S3-Episode 7: Unmasking digital threats: How to guard against cyber crime

Hello, I’m Patricia Kosseim, Ontario’s Information and Privacy Commissioner, and you’re listening to Info Matters, a podcast about people, privacy and access to information. We dive into conversations with people from all walks of life and hear real stories about the access and privacy issues that matter most to them.

Hello listeners, and thanks for tuning in. From data breaches to phishing scams, the internet can be a haven for schemers and hackers lurking in the shadows. They’re always looking to steal sensitive data held by organizations or to trick individuals into disclosing personal information, compromising their privacy and financial situation. We hear about this almost every day with news reports of attacks targeting organizations, large and small, especially through ransomware, and the effects can be devastating. Affected organizations can be locked out of the data they need to operate, services that citizens rely on, and throwing open the door to identity theft, economic loss, and reputational damage. It takes years to build trust in an organization, yet only seconds for a cyber attack to bring it all crashing down.

In our increasingly connected world where data breaches and online threats have become all too common, it’s more important than ever to understand the digital threats that are out there. Whether you’re a tech enthusiast, a professional looking for insights, or a concerned citizen, this episode is for you. We’re taking a deep dive into the world of cybersecurity with our guest, Jason Besner. He’s the director of partnerships at the Canadian Centre for Cybersecurity. His group is responsible for managing strategic engagements with Canadian and international partners to protect the cybersecurity of Canadians. Jason, welcome to the show and thank you for joining us today.

Jason Besner:

Very happy to be here. Thank you.

PK:

To begin, can you share a little bit about your background and what led you to the fascinating work that you do today?

JB:

Well, I’ve been with the Communication Security Establishment of which the Cyber Centre is a part of for going on 21 years now. I joined just on the other side of 9/11 when there was a lot of focus on security, really aligned with my education, my value set, and was looking to join the public service, and so I joined on the security and intelligence side, working operations for about 13 to 14 years, three years of which was spent on the secondment to CSIS. I’ve been with the Canadian Centre for Cybersecurity now for going on eight years and been very lucky to lead fantastically talented teams in incident response, strategic threat assessments, analytics, discovery, and now partnerships.

PK:

Tell us what’s the mandate of the Canadian Centre for Cybersecurity?

JB:

In a nutshell, we’re the technical authority, we’re Canada’s technical authority for cybersecurity. We’re part of the communication security establishment. We’re the single unified source of expert advice, guidance, and services on cybersecurity for Canadians and Canadian organizations.

We of course don’t do this alone. We work with other Canadian government organizations and departments, critical infrastructure. We work with Canadian businesses, academia and our international partners, all to weave together each of our own talent skills and mandates to work together as a team to make Canada a harder target for cyber threats.

PK:

Hence your title, Director of Partnerships.

JB:

What I do.

PK:

In very simple terms, Jason, why does cybersecurity matter?

JB:

Cybersecurity matters because it’s a greater risk than most people realize, both for the personal information and to organizational information and to the critical services on which we rely. It matters because there are constant attempts and malicious actors looking to breach our systems, looking to steal information, whether it’s through impersonation, through fraud, through cyber attacks. This is a very lucrative business. It is generating a lot of money. It has grown into a very sophisticated business. There’s an entire underground marketplace where you can hire people to do this kind of work. It’s a big concern because, as you said, one attack, getting through can be absolutely devastating for an organization.

If I can just give you a quick number of detected incidents and reported incidents, there are about 2,000 in 22/23, and on average we block up to five billion malicious attempts on government of Canada systems a day. So roughly about a one billion to one win-loss ratio, but that one can absolutely wreak havoc on an organization not only on its current business, but its future business, its reputation, and on all of the data that it holds on its clients and partners.

PK:

Wow. Pretty stark numbers. Can you give us a very tangible example of how the Cyber Centre can help a Canadian organization following a cyber incident?

JB:

We have a number of services that we have available to us, but we do absolutely encourage any organization that thinks that it’s been a victim of a cyber attack to reach out. We have an incident management team that can provide forensics and analytics and even just general support on the process of incident management, to walk you through it, which today includes comms strategy, an internal strategy, a business continuity strategy. So there are a lot of facets that once you’re hit, if your data is locked up or if you’re shut down, you may not know where to start first and this is where we’re here to help you guide through it.

If it’s a criminal matter and something that’s better pursued with colleagues at the RCMP, we’ll make those connections for you. But we do use our full suite of powers and mandate and partnerships, we bring that to bear whenever we’re supporting. That includes our classified data sets from foreign intelligence, it includes information available to us from international partners. So there’s a lot of unique expertise and data that we can bring to bear to try and help.

