Canada’s Cyberattack Reveals Need for Greater Government Resilience

Last Wednesday, the government of Canada was the target of a distributed denial of service (DDoS) attack that took down multiple federal websites, including those of the Departments of Justice and Foreign Affairs. The hacker group Anonymous is claiming responsibility for the attack, stating in a tweet that it was executed to protest Bill C-51, the government’s then-proposed anti-terrorism legislation.

Bill C-51, which is now law, has been a political lightning rod, attracting critical comment from a range of sources who argue that it fails to properly balance security considerations with competing factors such as the protection of civil liberties. Among the expressed concerns are the increased powers conferred upon the Canadian Security Intelligence Service (CSIS) to disrupt terrorist activities, particularly in the absence of heightened CSIS oversight. In a YouTube video released last Wednesday, Anonymous contended the bill was in “violation of the Universal Declaration of Human Rights” developed by the United Nations.

From a cybersecurity standpoint, Canada has had a rough run lately. The DDoS attack comes on the heels of a House of Commons warning issued two weeks ago to employees on its network, saying that they were “currently being targeted by several cyberattacks.” However, initial reporting of “the theft of large volumes of personal data” was subsequently refuted.

Cyberprotests on political or policy grounds are not a new phenomenon globally. Nor is this the first time that such a protest has been directed against a national government. Estonia was targeted back in 2007 and that incident, which unfolded over a period of weeks, affected both the public and private sectors. In its aftermath, Estonia redoubled its efforts to be cybersecure and resilient.

How quickly and how effectively will Canada rebound from the latest incident? And what will Canadian cyberstrategy and doctrine look like moving forward? These questions are critical as the spectrum of cyber-threats continues to widen and evolve, growing ever more sophisticated and ever more adaptive, in response to countermeasures that targeted countries and companies have put into place.

While “hacktivists” may seek to draw attention to their cause and embarrass their targets, other actors such as criminal groups or nation-states may strive to siphon or destroy data for a variety of purposes. These include the pursuit of simple profit, and complex espionage designed to map the target’s critical infrastructure. Canada is no stranger to these types of threat.

Researchers have estimated, for example, that the cost of cybercrime to Canada’s economy ranges into the billions. Likewise, Canadian authorities acknowledged last year that the country’s National Research Council—a hub of scientific and technological expertise—was the subject of a state-sponsored cyberattack attributed to China. And senior officials have been advised that cyberthreats to Canada’s energy infrastructure have been climbing for several years running. Unfortunately, this list is just illustrative, not exhaustive.

Canada is not alone, however. Worldwide, cybersecurity breaches are occurring at a staggering pace and volume. In the United States, for instance, implications from the recently announced massive breach by Chinese hackers of US government databases containing the most sensitive personal information of millions of federal employees, both past and present, continue to unfold.

The potential ramifications of these attacks are serious and wide-ranging. Indeed, former head of US counterintelligence for the Director of National Intelligence, Joel F. Brenner, has described the breach in the following terms: “This is crown jewels material … a gold mine for a foreign intelligence service … This is not the end of American human intelligence, but it’s a significant blow.”

The US breach set in train “a 30-day Cybersecurity Sprint” directed by the White House, intended to test and patch vulnerabilities in federal networks, cut back on users with privileged access, and exponentially increase the use of “multifactor authentication,” which provides more protection than a password alone.

The challenge for countries as well as companies is magnified by the nature of the cyberdomain, where the advantage lies with the attacker. A defender can spend billions on cybersecurity and must succeed every time, whereas the attacker must only succeed once.

At the same time, attribution and borders complicate responses. Cyberattackers may strive to mask their identity and geographic location, while the nature of cyberspace serves to facilitate this goal. The target, in turn, may have difficulty determining the source of the strike; and even if known, may have limited reach and recourse. Cross-border (and cross-sector) cooperation is therefore needed, in part to share information about threats, and to carefully calibrate an effective response. Notably, in this regard, Canada, the United States, and Mexico undertook “the first trilateral consultation on cyber policy” in a North American context just last week.

Against this background, in which any entity, public or private, is only as cybersecure as the weakest link in the chain, it would be prudent to make resilience a priority. Efforts in this area also pack a dual punch. Keep in mind that a powerful storm can be as big a threat to the power grid as an advanced and persistent cyber-actor. The ability to bounce back remains crucial regardless.

Turning back to Estonia, when the country was attacked in 2007, it took a creative and committed approach, sustaining its innovation and will over time in order to bolster its cyber posture. Today, the country is recognized as an international leader in this area. Among other things, the country’s capital city is host to NATO’s Cooperative Cyber Defence Centre of Excellence.

Canada, and other countries similarly attacked, could take a page from that playbook, drawing upon policy and technology talent from coast to coast, to turn challenge into opportunity.

Sharon L. Cardash is Associate Director of the George Washington University Center for Cyber and Homeland Security in Washington, DC. She served as Security Policy Advisor to Canada’s Minister of Foreign Affairs from 2002 to 2004.