It was a big month for Canadian cyber defence and Canadian defence overall with the release of Canada’s Defence Policy Update.
Canada’s Defence Policy Update - North, Strong and Free: A Renewed Vision for Canada’s Defence
I have already written that Canada is creating a CAF Cyber Command here. The TL;DR is that the creation of a CAF Cyber Command is a very long time coming, and was something I recommended in my appearance before the House of Commons National Defence Committee in 2023.
Soldiers had to rely on food donations because of lack of military support during Ottawa training
On April 2, the Ottawa Citizen reported that Canadian Armed Forces (CAF) soldiers sent to Ottawa for specialized cyber training at Willis College had to rely on donated food, among other difficulties, while living in Ottawa. No one should have to rely upon donated food, but the fact that CAF soldiers were required to rely on these donations and other help while specifically training to defend Canada is a level of insult that sickens me. These soldiers were taking courses at Willis College, where the CAF’s cyber forces take some of the most advanced cyber courses available, including offensive security courses that prepare soldiers to conduct offensive cyber operations. To put things into perspective, these same soldiers would be earning significantly more than they do now if they were in the private sector. These people chose to join the military, for whatever reason, and went into the CAF’s cyber forces, which are almost always short of people. This is not how to retain personnel; this is not how you treat people.
I have been reliably informed that we can expect more cyber-related CAF stories from David Pugliese.
Microsoft’s ‘cascade of security failures’ blamed for Chinese hack of U.S. officials
Those who know me have likely heard me criticize Microsoft at some point. Part of this is motivated by a former NSA hacker whom I have conversed with, who has gone to lengths to discuss the terrible security architecture of Microsoft Azure, Microsoft’s cloud platform. Another part of this is informed by those involved with procuring Canada’s secret cloud platform being critical and uncertain of Microsoft’s ability to meet the requirements of the CAF’s ITI in Sp of C2 (the CAF’s project to procure secret cloud). Now this is also informed by the terrible cybersecurity posture of Microsoft, which the US Cyber Safety Review Board has confirmed. The report states that Microsoft needs to completely overhaul its security culture to ensure that “preventable” breaches don’t happen again.
Trudeau announces $2.4 billion for AI-related investments
The Government of Canada announced that it would be investing $2.4 billion for Artificial Intelligence-related activities. $2 billion is going to “provide access to computing capabilities and technical infrastructure,” $200 million to boost the adoption of AI in sectors like “agriculture, health care and clean technology,” and $50 million to an AI safety institute, and more.
Some have criticized these announcements for lacking governance frameworks. I suggest reading the likes of Michael Geist; he is usually wrong, but he’s a top voice in Canada. He critiques the amount of funding for this plan, citing industry estimates of approximately $200 billion in AI spending. However, what he misses here is that this spending is led by major corporations, and SMEs largely lag behind. In addition, as many rush to adopt AI, this will increase computing costs unless there are major investments to increase efficiency and to increase Canada’s capacity overall. Nevertheless, I fully agree with the need for better governance, which AI companies have been begging for and which Bill C-27 does not address sufficiently.
We must remain cognizant of who is leading the private sector in AI development and implementation: largely the major corporations. Many details are yet to be released, but there is significant potential for this $2 billion to have a real impact on SME capacity to adopt more AI. The greatest cost associated with the adoption of AI/ML is computing, and that cost will, without a doubt, rise unless significant investments are made to increase Canadian computing capacity.
A Chilling Near Miss: The Secret Backdoor In XZ Utils
For those who are already aware of the story behind the XZ backdoor, we are probably not surprised The Economist wrote a story on it. For those unaware, when The Economist writes about how an exploit/backdoor in software was implemented, you know it was serious.
Information security and hacking circles exploded this month with stories about how a security researcher found that someone had embedded a backdoor in XZ Utils. XZ Utils is a compression package (the xz tool and the liblzma library) that is present on nearly every Linux system. The backdoor hooked into sshd on systems where liblzma was loaded into it, which would have given its operator remote access to Internet-facing servers worldwide. The researcher, Andres Freund, noticed that SSH logins had become slower and that valgrind was reporting errors in liblzma, decided to investigate, and that is when he found the backdoor and helped prevent an untold amount of harm.
My favourite security researcher, The Grugq (go subscribe to his newsletter), has commented on this case and has some great commentary. Grugq suggests that this was likely a state intelligence operation due to the length of time the backdoor’s author spent on the XZ Utils open source project, and due to multiple accounts appearing to encourage the maintainer of the XZ Utils project to retire from the project so that the perpetrator of the
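The check a practitioner wants after reading the above is whether a given host was exposed. Here is an added triage helper (not from the original post or from the XZ project) that encodes the two conditions that mattered: the backdoored releases were xz/liblzma 5.6.0 and 5.6.1 (CVE-2024-3094), and the payload only reached sshd on hosts where liblzma was loaded into the sshd process, typically via libsystemd. The functions are written against strings so they can be exercised on constructed inputs; run the script with `--live` to apply them to the current host. The version-string format and the `ldd` output format are assumed from the upstream tools.

```shell
#!/bin/sh
# Added example: triage for the XZ Utils backdoor (CVE-2024-3094).
# Assumptions (not from the original post): backdoored releases are 5.6.0 and
# 5.6.1; the payload only reached sshd where liblzma was mapped into sshd.

# Return 0 when the first line of `xz --version` names a backdoored release.
# Example input: "xz (XZ Utils) 5.6.1"
xz_version_is_backdoored() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when `ldd` output (one shared object per line) shows liblzma.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine both checks into a single verdict for the host.
#   $1: first line of `xz --version`   $2: `ldd` output for the sshd binary
xz_triage() {
    if xz_version_is_backdoored "$1"; then
        if sshd_links_liblzma "$2"; then
            echo "BACKDOORED-AND-REACHABLE"   # version affected, sshd loads liblzma
        else
            echo "BACKDOORED-VERSION"         # version affected, sshd does not load it
        fi
    else
        echo "CLEAN-OR-UNKNOWN"               # not a known backdoored release
    fi
}

# Gather the live inputs from this host and print a verdict.
run_live_checks() {
    xz_line=$(xz --version 2>/dev/null | head -n 1)
    sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
    ldd_out=$(ldd "$sshd_bin" 2>/dev/null)
    printf 'xz: %s\nsshd: %s\nverdict: %s\n' "$xz_line" "$sshd_bin" \
        "$(xz_triage "$xz_line" "$ldd_out")"
}

# With --live, inspect the host; otherwise demonstrate on constructed inputs.
if [ "${1:-}" = "--live" ]; then
    run_live_checks
else
    # Constructed sample inputs, not captured from any real host.
    sample_xz="xz (XZ Utils) 5.6.1"
    sample_ldd="libsystemd.so.0 => /lib/libsystemd.so.0 (0x0)
liblzma.so.5 => /lib/liblzma.so.5 (0x0)
libc.so.6 => /lib/libc.so.6 (0x0)"
    echo "sample verdict: $(xz_triage "$sample_xz" "$sample_ldd")"
fi
```

The verdict distinguishes "affected package installed" from "affected package reachable from sshd" because the second is what made this a remote-access backdoor rather than a local curiosity; distributions that did not patch sshd to link libsystemd were never in the reachable case even when they shipped 5.6.x.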
A Meta-Review of Security Control Effectiveness
A bit different to the types of things I cover every month, this academic article is worth a read for people in policy and operations. The authors of this article conduct a meta-review of empirical studies concerning the efficacy of cybersecurity controls. Although the results are not likely to be surprising to those familiar with security controls, it helps to confirm and reinforce the efficacy of these methods and the importance of layered defences and controls.
Joint Advisory on Deploying AI Systems Securely
The Communications Security Establishment and the Canadian Centre for Cyber Security joined the NSA and other international partners to release Deploying AI Systems Securely. Nearly everyone is in a rush to adopt AI/ML tools, with concerns about their security and actual utility being an afterthought. AI models and systems present a new threat environment that professionals and organizations must secure much as they secure networks.
The great people from Mandiant have compiled a very extensive report on the Russian government threat actor Sandworm, which they now track as APT44. APT44/Sandworm is a sub-unit of the GRU, the Russian military’s primary intelligence arm. Sandworm took the lead in offensive cyber operations against Ukraine. I highly recommend reading this report to better understand how Russia uses cyber operations in war.
Some preliminary research I have been conducting for my PhD dissertation, and confirmed by others, is that Russia attempted a more “Western” style of cyber operations at the start of the war. It did not meet the Russian leadership’s expectations, partly due to poor integration with kinetic operations, but in large part because the United States and other allies (including Canada) conducted hunt forward operations to help defend Ukraine’s infrastructure.
Defence and academic circles in Canada often downplay cyber operations as not being useful in strategic or tactical applications, but overall this lacks an understanding of how cyber operations are deployed in conflict. In addition, the United States and Russia use cyber operations in dramatically different ways, with Russia focusing more on information operations and information security. There is nuance in how cyber is used in war, and forcing cyber into existing boxes of what is viable or useful in war is anachronistic compared to actually engaging with cyberspace as a domain of warfare.
‘Cybersecurity incident’ leads to closure of London Drugs stores in western Canada
Canadian retail and pharmacy chain London Drugs is the latest victim of a major cyberattack. So far, London Drugs has released few details and has only said it was a “victim of a cybersecurity incident.” In a previous statement, London Drugs said it was experiencing an “operational issue” that led to the closing of London Drugs stores in Western Canada. London Drugs is a bit of an oddity of an organization, well known for its archaic point-of-sale systems, and many are already assuming this is a ransomware attack based on London Drugs’ response thus far.
When retailers have been hit with ransomware previously, they would still operate with reduced capacity. The fact that London Drugs has closed all its stores in Western Canada speaks volumes. This is either a massive and severe attack on the organization or a massive failure in London Drugs’ security. Or likely both. Although not all of these stores are pharmacies (a surprise to me when I first moved to Canada), this is likely to have a significant impact on the health of those who rely on London Drugs as their pharmacy.
Belarusian Cyber-Partisans Claim to Have Breached Belarus KGB
The Belarusian Cyber Partisans are a group of hacktivists that formed in 2020 after Belarusian president Alexander Lukashenko again won a sham election. Since their formation, the Belarusian Cyber Partisans have been attacking government institutions, which has included attacks on the rail system over Belarus’ support for Russia’s invasion of Ukraine, and the theft of Belarusian passport data. My favourite part of this second one was that they turned the passports of key Belarusian government figures into NFTs.
Their most recent target was Belarus’ KGB, which is actively repressing Belarusians. The report states that the official Belarus KGB website has been offline since Fall 2023 due to the attack by the Cyber Partisans. I say keep up the good work!
If you are curious for more, I highly recommend this interview between the Glasshouse Center crew and the Belarusian Cyber-Partisans’ Yuliana Shemetovets.
MPs Call for Hearings on Chinese Hack Targeting Legislators
The Globe and Mail reported that Parliamentarians had learned that they were the target of APT 31, a Chinese state hacking group, due to FBI disclosures. The MPs stated they were never informed of this attack, and are now calling for hearings.
The problem with this is that the attacks/targeting of these MPs were phishing attempts. Everyone who has an email address is likely to receive phishing attempts. Most are criminal in nature, but some are from state actors. All MPs should assume they are being targeted in this manner by China, Russia, Iran and any other threat actor. It is not reasonable to expect hearings for every phishing email received. If it was a specific campaign, it would be understandable to inform the MPs so they could be more proactive in defending themselves, depending on the circumstances. Except…
It turns out that CSE did inform Parliament: CSE says it shared information on Chinese hacking of parliamentarians in 2022, and said that the phishing attempts were not successful. “In this case, he adds, the agency determined that the risk-mitigation measures had successfully prevented any attack, and that there were no cybersecurity impacts to any members or their communications.”
While I will not discount that there are likely some communication errors here, I think the root of the problem is that MPs are ignorant of how cyber defence works. It is unreasonable to want a hearing on every phishing attempt or campaign that targets MPs, or they would be in hearings 24/7. There needs to be a mature discussion about this, but MPs need more education to have one.