Thursday, November 19, 2020

National Cyber Threat Assessment 2020 released

CSE's Cyber Centre released its second report on cyber threats to Canada, National Cyber Threat Assessment 2020, on 18 November 2020. The new report comes two years after the agency's first report on the topic, which I blogged about here.

"Key Judgements" in the report are as follows:
  • "The number of cyber threat actors is rising, and they are becoming more sophisticated. ..."

  • "Cybercrime continues to be the cyber threat that is most likely to affect Canadians and Canadian organizations. ..."

  • "We judge that ransomware directed against Canada will almost certainly continue to target large enterprises and critical infrastructure providers. ..."

  • "While cybercrime is the most likely threat, the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada. ..."

  • "State-sponsored actors are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure, such as the supply of electricity, to further their goals. We judge that it is very unlikely, however, that cyber threat actors will intentionally seek to disrupt Canadian critical infrastructure and cause major damage or loss of life in the absence of international hostilities. Nevertheless, cyber threat actors may target critical Canadian organizations to collect information, pre-position for future activities, or as a form of intimidation."

  • "State-sponsored actors will almost certainly continue to conduct commercial espionage against Canadian businesses, academia, and governments to steal Canadian intellectual property and proprietary information. ..."

  • "Online foreign influence campaigns are almost certainly ongoing and not limited to key political events like elections. Online foreign influence activities are a new normal, and adversaries seek to influence domestic events as well as impact international discourse related to current events. We assess that, relative to some other countries, Canadians are lower-priority targets for online foreign influence activity. However, Canada’s media ecosystem is closely intertwined with that of the United States and other allies, which means that when their populations are targeted, Canadians become exposed to online influence as a type of collateral damage."
Most of these judgements seem like fairly common sense—or what would be common sense if there actually were such a thing—and they're not wildly different from most of the ones in the first report.

But there are some interesting changes in detail.

This year's report cites China, Russia, Iran, and North Korea by name. Canada and its Five Eyes partners have been calling out these states increasingly often in the past two years, so it's not especially surprising to see them named here now, but it is still a welcome development to see growing transparency around these issues. Also welcome would be a detailed statement of the government of Canada's views on the legal and ethical bounds on state behaviour in cyberspace, as has long been promised by the department of Global Affairs but has yet to appear.

The report's warning about the threat to Canada's electricity supply and other elements of critical infrastructure is also more detailed than in the past. On page 21 the document specifies that, in the agency's judgement, "state-sponsored actors are very likely attempting to develop the additional cyber capabilities required to disrupt the supply of electricity in Canada."

These activities, and similar ones targeting other aspects of critical infrastructure, pose a very serious threat to Canadians (although it should be recognized, as the report itself emphasizes, that such preparations probably do not imply any imminent intent to attack those systems).

Here I think it would be useful for the Cyber Centre not simply to warn Canadians about such threats, but also to explain what the government is doing and plans to do about them. Protecting the electricity supply is not something the average denizen of this land can contribute to; it's a job for the electricity industry and for the government, working together. But it would be useful for the rest of us to know what the plan is—maybe not in a threat assessment document, but somewhere.

The government does publish general cyber security strategy documents, such as this National Cyber Security Action Plan, every now and then. And the Cyber Centre publishes detailed alerts and guidance about very specific issues, which are of course a crucial part of the service the Centre provides. But if we're going to be told that the electricity supply is potentially at risk it would be nice to have a bit more concrete information about the plan to protect it—and maybe to receive some assurances that prevention, mitigation, and recovery plans are actually being put in place.

At the moment, we don't even know such basic information as the total amount of money the government is spending on cyber security this year, or even the amount the Cyber Centre spends. A figure for the Cyber Centre's spending in the last fiscal year, 2019-20, will presumably be reported soon in the next edition of the Public Accounts, but no information is made available on current spending, or on the amounts envisaged for future years.

[Update 2 December 2020: Actually, it's even worse than that: the "program spending" numbers that would tell us how much CSE spends on cyber security were last reported in the Public Accounts in 2018, covering fiscal year 2017-18. For now at least the breakdown still shows up online in the government's Infobase data, evidently updated sometime around the time the latest Public Accounts come out. But as far as I can tell there is no longer any document that formally reports this data to parliament or the public.]

This, however, is a topic for a different report.

The National Cyber Threat Assessment 2020 is a useful and informative document that is well worth giving a close read.

The plan at the moment is to update it again in two years' time, although officials at the Centre say that timeline could change if circumstances warrant.

In addition to the assessment, the Centre also released an updated version of its companion document, An Introduction to the Cyber Threat Environment, intended to provide "baseline knowledge about the cyber threat environment, including cyber threat actors and their motivations, sophistication, techniques, tools, and the cyber threat surface."

Media coverage:

Alex Boutilier, "Cyber defence agency says hostile states are developing ways to disrupt Canada’s power grid," Toronto Star, 18 November 2020.

Jim Bronskill, "Canada's cybersecurity agency warns of online threats that exploit COVID-19 fears," Canadian Press, 18 November 2020.

David Ljunggren, "‘State-sponsored actors’ could target Canada’s power grid, intelligence agency warns," Reuters, 18 November 2020.

Catharine Tunney, "State-sponsored actors 'very likely' looking to attack electricity supply, says intelligence agency," CBC News, 18 November 2020.

Rachel Aiello, "Cybersecurity agency calls out four countries as the 'greatest strategic threats' to Canada," CTV News, 18 November 2020.

Christopher Nardi, "China, Russia, Iran and North Korea are Canada's 'greatest strategic threat': CSE report," National Post, November 2020.

Marc Montgomery, "Canadian security agency warns of ‘state-sponsored’ cyber threats," Radio Canada International, 19 November 2020.

Also highly recommended: Twitter commentary on the report by Citizen Lab's Chris Parsons.
You can also listen to Chris being interviewed about the report by Leah West for the Intrepid Podcast here.

Thursday, November 12, 2020

Even official historians do it

From Behind the Enigma, the recently released official history of GCHQ by Canadian John Ferris:
In 2003, the United States cut military cooperation over Canada's opposition to the invasion of Iraq, but not with the Canadian Security Establishment (CSE).
See also Everyone does it, media edition, Even NSA does it, Part I and Part II, and Even GCHQ does it.