PK:

You mention that you’ve been in this game for a long time. In fact, you started in this area shortly after 9/11, so you’re in a good position to describe how the landscape of cyber threats has changed over the years and in particular since the pandemic. How do you think things have changed?

JB:

It started moving under its own momentum. It started creating bigger payouts and started lowering the bar for access for cyber criminals. This is something that we saw when we saw the marketplace develop and we saw that services, malware, software infrastructure platforms, all the things that you need to launch a successful attack and to profit from it, were made a lot easier. It used to be that you had to be a fairly sophisticated act or you’re acting on your own or you’re a group that had experience in doing this, but the bar has been lowered, so a lot more people are entering it.

At the same time that it’s become more accessible to more threat actors, the pandemic really accelerated the number of potential access points or what we like to call the threat surface. So it expanded the threat surface by taking what used to be an enterprise level control of a security architecture and extending that network to people’s homes. Where you used to have fairly locked down work devices and servers and networks, you now had to very quickly contend with all of these new connections into that network, all of the new devices into that network.

We like to say threat surface might be like a house, whereas every time you add a new door or you add a new window, you’re adding a certain number of access points, but potential access points to your home. With the proper locks, the proper alarm systems, et cetera, you can control that. The pandemic introduced a larger threat surface, but that doesn’t mean that it can’t be mitigated, that it can’t be protected, but people just need to think in terms of what they’re introducing and how to protect them.

PK:

You’re referring particularly to, of course, remote work that was forced as a result of the pandemic, but organizations didn’t necessarily have all the tools in place, including the VPN and the security systems, to accommodate all of that change in such a rapid short period of time. Do you think things are getting better now?

JB:

I think things are stabilizing in terms of the recognition of what needs to be done, there’s also a larger global shift in workforces to work hybrid or slowly come back to the office. I think that they’re trying to accommodate the best of both worlds from a business and personnel practice, but I do see a lot more organizations, whether they’re public or private, starting to take that a little bit more seriously and have stricter standards for how you connect things to the enterprise network, introducing better segmentation, better access privileges. All of these things are designed to keep bad actors out, or if they do happen to get in, to limit the damage that they can cause.

While the trends are continuing, I mean we just have to look at the recently published cyber crime report or our national cyber threat assessment, we’re doing more and more in connecting with more and more partners to grow the team, the defense team, but the numbers continue to trend up. I am encouraged when I meet with groups one-on-one or teams or organizations one-on-one, but we can’t take our eye off the ball for one minute.

PK:

Looking a little bit forward towards the future, are there any evolving trends that the centre is seeing on the horizon? What are some of the evolving risks that we will be seeing in the next few years?

JB:

I can certainly start with the geopolitical risks. A certain level of volatility will introduce conflict between two nations, for example. We will also see commensurate cyber activity rise with those traditional conflict mechanisms. It’s something, for example, that we’ve seen between Russia and Ukraine. We will see conventional warfare means being matched by escalating cyber warfare.

What I would say to Canadians and what I’d say to those that are not directly impacted by the conflict, is that cyber threats are not necessarily controlled in a certain environment or in a certain theater. A good example of that was the WannaCry ransomware that was released by North Korean developers in order to raise funds. It wound up getting out in the wild and going worldwide until it knocked out the UK’s National Health Service. That wasn’t the intention whenever the malware was developed, but it’s something to think about, is as these actors are using a particular technique against an energy grid, then that’s a good sign for all people in the energy sector to start buttoning up and taking a look at their own defenses.

PK:

And sadly, of course, we’re seeing more conflict in the Middle East and it’s scary to think of what will come out of that. What are some of the basic things institutions, big and small, can do to level the playing field against cyber criminals?

JB:

The first thing I would do is make room for it at the C-suite table. There needs to be a champion, it doesn’t have to be entire department if you’re a smaller organization, but there needs to be a champion for cybersecurity, somebody that’s responsible essentially for engendering a culture of security, a culture of awareness, a culture of good training, and good basic cyber hygiene practices. It can’t be thought of as a problem that the service desk or the IT folks are going to solve for you, this really takes advantage not only of technical vulnerabilities, but this space takes advantage of human behavior, something we call social engineering. So it really is everybody’s responsibility to consider what their role is, to know what to do if they happen to be victimized.

And pay attention to the basics. I would tell any large, small, medium organization or an individual, that you will defend yourself against most cyber threats by doing the basics, having strong and unique passwords using multifactor authentication and making sure that any internet exposed or externally facing equipment or hardware or architecture is properly patched and has all of its security fixes.

