The @cybercentre_ca released their National Cyber Threat Assessment today. Here’s a crude summary + thoughts on it.

But first: this is a very well done report. The team that was involved in writing/managing its development deserves congratulations for the excellent work. 👏👏👏
The report’s divided into 3 components: 1) the evolving threat landscape; 2) threats to individuals; 3) threats to Canadian organizations.
This report neither evaluates the accuracy of predictions/assessments in the 2018 threat assessment, nor does it specifically propose policies to mitigate threats assessed in the 2020 report.
I’ll put my thoughts in brackets to distinguish my thoughts from those communicated by CCCS.

Onto the evolving threat landscape!
States are licitly and illicitly upskilling their cyber capabilities; they’re leaning on companies like NSO as well as getting skilled operators to build up infrastructures, such as former NSA operators building up the UAE’s capabilities.
(Me: Unclear about extent(s) to which Canadians are also training up other nations’ intel agencies. Upskilling doesn’t just mean foreign operators are targeting Canadians, they’re also getting better at targeting human rights defenders at home and abroad.)
Positively, hacktivists are recognized as probably not all that sophisticated or advanced, with a few exceptions.
(Chris: This matters to tamp down on excessive language from other agencies who have often trumped up the threats posed by hacktivists. Though I wonder what this means for folks like Phineas Fisher and operators like them?)
While a lot of the adversaries facing Canada are named (ie: Iran, China, Russia, and sometimes North Korea) there’re no named countries associated with the section on countries that support/back espionage activities. It’s…notable given how commonly countries are named elsewhere
(Me: Guess GAC/ISED isn’t willing to name China, amongst others, for being behind some of these activities? Part of GAC’s dance with China concerning broader strategic considerations of trade and dealing with China’s seizure/sentencing to death of Canadians?)
Of little surprise, foreign operators are targeting espionage activities at aviation, technology and AI, energy, and biopharmaceuticals industries. Another reminder: Canadians are at the cutting edge of certain industries, have a lot to be proud of, and need to defend their IP!
CCCS rightly recognizes that the mass exfiltration of ‘de-identified’ data can be combined using data science to effectively re-identify information.
(Chris: At a basic level, I think this raises fundamental questions about the Government of Canada’s decision to (seemingly) permit broad-based ‘anonymized’ data collection under reformed privacy legislation that was just tabled...
...We’ve seen enough foreign operators’ activities to know that combining large datasets is just part of business these days…we should be trying to make it harder, not easier, to build the baseline datasets IMO)
Internet governance is raised in the general threat landscape section. Raising technical standards concerns—and, in particular, the New Internet Protocol—signals that GAC et al genuinely worry about the potentials of this protocol for enhancing existing surveillance capacities.
(Chris: I think (?) this is the most public raising of the issue, though possible that GAC et al has raised the issue in places/ways I’m not familiar with. Either way, good to raise the alarm. Now to get actual Canadians into spaces to shut down that standard…)
On to threats to individuals!

Medical and personal data is being targeted, in part to identify, profile, and track individuals. This can subsequently be leveraged to obtain access to controlled resources through credential stuffing.
(Chris: left unstated, this information can also be leveraged by foreign intelligence services to identify weaknesses to capitalize on and potentially turn individuals into agents of a foreign power. Keeping this data secure is *really* important. Private businesses...
... need to do a lot better on this front. Maybe the fines envisioned in tabled privacy legislation will encourage better practices? #LetMeDream)
The discussion of online foreign influence made clear that CCCS sees platforms as able to massively change the ways in which these operations are conducted; changes by platforms can force operators to develop entirely new toolsets.
(Me: The efficacy of either the influence operations, or the responses from platforms, however remains challenging to assess by CCCS (or anyone else, really, for that matter). Efficacy about these operations isn’t raised in the report)
(Also me: as a bit of a caveat, academics are slowly gravitating to ask whether influence operations actually shift opinion as breathlessly talked about in the media. Would disinformation be such a well-financed and published area of research ...
... had Trump not won the 2016 election, and liberals clung to the idea he was elected because of interference as opposed to the will of part of the American electorate? 🧐)
CCCS calls out the digitally mediated threats posed by stalkers and abusive partners. The report notes abusers can exploit Internet-connected IoT systems and personal devices, such as fitness trackers, to facilitate abuse.
(Chris: This is a threat that needs a lot more attention, and it’s good to see stalkerware writ large is more on the government’s radar. Now to upskill authorities and judicial systems to actually respond to these threats in ways that empower affected persons, rather than ...
FYI! Organizations are also under threat!

