failing,” said Dillon. “We need purpose-built basing and advanced training for our cyber and intelligence defenders, and I believe it will take an alliance of DND (the Department of National Defence) and industry to create the necessary operator outcomes. Furthermore, we need to move away from archaic procurement policies for cyber and intel as the current process is designed for major crown procurements. We must move faster and more nimbly to meet with the adversary dynamics in these domains.”

According to Al Dillon, the Russians and their private military forces — particularly the Wagner Group — have been exploiting cyber warfare since the lead-up to the February 24, 2022 Ukrainian invasion. The good news is that “the Ukrainians did anticipate this dynamic and were supported by Western allies and white hat groups working to disrupt and counter their offensives,” said Dillon. “They did so very effectively, and they continue to do so to this day.”

The same can’t be said for western countries who have been bombarded by disruptive Russian propaganda via the internet; particularly via poorly-moderated social media sites. “Disinformation has been a favorite weapon of choice by the Kremlin and their supporters,” said Dillon. “The anonymity of the internet makes it easy for them to shape narratives and influence public opinion through disinformation campaigns.”

Even though there are cyber defence teams in the West reacting to these threats, “the laws/order of a rules-based society limits their capacity to deal with adversaries that have no such limitations,” Dillon observed. “It’s a global competition for resources and influence, so the adversaries use both active and delayed attacks on our institutions. These attacks may have the desire to steal IP, money, disrupt capability or simply destabilize, for example. We need only reflect on the effectiveness and disruption of Chinese investment and influence operations in Canada to realize the destabilizing effect it has on the government.”

 

ARTIFICIAL INTELLIGENCE (AI)

Then there’s the emergence of artificial intelligence (AI) and the transformative advances it is enabling in information technology — including, unfortunately, hacking and cyber attacks. “The use of modern AI is arguably the most impactful technology of our lifetime, for both good and evil,” said Dillon. “Left unchecked, our adversaries will use it against us to gain advantage regardless of the risks to their own societies. It is reasonable to anticipate that our adversaries will employ AI in combat and against our nation when advantaged to do so.”

To counter these cyber threats, Al Dillon is calling for new global conventions and treaties to tighten up on the loopholes being exploited by hostile players. The good news? “There are several initiatives underway,” he reported. “That said, we need our current Government of Canada leadership to care, and I fear this is not in the cards. DND leadership has recommended significant change and are poised to act on some meaningful structure in the interim.”

 

CMMC PROGRAM

One example of constructive DND action was the announcement of a Cybersecurity Maturity Model Certification (CMMC) program for Canadian defence suppliers serving DND, which was unveiled by DND Minister Anita Anand at CANSEC 2023 in Ottawa on May 31, 2023.

Designed to mirror US Department of Defense (DOD) requirements for its suppliers, the Canadian CMMC will provide common cyber security standards for Canada’s defence industry, making them compliant with DOD requirements as a bonus.

“This will float all boats with a rising tide of security baselines,” said Dillon. “That said, the government should invoke some education and incentives to accelerate Canadian compliance and help to competitively position our industry and secure key economic engines. The industry, for its part, must genuinely adopt these standards.”

Nevertheless, Al Dillon believes that much, much more has to be done to bring Canada’s cyber security standards and practices to a meaningful, useful level, and that the ultimate responsibility for making this happen lies with Canada’s citizens and the leaders they elect. “We need to own this problem and demand responsible action from our leaders,” he declared. “These are basic fundamentals of democracy. I’m genuinely concerned about Canada’s ability to defend its citizens and its institutions in a modern global conflict that is arguably marching toward us. Our adversaries can reach out and touch us from afar. We must prepare and keep working the halls of diplomacy to quell rising tempers in the meantime.”

 

CADSI ADVOCATES FOR MORE CYBER SPENDING

The Canadian Association of Defence and Security Industries (CADSI) has long pushed for the federal government to buy more products from Canadian companies, including cyber security products and services. On March 10, 2023, CADSI President, Christyn Cianfarani, brought this message to the Canadian Parliament’s Standing Committee on National Defence, which is conducting a study on cyber security and cyber warfare. The following quotes are based on her statement to that committee.

 According to Cianfarani, “Canada’s cyber security industry is world-class. According to studies carried out by ISED and Statistics Canada, between 2018 and 2020 the sector grew over 30% in terms of employment, R&D activity, and revenue. It is a fast-growing, global sector expected to quickly outpace traditional IT in spending.”

 Then she dropped the bomb: “However, only 8% of the sector’s revenue is derived from Canadian government contracts. EIGHT PERCENT! The sector sells three times as much to our Five Eyes allies as it does to the Canadian government.”

“Those numbers speak to a central challenge we face in this country when it comes to cyber,” Cianfarani declared. “Our allies see more value in Canada’s cyber security sector than Canada does.”

 “The other side of the coin is that Canada needs to procure at the ‘speed of cyber’,” she continued. “A slow procurement process is a recipe for buying out of date or even obsolete cyber technology. Innovation cycles in this domain are measured in months, or even weeks.”

 CADSI’s President then offered a one-word solution to both problems: Collaboration.

“Canada requires a much greater degree of cooperation, knowledge sharing, and co-development between government and the private sector,” said Cianfarani. She then noted that some progress has been made in this regard, “but we’re nowhere near where we need to be. While agencies like CSE are very capable, CADSI’s research has shown our government is falling behind our allies when it comes to working with the sector in an institutionalized way. Our allies are collaborating with industry in real-time right now in Ukraine.”

Fortunately, Christyn Cianfarani had some constructive advice on how to improve cyber cooperation between industry and Ottawa. First, “the Canadian government needs to establish a recurring forum for dialogue and discussion on cyber issues with all the key players — industry, DND/CAF, CSE, CCCS, GAC, and Public Safety Canada — at the table,” she said. “Canada also needs improved systems for threat-sharing that combine open sources with government and industry sources of information about breaches, indicators, and potential responses. This will mean rationalizing what is unclassified and what remains classified and who has access to what. Again, our allies are on the forefront of this type of activity.”

That’s not all: To improve not just industry/government cyber collaboration but the results of that collaboration, “we should consider sandboxes and collaborative lab spaces to test new technologies and capabilities together at scale and talent exchanges between the public and private sectors, like the UK’s Industry 100 program and a new talent exchange just launched by CSE,” said Cianfarani. “That could start to address the cyber talent shortages that we’re all facing because cannibalizing each other isn’t going to work. Reservists with cyber and computing skills that are employed by companies could be an attractive way to support re-constitution of the CAF, so long as the government does not claim the IP and patents that reservists create while employed in the private sector.”

 She concluded by asking, “effective cyber defence at national levels is a team sport. If our allies can get this, why can’t we?”

 

James Careless is CDR’s Ottawa Bureau Chief

 
