Canada is an ‘Attractive Target’ for Cyber Spies
The following are the transcribed remarks of John Forster, chief of Communications Security Establishment Canada, at the government technology conference GTEC 2013 in Ottawa on Oct. 9. Portions have been translated from French.
Today I would like to talk to you about cyber security and the government of Canada. First I’m going to provide a little bit of background information on my organization, the Communications Security Establishment, [and] describe the rapidly evolving cyber environment which we in government work—both the good and the bad.
I’d like to talk about the four categories of cyber actors out there, [and] discuss what all of this means for the government and what CSE is doing about it. And finally, what departments could be doing to better protect themselves.
Unique technical capabilities
The Communications Security Establishment is Canada's national cryptologic agency. Under the National Defence Act, we are mandated to provide the government of Canada with three key services.
First, we collect foreign communications signals intelligence to support the government in national security, defence, and foreign policy.
Second—and this is the area that we’ll focus on today—we provide IT security products and services to help government systems and networks and their information be secure.
We also work with Public Safety and the private sector to protect critical infrastructure of vital importance to the nation.
And finally, because we possess unique technical capabilities we also assist, where warranted, law enforcement and national security agencies.
Our first mandate, our foreign signals intelligence role, is certainly being talked a lot about in the media these days. I used to go on much longer to introduce CSE to an audience, because very few people had heard about us, and my introduction is much shorter now.
I’d like to talk a little bit about it, although because of the classified nature of our work, I am sure you can appreciate that I won’t be able to say too much.
But I did want to stress, given the recent reports: everything that CSE does in terms of its foreign intelligence mandate, follows Canadian law.
Second, I can tell you, we do not target Canadians at home or abroad, in our foreign intelligence activities, nor anyone in Canada.
In fact, it’s prohibited by law. Protecting the privacy of Canadians is at the heart of everything we do.
And finally, everything we do—and I mean everything we do—is reviewed by an independent CSE commissioner. He and his office have full access to every record, every system, and every staff member, to ensure that we follow Canadian laws, and respect Canadians' privacy.
In 2011, we became a standalone agency reporting to the minister of national defence. And although we are part of the defence portfolio, it is critical to note we work on behalf of all of the government.
For the past 20 months, it has been a privilege to lead what I’ve found to be a most remarkable organization. CSE employees are some of the country's most highly skilled mathematicians, engineers computer scientists, translators, and analysts. We speak over 64 different languages, and I can tell you, they are dedicated, professional, and committed to protecting Canada and Canadians from foreign threats every day.
Hooked on the net
The world in which we work, cyberspace, is changing so rapidly. And you may not know that actually, Canada invented cyberspace. Well, at least the term.
It was first coined by Canadian science fiction writer William Gibson in 1982. He defined cyberspace as "the consensual hallucination that takes place when humans interact with computers.”
“Consensual hallucination”—I think he nailed it.
And now, we’ve got 2.7 billion Internet users. Every day, 200 billion emails are sent, 1.1 billion Facebook accounts. The Bank of New York alone processes three trillion transfers each and every single day.
The tremendous growth of the Internet has become a fundamental part of our lives. It underpins how our economy functions, how we provide government services, how we communicate, even our daily social interactions.
But as cyberspace has grown, the security of these systems, and the information they contain, has become an urgent priority.
And boy are we hooked! More than 85 per cent of Canadians are online. We learn, shop, bank and socialize instantly with the click of a mouse. In fact, Canadians spend more time on-line than any other country, double the average. It probably has something to do with our cold winters.
Internet technology is transforming our economy. Canadians placed orders for more than $20 billion in online sales in 2012. And Forrester Research predicts this will climb to almost $34 billion in 2018.
All sectors of Canada's critical infrastructure rely on digital technology. Computer networks help deliver oil and natural gas, operate power stations, deliver water, underpin public transportation, and air traffic control systems.
So this pervasive use of systems: what does it mean for Canada? As a market economy, heavily dependent on trade and foreign investment, we rely on secure and open networks of communications.
People, governments and business depend on the rapid, reliable transmission of ideas, information and data through cyberspace.