Expect ransomware and other operations to be taken towards large enterprises and critical infrastructure providers. While operators have probed Canadian energy providers, as an example, there’s not evidence that ...
Canadian energy infrastructure is in the crosshairs. CCCS assesses it being very unlikely (outside the outbreak of outright hostilities) that adversaries would attack infrastructure. However, prepositioning may (with no degree of certainty) take place as a mode of intimidation.
(Me: it’s worth noting our allies have been accused of pre-positioning in foreign infrastructures & operating ‘defensively’ by intruding into foreign networks and systems to intimidate or disable operators. Yay for operating just below the threshold of armed conflict!)
(Also me: noteworthy that ransomware costs are going up by 33% from 2019 to 2020. Cyber insurance is gonna keep getting more expensive, I’d bet...
... Though recent threats to arrest US executives who pay ransoms at the request of senior leadership indicate Canada needs to communicate the lawfulness of paying ransoms clearly ASAP)
Ransomware is expected to be used as a cover for state-sponsored operations, with some intelligence services using criminal groups as cut-outs to conceal their operations.
(Chris: And, as a result, it’s gonna be important to target state and non-state operators alike for criminal investigation. Though actually prosecuting people who hide out in Russia and other low rule-of-law countries will continue to be frustrating and challenging.)
IP theft is an ongoing serious issue, affecting health and biotech, energy, telecommunications, and defense most poignantly. Managed Service Providers continue to be an attractive target to facilitate such espionage operations.
It’s almost certain that Canadian organizations will be targeted where they are involved in the pandemic health response
IP theft is particularly problematic when Cnd companies must work with foreign state-owned enterprises (Chris: Chinese companies). However, CCCS also notes there are risks associated with the covert collection of information that passes through national networks ...
... and, thus, implicitly underscores the importance of defensive technologies to mitigate this mode of espionage
(Chris: in a truly predictable fashion, another well resourced security agency has implicitly emphasized the ongoing importance of making strong encryption available to protect data and Canadian interests. It’d be just lovely ...
... if the folks at Public Safety could read this report and take these warnings to heart instead of bumbling along with their buddies at Justice to call for encryption backdoors at FVEY Ministerials.)
CCCS notes that customer data can also be targeted so as to subsequently pursue dissidents, minorities, or espionage targets within or outside of the operator’s country.
(Chris: This should make clear that data should be protected as a baseline human rights issue in contrast to the position of certain-Canadian-lawyers-who-shall-not-be-named (*cough* Dentons *cough*))
Broadly, Canadian companies should expect criminal and state-sponsored efforts to obtain PII and other sensitive client data.
Supply chains continue to be a risk due to cruddy coding practices, tampering activities during compilation or production of software/devices, shipping stuff to its destination, exploiting failures in devices when they’re in operation, and targeting update mechanisms.
(Me: On the one hand this seems to scream certain Chinese telecom vendors. But…just ask yourself how much of what you use is equally poorly designed or can have its update system exploited...
... Pretty well any professional group who’s looked at routers, as an example, has needed to join at least one support group immediately after assessing their results.)
(Me also: more seriously, this assessment speaks to the *absolute and fundamental* need for Canada along with its allies to build up existent Information Assurance processes that are currently used to evaluate the (in)security of critical infrastructure and widely-used ...
... consumer products. And then ensure information is communicated to vendors to make stuff better and warn Canadians off the worst of it all.)
(Me: One small ask for future reports (an update to this one?): Please @cybercentre_ca include an appendix that lists different threats in the report alongside the probability of the risk. It’d mean folks like me don’t need to reproduce a chart I suspect you already have in hand)
(Also: apologies for filling up people’s timelines!) https://twitter.com/caparsons/status/1329176973323759618
You can follow @caparsons.