What Does State-Sponsored Hacking Mean for Canada?

September 26, 2016

A string of cyber attacks on U.S.-based organizations was perpetrated by hackers with alleged ties to the Russian government.

The leak of World Anti-Doping Agency (WADA) medical records this past month, including those of Serena Williams, Simone Biles, and the Canadian Olympic Women’s Soccer Team, is the latest in a series of high-profile hacks linked back to Russia this summer. The WADA hack, allegedly done in retaliation for the organization’s ban of much of the Russian Olympic team from Rio,[1] comes in the wake of the much-publicized hack of the Democratic National Committee in June.

The two hacks have been traced by cyber security firms back to two separate, and possibly competing, hacker groups, Fancy Bear and Cozy Bear, also known as APT 28 and APT 29, respectively.[2] While Russia has firmly denied being behind these hacks, various forensics indicate likely involvement. Cyber security experts have pointed out that the methods used in these hacks are identical to those used in other hacks linked to Russia, and traces in the metadata indicate that the documents were translated from Cyrillic.[3] Fancy Bear has been tied to GRU, Russia’s foreign military intelligence service, while Cozy Bear appears to be linked with the FSB, Russia’s internal security service.[4]

If these hacks were indeed sponsored by the Russian state, they are hardly outside of the norm. Cyber warfare appears to have become an increasingly common weapon in Russia’s arsenal. Russian hackers who are caught are given the choice between jail time and working for the country’s intelligence community, and while there has rarely been official confirmation, signs point to their work playing an important role in Russia’s increasingly aggressive foreign policy. In 2007, a disagreement between Russia and Estonia led to a wave of cyber attacks across the small Baltic state, later linked back to Russia.[6] Russia’s invasion of Georgia in 2008 was accompanied by cyber attacks that shut down communications and news agency websites.[7] Russia’s annexation of Crimea in 2014 was accompanied by a deluge of mainly low-tech cyber attacks on over one hundred government and industrial organizations in Ukraine and Poland.[8] Ukraine later blamed Russia for the cyber attack that shut down much of the country’s electrical grid in December of 2015.[9]

The hack of the DNC is also not the first time that Russia appears to have extended its cyber attacks to target the United States. Just last year, these same hacker groups were blamed for the hacks of the White House and State Department unclassified email systems, as well as those of the Joint Chiefs of Staff.[10]

The United States finds itself in a difficult position in dealing with these cyber attacks. While many security and intelligence experts have identified Russia as being behind the hack of the DNC, the American government has not officially done so. This differs from the approach that the White House has taken with similar cyber attacks, such as the North Korean hack of Sony in 2014, which led to official condemnation and sanctions. This is likely due to the United States having a far more complex relationship with Russia than with North Korea. “Naming and shaming” Russia runs the risk of revealing American sources and investigative methods, and it also threatens to further chill an already icy relationship between the two countries, especially as the United States seeks Russian cooperation in Syria. Further, the United States appears hesitant to start a cyber arms race between the two countries, which it fears will only make matters worse. The continued use of cyber attacks by Russia threatens the emerging norms surrounding cyber security, and makes it harder to define what is and is not an acceptable target for state-sponsored hackers to strike.

Russia’s seeming willingness to mount cyber attacks, and the precedent that it sets for other countries, is a serious issue for the United States, but it is also something for Canada to consider as the country’s Ministry of Public Safety holds a three-month public consultation on cyber security that began this past August. While the odds of Canada being the target of state-sponsored cyber attacks may seem low, it already faces the issue of criminal hacking, and it will be important to assess vulnerabilities and develop defensive strategies as such hacks become more frequent, or are the work of a foreign power.

Canada, like many developed countries, is increasingly reliant on critical infrastructure that depends on technology to function. Electrical grids, financial services, and transportation are reliant on electricity and the Internet, and present potential targets for hackers. Public Safety Canada has spent $245 million since 2010 on defending government computer networks and safeguarding critical infrastructure, and has earmarked $142 million to continue to do so over the next five years.[11]

Despite this expenditure, experts have warned that Canada is falling behind other countries when it comes to defending its citizens and businesses against cyber attacks. Documents obtained by the Toronto Star showed that the Canadian Border Services Agency has warned the Minister of Public Safety, Ralph Goodale, that a cyber attack on the organization’s facial recognition or fingerprint databases could result in barring innocent people from Canada, or letting in the wrong people.[12] A 2015 cyber security survey by Deloitte found that most Canadian organizations are not prepared for a cyber attack, and that 70 per cent of Canadian businesses have already been the victim of hacks, with an average cost of $15,000 per incident.[13]

While Canada has made headway on providing funding for the defense of critical infrastructure, it will be important to assess and address vulnerabilities that remain. Given the fast pace of technology, it can be difficult to legislate or plan policy against hacking, but there are steps that can be taken. This summer the Obama administration unveiled a policy to organize government responses to major cyber attacks, which included a streamlined colour-coded system to assess the severity of hacks of American companies, government agencies, and organizations, with the top ranking on the scale reserved for attacks against critical infrastructure. Critics have warned that the policy oversimplifies cyber security and underestimates the threat of thefts of information or money.[14] If Canada is to develop a similar policy in order to manage government response to cyber attacks, something it currently lacks, it will need to ensure that the plan reflects the complex nature of such attacks.

Canadian businesses need further education on the issue of cyber security. Researchers at the global technology firm Symantec noted that while larger financial firms in Canada have taken steps to secure sensitive data, smaller companies, which often do not believe that they are of any interest to hackers, are the victims of 60 per cent of targeted cyber attacks.[15] Canada has been slow to implement laws that would require companies and organizations to disclose hacks or thefts of data, meaning that many cyber attacks may be going unreported.[16] Addressing this gap in Canadian law by developing a reporting mechanism would allow for a better understanding of the hacks that are taking place, and how they can be prevented. Cyber security will only become a more pressing concern as states continue to use it as a tactic in foreign policy, and Canada will need to prioritize it if it is to keep critical infrastructure, businesses, data, and citizens safe.