Saturday, December 15, 2018

National Cyber Threat Assessment 2018 released

The Canadian Centre for Cyber Security released National Cyber Threat Assessment 2018, its first annual unclassified report on cyber threats to Canadian individuals, businesses, and critical infrastructure, on December 6th.

The intent of the assessment is "to ensure that as cyber threat actors pursue new ways to use the Internet and connected devices for malicious purposes, Canadians are well informed of the cyber threats facing our country."

"Key Judgements" reported in the document include:
  • "Cybercrime is the cyber threat most likely to affect Canadians and Canadian businesses in 2019."
  • "Cyber threat actors — of all sophistication levels — will increase the scale of their activities to steal large amounts of personal and commercial data."
  • "Canadians are very likely to encounter malicious online influence activity in 2019. In the coming year, we anticipate state-sponsored cyber threat actors will attempt to advance their national strategic objectives by targeting Canadians’ opinions through malicious online influence activity."
  • "State-sponsored cyber threat actors will continue to conduct cyber espionage against Canadian businesses and critical infrastructure to advance their national strategic objectives."
  • "It is very unlikely that, absent international hostilities, state-sponsored cyber threat actors would intentionally disrupt Canadian critical infrastructure. However, we also assess that as all manners of critical infrastructure providers connect more devices to the Internet, they become increasingly susceptible to less-sophisticated cyber threat actors, such as cybercriminals."
None of these judgements is likely to astound anyone who has been paying a modicum of attention to this stuff, but at least they confirm that Those-In-The-Know and the rest of us are all pretty much on the same page on these questions.

Aside from a few cases cited as examples, the document provides little information about past cybersecurity incidents.

This was deliberate. In a stakeholders teleconference held on the day of the release, CSE officials told me their intent was for the publication to be a "forward-looking" document rather than a report on past events or a source of statistical data. They did acknowledge that this may mean that future reports run the risk of being significantly repetitious. I guess we'll have to see how much the Key Judgements actually change from year to year.

One bit of new information that does seem to have slipped into this edition is that "In 2017, the Communications Security Establishment alerted partners in the United States to an energy sector [industrial control system] cyber compromise" (see p. 25). This compromise was made public earlier this year, but as far as I can tell this is the first time it has been suggested that CSE played a key role in uncovering it. (Please correct me if I've missed something.)

In addition to the assessment, the Centre also released a companion document on December 6th, An Introduction to the Cyber Threat Environment, intended to provide "baseline knowledge about the cyber threat environment, including cyber threat actors and their motivations, sophistication, techniques, tools, and the cyber threat surface".

News coverage:

Elizabeth Thompson, "Cyber crooks increasingly targeting home devices: report," CBC News, 6 December 2018.

Jim Bronskill, "Foreign countries will try to twist Canadian opinion online in 2019, feds warn," Canadian Press, 6 December 2018.

Howard Solomon, "Foreign countries ‘very likely’ to target Canada in election year, says Cyber Centre," IT World Canada, 6 December 2018.

"'Crazy' to expect consumers to guard against smart device hacks: cybersecurity expert," CBC Radio, 7 December 2018.

You can also watch Cyber Centre head Scott Jones's press conference here.

Update 16 December 2018:

The report is also discussed on A Podcast Called Intrepid episode 67, A Christmas Stocking of National Security Reports (15 December 2018).

Update 27 February 2019:

Also A Podcast Called Intrepid episode 77, Who Wants to Get into Your Data? (21 February 2019).


Post a Comment

<< Home