These are things that will defend you against the lion’s share of the threats. And whether you’re a nation state, a very sophisticated cyber criminal group or just a hactivist, you’re always going to use the cheapest and lowest profile way to get into a network. You’re not going to use your top shelf, five years in development, zero day malware if somebody’s running a web browser, which is out of date, and you can walk right in with malware pulled off the internet.

PK:

It used to be, I think that the victims or targets of cyber criminals were the large private sector organizations with deep pockets, but we’re seeing more and more public institutions being attacked by cyber criminals, in particular municipalities, universities, schools, hospitals, governments. How is that trend evolving? Why is it happening and how resilient are public institutions to these kinds of cyber threats?

JB:

I would think that it’s evolving for two reasons. One, the tactics of those perpetrating ransomware have changed a little bit from just locking down information until somebody can pay a ransom in order to have access to the information. They really moved to threatening to expose information, as personal identifying information of their clients for example, something that will cause real reputational damage. So they’re targeting organizations that simply can’t afford to take that risk, in the hopes that it would lead to a faster negotiated payout.

They’re also targeting public organizations that simply can’t afford to be offline. We’re talking about hospitals, we’re talking about police services. These are emergency services, they’re lifesaving services that people need, and unfortunately, cyber criminals know that. They know that they cannot be offline and that the pressure will be on immediately if they can have a successful attack. Those are two reasons, a change in tactics and a little bit more sophistication in target selection that we’re seeing from cyber criminals.

I would say five years, it was very much a “pay and spray” type technique, as they would find a vulnerability and they would just launch attacks at any vulnerable system. They didn’t even know necessarily which organizations would be vulnerable until they landed a first level hook into the system, and that would report back to say, hey, we’ve got a system to attack. Now, as you say, they’re going a lot more for these deep pockets, but also organizations unfortunately that are emergency services and other of the like that can’t afford to be offline.

PK:

In fact, I think we’re seeing trends in the number of attacked organizations that do pay out ransoms and in the size of the ransoms that they pay. Is that correct?

JB:

That is absolutely correct. The average ransom payment in 2022 was over 250,000 Canadian dollars. So that has definitely trended upwards over the last few years.

PK:

Wow. That’s a lot of money for any organization, let alone public institutions that are strapped for resources. Your title is Director of Partnerships, so let’s dig into that a little bit. With whom do you partner and what does partnership with the Cyber Centre look like?

JB:

We partner with Canadian critical infrastructure, but my mandate really in partnerships is to work with organizations that may not have heard of CSE in the past and make them aware of the Cyber Centre, make them aware of what we can do. I want to connect organizations that need our services with the full weight of the Cyber Centre, which is backed by all of the missions in CSE. It’s backed by unique classified intelligence and services and expertise that are gold standard when it comes to cyber defense teams. So it’s an awareness campaign to make people think about the threat seriously, invest commensurately, prioritize commensurately, and make sure that they’re considering cyber risks on par with other risks to their organization, and then trying to make the advice, guidance and services of the Cyber Centre available to as many Canadian organizations, academia, research, other levels of government that we can. So it’s trying to make those connections essentially.

We can’t do that in terms of a one-to-one relationship, so a big part of my strategy and what we’ve learned over the last four years of the Cyber Centre is to find aggregators and amplifiers. As much as possible, we try to work with organizations that can then amplify our message about taking their cybersecurity more seriously.

PK:

That includes, I imagine, third party service providers, on whom many organizations rely and I think are also increasingly the target of cyber attacks because they can, with one fell swoop, shut down many organizations that rely on those service providers. Is that fair to say?

JB:

Absolutely. One of the critical infrastructure sectors with whom we have deep relationships is the information and communication technology sector, which includes a lot of these large technology vendors and managed security service providers, which do have hundreds of thousands or hundreds of thousands of clients. We try to work with those as well so that we might be providing advice and security that is protecting Canadians that they don’t know about, because we always want to know, in the electricity sector and the health sector, know who is it that you’re relying on? What technology are you relying on? And maybe we’ll work with them, you have a job to do, your strapped for resources. We’re going to try and make indirect progress in order to amplify the results and the impact for Canadians.

PK:

Right. Parliament recently enacted a law, the Critical Cyber Systems Protection Act to protect Canada’s critical infrastructure through risk mitigation and mandatory reporting, and to foster the kind of collaboration you’re speaking about between government entities and operators of critical infrastructure through information sharing among other things. How are things likely to change with that law?