However, it is a space that was designed without security in mind. There are no geo-spatial boundaries, no rules of behaviour, and anyone can easily hide their identity or cover tracks of their nefarious activities.
Four groups of concern
So this growing interconnectedness of systems, that brings such tremendous and rich benefits, also makes our systems more vulnerable to those who would seek to access, compromise, manipulate, or even destroy your information.
Reports estimate there are 60,000 new malicious programs identified every day. One in every 200 emails contains malicious software. Former FBI director Robert Mueller testified last year that cyber threats will surpass terrorism as the number one threat facing the United States.
Think about it. You can now go online and buy a botnet for as little as $250 with a credit card—and, get 24/7 support. And one botnet is reported to have stolen the credit card and banking information from almost 13 million people.
So who and where are the primary cyber actors of concern in securing your systems? We generally identify four groups.
Hacktivists: These are activists who use computers and networks to promote political or social causes. You’ve heard of some of them, like Anonymous and LulzSec.
They use technology to produce results similar to conventional protest, activism, or civil disobedience. They usually involve overloading your target's website, altering it to get your message out, or to publicly shame their target.
And although this activity is increasing, proper cyber security measures and Internet service providers are getting better and better at mitigating their disruptions.
Criminals: the Internet is home to a huge underground economy rooted in criminal activity. The 2013 Norton Report, that just came out, estimates that cyber crime cost Canadians $3 billion in the last 12 months. That’s up $1.4 billion from the year before.
An estimated seven million people in Canada have been victims of cyber crime, and global losses are estimated at $1 trillion, far greater than the drug trade.
Terrorists: Cyberspace is used by terrorist organizations as a conduit for funding, recruiting, planning, intelligence and training. It is cheap, less risky and anonymous, making it a very attractive option. And as a more technically knowledgeable generation emerges, it is not unreasonable to assume some may begin to use cyber as a disruptive tool.
Nation states: We estimate more than 100 countries possess the human, technology and financial resources to conduct cyber operations on a persistent basis to collect intelligence, disrupt, or in some cases damage your IT infrastructure.
As the government of Canada IT professionals, this is the world you live in. Every day, you are working to protect your government networks, and Canadians' information, against one, some, or all of these groups. It's our job at CSE to try and help you do it successfully.
What we do
As you can imagine, the government of Canada is an attractive target for these actors because of Canada's strong economy, our technology, online government services, our international role.
Canadians want to deal with governments online, more and more. And more and more of our government services are going there. More than 130 government services are now online. You can do your tax return, file for unemployment insurance, and now do your passport.
And Canadians don't just want, they expect, when they deal with their governments online, we’re going to protect their information and their privacy. This is the fundamental challenge for everyone in this room.
Cyber actors are constantly probing government systems millions of times each day in fact to discover vulnerabilities—they are looking for weaknesses and openings into government and information.
The issue is not going away. Last year, the number of detected cyber incidents on government of Canada networks tripled in one year. Part of that is due to much better detection.
The good news is, the rate of actual incidents has dropped significantly because security is improving across departments.
In 2010, the government announced its Cyber Security Strategy, the first pillar of which, and the one where we’ve been focusing the most in the past two, three years, is securing government systems.
It’s not a simple task, when you consider the disparate nature of the government's networks—377,000 public servants, with more than 57,000 servers, and about 9,000 Internet connections.
Shared Services is making impressive progress in consolidating email, data centers and communications networks. And while one of the drivers behind consolidation was for greater efficiencies and savings, it has been an amazing success in terms of better securing our networks and information.
As Shared Services transforms the government’s IT infrastructure, CSE is working hand in hand with them to ensure security is built right in from the start.
Security requirements are being embedded into the procurement processes. For example, security is baked into the design and procurement of the new government-wide email system.
Thirdly, CSE operates the government of Canada’s Cyber Threat Evaluation Centre, known as CTEC. We deploy detection and discovery capabilities for sophisticated cyber actors.
We then share that information with Shared Services, with departments, so they can understand what’s coming at them, and how to best mitigate it. We also work with Public Safety, to share that information with private sector, to protect critical infrastructure in Canada.
