OTTAWA — The Canadian government was warned in 2019 to expect more “aggressive” cyber attacks from the Chinese and Russian governments that will fall “just below the threshold of armed conflict,” according to a previously unreleased report reviewed by the Star.
The constant barrage of cyber attacks against government and private sector networks will be nearly impossible for the Canadian government to defend against alone, the report suggests. It urged the government to reach out to the private sector and across its own siloed security and intelligence agencies to co-ordinate the defence.
The report also suggests the threat could escalate based on Canada’s relations with those countries. For instance, the report claims the Canadian government saw an uptick in cyber activity after the 2018 arrest of Huawei executive Meng Wanzhou, which set off a diplomatic row with Beijing that is still ongoing.
The report by Clairvoyance Cyber Corp, a company run by former senior intelligence official David McMahon, paints a bleak picture of a rapidly escalating cyber arms race that Canada and Canadians are not yet prepared for.
“The threat is sophisticated, multi-faceted and dangerous. Canada is subject to continuous cyber exploitation and attack, purposeful interference in our national critical infrastructure and foreign influence in the democratic process,” reads the report, which was obtained by Concordia’s Institute for Investigative Journalism and shared with the Star.
“Through the theft of intellectual property, misinformation and deception, Russia seeks to re-establish itself as a major world player in a multi-polar world while China seeks to gain increasing economic and political advantage.”
The threats cyberwarfare poses to Canadian national security are more varied than hackers shutting down a network or stealing sensitive information — they include things like information warfare and propaganda, efforts to shape domestic political discourse to advantage foreign interests and efforts to destabilize Canadian society.
It’s those kind of “hybrid” techniques that Canada is behind in being able to counter, McMahon told the Star in an interview Wednesday.
“The government is not well positioned under current (laws) to support industry and individuals in cyber (attacks) … The government is well positioned to protect the government,” said McMahon, who worked with the Canadian military and intelligence agencies before moving to the private sector.
“We’re getting very good at putting protection in place for basic network hygiene, security … (But) the threat has moved up the scale and is essentially targeting the ‘wetware,’ people’s minds, knowledge, their perceptions.
“That’s why we have the anti-vaxx movement, we have conspiracy theories, we have all of these sorts of things and behind some of that, too, are nation states that are just stirring the pot.”
The CSE, Canada’s electronic espionage and cyber defence agency, reported in 2020 that hostile governments are “very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure” like electricity grids. However, the agency said it was very unlikely that those actors would intentionally use those capabilities outside of “international hostilities.”
That doesn’t mean cyber measures are without cost, however. The Clairvoyance report estimated that the Canadian economy loses as much as $100 billion annually to cyber crime and hacking, whether by criminal hackers or hostile governments like that of North Korea.
Canadian police services reported 33,000 cyber security incidents in 2017, according to Statistics Canada. It’s likely that number significantly undersells the true scope of the problem — the statistics agency reported that in that same year, just 10 per cent of businesses that were hit by a cyber attack reported it to police.
Canada’s larger companies and critical sectors — such as financial institutions, telecoms and, increasingly, the energy sector — are generally very well defended said Stephanie Carvin, a professor at Carleton University and a former CSIS analyst. Carvin said that Canadian intelligence officials are more concerned with small and medium-sized businesses.
Carvin also said the lack of a federal cyber foreign policy means Canada’s effort to engage on these issues internationally is “a hot mess.”
In a statement, the CSE said cyber attacks are a “continuous threat to Canada and Canadians, both at home and abroad.”
“Cyber security is one of the most serious economic and national security challenges countries face. Canadians must trust that they can safely work and live online,” wrote Evan Koronewski, a spokesperson for the agency.
“Canada has the appropriate authorities to conduct cyber operations and has been exercising those authorities in support of defence, security, and international affairs objectives, while at the same time deterring malicious foreign cyber actors from targeting Canada, and promoting and protecting Canadian values.”
The Chinese and Russian embassies did not return requests for comment Thursday.