JB:

It’s certainly advancing a lot of conversation, which I think is excellent. The conversations that we’re having with our sectors now are talking about standards, they’re talking about baselines, they’re talking about when and with whom to share information to get support, and at what point. These are all excellent conversations to have. All of the Cyber Centre’s advice, guidance, expertise and services are voluntary. We are not a regulator and it’s not compulsory to follow our advice. So I think having these discussions is very important to understand what that threshold is, what you can manage yourself, how you’re responsible for some information that belong to Canadians, some information that belongs to partners or critical services that you rely on, and it behooves us as a society to work together on this and make sure that there’s a baseline of security that is adopted in order to protect these systems.

What the Bill is proposing is to essentially set a standard for four sectors that have been identified. This is the telecommunications, the finance sector, the energy sector and the transport sector, and then to have regulators establish standards and enforce compliance. The Cyber Centre’s role is to provide advice, guidance and expertise, providing to owners and operators of critical infrastructure systems. We’ll also be providing that advice and guidance to regulators.

In essence, our role is to help all that involved to make sure that the standard and the threats are pragmatic and born out of experience. And there’s also going to be a reporting function where system operators will be required to report cyber incidents and the nature of the incidents. It is going to start a regime of information sharing so that the Cyber Centre can have a better picture, because of course our aperture is foreign. We have a foreign intelligence mandate, and then we have a ministerial authorization that allows us to defend federal government departments. When it comes to critical infrastructure, we are very much reliant on sharing of information. We need Canadians to report that to us. We need sectors to report information to us so that we can understand the threat from their lens and make sure that our advice and guidance is relevant and actionable.

PK:

Historically or traditionally, organizations have been skittish about sharing information with government with respect to cybersecurity matters. Do you think that’s changing over time?

JB:

I think that there’s some hesitance not only to share with government, but also even to share within their own sectors and their own communities. And there’s a certain weight of competition and business reputation. Where we will see other variables enter the fray, our legal privilege as well as contractual obligations should an organization already have retained services of a managed security service provider. That’s something that we have to contend with.

We’ve made a lot of progress in certain sectors to have what would be competing organizations set that aside, because everyone knows that if a cyber threat actor is knocking on your door, it’s likely going to be your neighbors next. We’ve done well to bring together communities of interest within the sectors and encourage them to share amongst themselves where we’re there as an enabler. We’re there to provide our expertise, but it really works the best whenever they share information amongst themselves. It takes a long time to build that trust. I think with organizations working with the government, of course they have to see value, and that’s what we try to provide. We try to provide unique value and insights with these organizations and hopefully it catches on.

PK:

Let me segue now to the growing spread of misinformation and disinformation online that seems to be becoming ever more pervasive. Has the Cyber Centre observed any particular trends related to the spread of false information online?

JB:

We started paying a lot of attention to it, as most of the world did, in 2016 during the US election. We started paying a lot of attention to it in terms of election interference, but one of the trends that we rapidly saw was the perceived successes of some of those tactics, and they started spreading beyond election interference or misinformation strictly around the political sphere. We started seeing misinformation in the news and echo chambers developing all over the internet in all kinds of topics. That’s something that we saw, is that there was a perceived success there, and so a lot of others started adopting it to amplify their message or their position, not necessarily grounded in acceptable facts.

What we’re seeing more recently is the use of AI techniques and tools that are available and free to further amplify that and to get the purported message out even further. So we are seeing a big increase in it. It’s concerning. It’s concerning as a cybersecurity professional, it’s concerning as a citizen and taxpayer, that a large portion of the population don’t necessarily get their information from the news. I think in our first national cyber threat assessment, there was a significant amount of Canadians received their news from social media. Staying ahead of that, identifying it and looking at information with a critical eye is probably more important now than ever it was.

PK

AI can certainly help enable the cyber criminals, but what about how AI can help enable mandates like yours?

JB:

Well, I’m glad you asked. We’ve actually been using machine learning, which is a subset of AI at the Cyber Centre for some time. We say that our defenses run 24/7, and while we do have people working shifts 24/7, most of our defenses are automated and they run 24/7 without human intervention. That is the first level analysis layer, and we have two ways to detect incidents and we’ll call them deterministic, where we know of a specific website or a specific IP address that is known badness. And so the action we take is don’t let your networks connect to this location, but then they will just move. Usually that information is relevant only for a matter of hours before the threat actor will adapt their techniques.

It makes a lot more sense to gear your defenses around anomalous behavior or systems or processes within your networks that are not behaving as expected, so you introduce a little bit of open variables there, or non-deterministic variables. We use machine learning, essentially, to program models to say, this is a model that is acceptable behavior and this is a model that is suspicious behavior. And if we’re certain that we can identify suspicious behavior with no false positives or a very, very low rate, then we can take action on it. But if the false positive chance is higher, then it gets triaged for human analysis.