Fourth, CSE is leveraging our foreign signals intelligence to better understand cyber actors and thwart their efforts before they reach our networks. Our intelligence allows us to recognize malware and viruses that can go undetected by commercial anti-virus technologies.
We do that by leveraging information from an alliance called the Five Eyes partners—the United States, the United Kingdom, Australia, and New Zealand. We constantly, amongst those five countries, share information on evolving cyber threats, new actors, how techniques are changing, and ways to mitigate them. We tap into that vast pool of knowledge, and then help make it available to you.
Six, CSE plays a leading technical role in defining IT security standards, policies, and guidance working with the CIO at the Treasury Board Secretariat, Corinne Charette. We provide tailored advice for large government projects.
Seven, we work with industry, to help them make their commercial projects more secure, when they’re being considered for government use.
And finally, eight: training. We have an IT Security Learning Centre that provides training and awareness for all government IT professionals. If you haven't been to a CSE course, visit our booth, go online, see what courses are there for you and your teams.
And finally, CSE also provides solutions that protect the government's most sensitive and classified information with specialized encryption technology.
What departments can do
Better intelligence, better sensors, better technology, consolidation, will take us only so far. Human behaviour is also critical. Because, frankly, we don't always make it very difficult.
For instance, we unwittingly infect our networks by using the same thumb drive that contains malware on both unclassified, and then plug it in to our classified networks.
We’re not always using sophisticated and current administrator passwords. We’ve seen some passwords on administrator systems that haven’t been changed in over 10 years.
And we’re not alone—Canadians are very typical of that. Thirty per cent of them have never changed a password in their life.
Using outdated software: There are users of Windows 98 for which security patches stopped in 2004. This means vulnerabilities exist, and presents an open door. There is a big push in government to get everyone upgraded to Windows 7 by April 2014 that can be better secured.
You must focus on your most precious assets: your information. Canadians expect us to secure holdings that contain their private information, and you need to put your best security practices against your most targeted and valuable assets.
To help departments, we have developed the Top 35 Mitigation Measures. It provides the best practices to help mitigate against vulnerabilities in networks that facilitate cyber intrusions.
We believe implementing the top four of those 35 measures would prevent between 80 and 85 per cent of the intrusions that we see coming at the government of Canada. Do four things, you’re going to fix 80 per cent.
They are for example, application whitelisting. We all love apps, we all love to download apps, whether it’s at home, or on our mobile phone at work. But we need to make conscious decisions about allowing any unapproved software on government networks. If we can stop it at the front end, the issue is eliminated before it begins.
Always patch third party applications, to have the latest versions of software. This ensures that known vulnerabilities are patched and protected.
Third, patch your operating systems. Just like applications, updating your operating software will minimize those risks.
And finally, review your administrative privileges, and make sure they are current, up to date, and what you really need.
Cyber security becomes even more challenging with mobile technologies.
In Canada, over 74 per cent of us own and use at least one mobile device, and 62 per cent of those are smartphone owners. And one in four public servants is issued a Blackberry.
These technologies are absolutely fundamental, and they are the wave of the future for how we want to work, and how Canadians want to interact with government. But they introduce new vulnerabilities, and of course we need to take special steps to secure them.
As a final thought, let me leave you with this. You and I have an enormous challenge—how to protect an environment that is easy to attack, difficult to defend, has thousands of entry points, and operates at millisecond speeds.
One malicious cyber actor can cause significant and costly damage to our systems and put sensitive information at risk.
But cyber security is a team sport. It takes all of us, IT practitioners in government, specialists in industry, working together to ensure we can have a secure and agile government that is open, collaborative, mobile, and relatively secure.
Cyber security is here to stay. It is not going away. It is growing and getting more sophisticated. It is no longer the domain of the IT specialist, or the departmental security officer. It is now a critical responsibility of every CIO in every department, and every deputy minister as well.
Transcribed by Carl Meyer.
*This speech deviates from the prepared remarks that have been posted on CSEC’s website.