We live in an increasingly digital world, and 2022 will not slow down the magnitude of this shift. However, there is always a risk of skidding when you take a turn at full speed. This is just as true when it comes to the digital shift. In this first article of a series of three: the case of Canada, a prime target of global cyber warfare.
Faced with the growing scale of cyber threats, the US government will this year strengthen the constraints imposed on companies established on its territory to better fight against these attacks. The United States does not openly claim to be in cyberwar, but it is just like. This could make Canada and its own companies a prime target for cyberattacks.
Washington, which until now has limited itself to encouraging the adoption by companies and its own organizations of best practices in terms of computer security, wishes to turn this into requirements: software must be updated, breaches must be closed and flaws should be disclosed.
This strengthened position will mainly affect companies in economic sectors deemed crucial in the United States: energy, transport, food, etc. However, this will not fail to percolate to Quebec companies that do business in these sectors in the United States, notes Benoît Gagnon, vice-president Cyber investigations and intervention in the event of incidents for the Montreal security firm Forensik.
“In 2022, computer security is the new price to pay for doing business in the United States and Quebec,” he says. Data protection requirements will be increasingly stringent for providers. Better act now, before it blows in their face. “
That said, even without additional government directives, the Canadian business sector has an interest in arming itself against cyber threats, which are targeting it more and more frequently. The reason is mostly geopolitical, says the Communications Security Establishment (CSE), the federal agency responsible for computer security in the country. In a report published last December, the CSE concluded that Canada is a prime target because it is a close ally of the United States which does not have a cybersecurity policy as bellicose as its neighbour.
The risks of targeting its assets are perceived, by hackers who get caught, as lower than if they went after US elements directly. The CSE has also listed 235 ransomware cyberattacks in the country between January and November 2021. This makes it the third most targeted country in the world by this type of attack, adds the IT firm NordLocker.
One more price to pay
The CSE is well aware of the seriousness of the situation, but its powers are limited. He would not have the means to impose on Canadian companies a decree like that of President Biden. The Treasury Board of Canada and the Ministry of Innovation, Science and Economic Development should be involved in such a gesture.
That said, the newly adopted provisions in the United States could represent a lesser burden for companies doing business in Quebec who have already submitted to the directives of Bill 64 adopted by the Legault government last fall. It tightens the protection of personal information and privacy to minimize the risks associated with handling this data in an increasingly digitized business context.
This new reality adds further pressure on the growth of Canadian businesses, says Benoît Gagnon. Especially on SMEs, “which do not have the same resources” as the largest companies to adjust, and which must moreover deal with a double shortage of manpower: expertise in computer security is still more difficult to find than skilled workers in other fields of activity.
There is currently a shortfall of some 2.7 million cybersecurity experts worldwide, according to a pre-Christmas report by the International Information System Security Certification Consortium, or (ISC) 2, an international benchmark in the field.
As you might expect, the emergence of teleworking and the digital shift caused by the COVID-19 crisis have exacerbated the situation. “Companies have quickly adopted remote work tools and systems that do not all have the same level of security,” fears Benoît Gagnon.
national security
Since the spring of 2021, the US government has more than once accused China and Russia of ordering computer attacks against its infrastructure or against companies deemed essential to the proper functioning of the US economy. Both countries have denied their involvement, but the table is set for a new form of Cold War, where what is at stake is more about cybernetic borders than geographical ones.
The main strategy: to weaken the supply chains of its rivals with great blows of malware or ransomware attacks. In recent months, key infrastructure in the US energy, food and cloud services sectors have been the target of such maneuvers.
US Homeland Security Secretary Alejandro Mayorkas now considers ransomware, snippets of code that lock down computer systems and demand a ransom to restore them to function, a national security threat. Last summer, President Joe Biden issued an executive order that forces an ever-growing number of businesses to adopt best practices in cybersecurity. They must also report any attempted cyberattacks targeting them.
Chris Inglis became the United States’ first National Director of Cybersecurity last July. Its role: to develop and orchestrate the deployment of a defense strategy against cyber threats that engages both government agencies and American private companies.
Experts expect him to publish directives in the coming weeks framing several sensitive sectors (food, aviation, aqueducts, etc.) to prevent them from being the next victims of this cold war in cybernetic publishing. Canada will sooner or later have to adjust to this new cyber reality.