PK:

That’s a great example of a way of combatting really what is an ever-changing and morphing threat that never reappears exactly in the same form. That’s a great example. Thank you for that. I want to turn now to focus in on individuals, people like you, me, people listening to this podcast. What in very practical terms can individuals do to better protect themselves against cyber threats?

JB:

I’ll address the social engineering aspect, because it’s not very technical and it’s more in the realm of fraud, good judgment, critical thinking. The single most popular entry vector for ransomware and other cyber attacks remains phishing. That is using an email or communication designed to trick the recipient into clicking a link or downloading an attachment that will introduce malware to the system. The way that phishing succeeds is by catching someone off guard, catching someone distracted. We saw a huge explosion in these attempts during the pandemic because certainly threat actors knew we were working from home, we were juggling a lot of things, people were concerned, and so you saw an increase of this and you saw individuals or users that wouldn’t normally click on something, click on it because they were doing too many things.

That’s the advice that I would give is, think about how you’re receiving communication and how maybe a partner with whom you have business or you have a personal relationship would be asking you for information. Does your bank normally ask you to provide this type of information in this medium? Do you normally get a text from the Canada Revenue Agency asking you to verify credentials? These are not typical ways that mature organizations will act or try to receive information. There are certain red flags no matter how well written or how well crafted it is, if it doesn’t feel right, ask questions and investigate. If you’re working for an organization, report it to your IT department, ask them to take a second look at it because it looks suspicious.

The other thing that I would point Canadians to is all the resources at getcybersafe.gc.ca. These resources are really designed for anybody to be able to use and to adopt into action. As I said before, the basics will thwart the majority of malicious cyber attempts. This is, how do you use your mobile phone securely, using a VPN to encrypt your traffic if you’re traveling instead of using public wifi, for example, paying attention to where you download your apps from, to making sure that they’re secure, making sure that you don’t say no when an app asks you to use multifactor authentication. These are all very user-friendly guides that can take you through the basics and really just make you a harder target. The great mass and the great volume of these attacks are not terribly sophisticated, so with these few steps that you can take to protect yourself, you just want to encourage an actor to move on.

PK:

There are some great practical tips and takeaways there. Finally, Jason, I want to ask you, what advice do you have for us as information and privacy regulators? What can offices like mine do to help individuals and organizations combat cyber threats?

JB:

We’re trying to get Canadians to realize the value of the information they hold. When we’re looking at data sets for an individual, for example, you have privacy information, identifying information, you’ve got your financial information, if you move out a layer there, you look at an organization. An organization has all of the valuable information that a person has, but they also have intellectual property, they’ve got their own banking and financial information, they’ve got research, they’ve got proprietary technology. Expand that out again to governments and critical infrastructure, and you’re talking about critical infrastructure services added to that valuable information. So everybody holds that information and everybody holds value for cyber criminals.

The message I would say is information and bringing people along makes a lot of sense, and also having standards. Regulators are there to set standards and enforce compliance, and cybersecurity is no different than physical security in terms of what we should be paying attention to and prioritizing to protect those valuable assets.

PK:

Well, Jason, thank you so much, and before we close, I just want to ask you, any parting thoughts you’d like to share with listeners?

JB:

Of course, we’re always hiring. As we well know, the industry is facing a bit of a talent and skills gap in some of the areas that I covered today. So if you’re thinking about a career in STEM or in technology, please pursue it. There’s lots of exciting opportunities, and if you’d like to see some of the streams that we’re hiring in, please visit our website and apply.

PK:

Thank you, Jason.

JB:

Thank you for having me.

PK:

For listeners who want to learn more about the resources available from the Canadian Centre for Cybersecurity, there are links in the show notes, and as Jason said, you can read more at getcybersafe.gc.ca. My office also has a variety of technology and security resources, including fact sheets on how to protect against phishing and ransomware, and they’re available on our website at ipc.on.ca. We’ve also included a link to another Info Matters episode about how you can protect yourself from phishing. And you can always email or call our office for assistance and general information about Ontario’s access and privacy laws. Well, that’s a wrap folks. Thank you so much for listening, and until next time.

I’m Patricia Kosseim, Ontario’s Information and Privacy Commissioner, and this has been Info Matters. If you enjoy the podcast, leave us a rating or review. If there’s an access or privacy topic you’d like us to explore on a future episode, we’d love to hear from you. Send us a tweet @IPCinfoprivacy or email us a [email protected]. Thanks for listening and please join us again for more conversations about people, privacy and access to information. If it matters to you, it matters to me.