Monthly Rewire - June 2024
Wiring you into the Canadian cyber defence stories I'm following this month
There are a lot of high-level developments to keep track of this month. Canada is presently in a transitionary period in its cultural understanding of cyber security, which will make it increasingly important to watch how government policy develops to address the myriad of issues. It is important that Canada looks internationally for best practices rather than repeating common mistakes.
Government of Canada releases statement on malicious cyber activity
On 3 June, after a series of unfortunate news stories, including that the RCMP is ill-equipped to handle cybercrime, Minister of Public Safety Dominic LeBlanc released a statement on how the Government of Canada takes national security, including “malicious cyber activity and foreign interference,” very seriously.
Beyond the boilerplate, the statement interestingly names the primary threats through cyberspace, including the People’s Republic of China (PRC), Russia, Iran, and the Democratic People’s Republic of Korea (DPRK; North Korea). It even calls the PRC the “most extensive state-sponsored” threat.
Oddly, the statement makes no mention of ransomware. By all accounts, the most destructive and damaging malicious activity today is ransomware. Ransomware affects governments and the private sector alike, but the private sector bears the brunt of it. While this statement is all well and good, the fact that it does not mention ransomware is odd and may highlight some gaps in the Minister’s office in understanding malicious cyber activity.
This is concerning because Public Safety is one of the primary leads in advancing the Government of Canada’s national cyber security. If such a statement lacks attention to ransomware, to what degree will the upcoming National Cyber Security Strategy be lacking as well?
Cybersecurity standards emerging in Canada as ransomware business booms
This is a great article detailing the growing prevalence of ransomware in Canada. Ransomware particularly targets small and medium businesses and other organizations that do not have the same resources as major businesses or the government to protect themselves.
Brett Callow is often quoted throughout the article as one of Canada’s leading experts on ransomware. I was glad to see that he mentioned multiple times that ransomware payments should be banned. I have long been skeptical of this, but as ransomware attacks continue to grow, I am increasingly in agreement that it is necessary to consider making them illegal.
As a quick primer for non-technical folk: ransomware works by a threat actor gaining access to a network. At this point, they will attempt to download as much valuable data as possible. They will then encrypt the systems they access and keep them locked unless you pay them. Many organizations pay because they cannot allow the data to be public, but many times they do so to avoid embarrassment and avoid notice. However, in some cases, the threat actor does not unlock the systems, or they will still release or sell the information later on. Ultimately, these are criminals. As much as they function on reputation as a group, this reputation only goes so far until it does not work in their favor. Paying ransoms feeds into this system.
All this money given to criminals should instead go towards cybersecurity, which could help reduce the problem. This is the overall point of the article: the status quo of ransomware is not good. Businesses and people are suffering, which is a net negative on human security and the economy. The article notes that banning ransomware payments is still a minority position, but this is increasingly changing. There is a dire need to improve baseline cybersecurity expectations and standards to reduce the flow of money to criminals that fuels the problem.
China ‘aggressively’ trying to lure West’s military trainers: Five Eyes
On 5 June, Global News reported on a joint advisory from Five Eyes countries (Australia, Canada, New Zealand, United States, and United Kingdom) warning that China’s People’s Liberation Army is working through private companies in South Africa and China to recruit military personnel by offering “exorbitant salaries.” The article and many warnings about this topic over the last decade have focused on military pilots being the most sought-after. However, it is important to note that China, and others for that matter, are pushing hard to recruit former government and military cyber operators and hackers.
The most widely known case is with the United Arab Emirates (UAE). Through the private company DarkMatter Group, the UAE was able to develop its own Cyber Command with offensive and defensive capabilities by learning directly from former NSA operators. This is really just the tip of the iceberg, as DarkMatter is also connected to the rapidly growing private business of selling spyware. Those found to have been targeted include the wife of an imprisoned UAE human rights activist, the Prime Minister of Lebanon, a British journalist, and many others. DarkMatter is also accused of being connected to the brutal murder and assassination of Jamal Khashoggi.
There are significant implications for assisting countries in developing more advanced means for intelligence or defence, which can cause more problems than they solve. Our attention is on the big toys with the pilots and fighter jets, but more damage is currently being done by the growing proliferation of offensive cyber capabilities.
On 7 June, the Department of National Defence (DND) released a story about the Canadian Armed Forces’ (CAF) participation in the NATO cyber defence exercise LOCKED SHIELDS 24.
Locked Shields is a yearly exercise that NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) hosts. Over 4,000 people were involved this year across 18 teams from different countries. The exercise has defending “Blue Teams” protect the fictional state of Berylia against an aggressor “Red Team.” The Blue Teams must defend systems and infrastructure such as gas and power networks.
The CCDCOE has existed since 2008, but Canada did not join the NATO organization until 2019 despite donating $1 million to develop the Locked Shields exercise in 2014. This made Canada one of the last NATO countries to join the organization, very much emblematic of Canada’s military approach to digital threats.
Few are picking up on something important in Minister Blair’s statement: that a major component of Canada’s Indo-Pacific strategy is working with partners to improve cyber capabilities.
There have already been some developments with the Philippines in January, but this is unlikely to stop there and will increase as Canada further develops its capabilities to help others.
We can look at Canada’s hunt forward operation in Latvia as an example of one way to work with regional partners to address cybersecurity. Although this is a military approach, the Communications Security Establishment and the Canadian Centre for Cyber Security will likely lead this area.
Modern Approaches to Network Access Security
On 18 June, the Canadian Centre for Cyber Security joined the United States’ CISA and FBI, and New Zealand’s GCSB and CERT-NZ, to publish Modern Approaches to Network Access Security.
I recommend you read it as I think it is a very good introduction to cybersecurity basics for anyone, especially as it is, as the name says, a “modern” approach. It is good to keep in mind that those of us who developed an interest in cyber security before 2010 will have a dramatically different understanding and perception of the threat environment and security than those entering the field today.
CSE Releases its Annual Report 2023-24
I plan to do a longer look at this report, but some highlights for now:
Conducted its first defensive cyber operation
Conducted “a series of active cyber operations that helped to tackle cybercrime at the roots.”
Canadian Centre for Cyber Security “gave early warnings about potential ransomware compromises to over 250 Canadian organizations, before any damage was done.”
This is something I think other countries don’t talk about enough, so I am glad that CSE is connecting these operations directly to how they’re helping organizations before damage can occur.
“CSE intelligence informed our active cyber operations against violent extremists and organizations”
CSE used offensive cyber operations “to counter foreign groups involved in both ideologically motivated and religiously motivated violent extremism.”
This is very interesting. It’s been known for years that Western intelligence organizations have targeted IS, Al Qaeda, and other Islamic terrorist groups, but this might be the first time I have seen a mention of offensive cyber operations being used against “ideologically motivated violent extremism.”
I am trying out a new section for the Rewire: a list of noteworthy procurement or contract news related to Canadian Armed Forces and cyber defence. There is not much to say about these in many instances, so I will include them here to let them speak for themselves with an occasional comment.
Procurement and Contract News: