The head of Canada’s cyberspy agency says Canadian individuals, organizations and critical infrastructure all face an increased threat from cybercriminals looking for economic advantage or to punish people for supporting Ukraine.
In her first interview as head of the Communications Security Establishment (CSE), the federal agency responsible for signals intelligence and cyber-defence, Caroline Xavier told CBC’s The House that ransomware attacks have become increasingly popular among cybercriminals. And security services can’t fight back without the public’s help, she added.
“It can’t just be on the government. We all have to do our part,” Xavier told host Catherine Cullen during the interview, which airs Saturday.
Even simple steps like keeping software updated and being aware of commonplace scams can help reduce risk across the board, she said. The CSE has compiled a series of guides for individuals and organizations across the country to enhance their online defences.
“We talk about phishing and emails that could be coming into your organization and paying close attention to who sent it to you,” Xavier said. “We tell you that for a reason, because all it takes is one click to be into a whole new game that you weren’t expecting.”
The CSE has warned Canadians about online risks before, but the threat has become even more apparent in recent years due to a series of high-profile attacks.
The agency said earlier this year that at one point, a cyber actor “had the potential to cause physical damage” to a piece of critical infrastructure in Canada. Hydro-Québec was the victim of a cyberattack on its website in April. Attacks on disparate targets such as Newfoundland and Labrador’s health system and the bookseller Indigo have shut down important systems or exposed Canadians’ personal information.
Hackers temporarily shut down a series of Canadian government websites earlier this year, coinciding with the visit of Ukrainian Prime Minister Denys Shmyhal.
“It’s not uncommon for Russian hackers to target countries as they are showing their steadfast support for Ukraine … so the timing isn’t surprising,” Prime Minister Justin Trudeau said during a joint news conference with Shmyhal in April.
Xavier cited the Colonial Pipeline attack in the United States last year as an example of a dangerous assault on critical infrastructure. The CSE issued a report this week outlining the threat to Canada’s oil and gas industry posed by bad actors online.
“Just imagine that if you get to a gas distribution and the pressure mounts, it could potentially explode and that could be really harmful to a local neighborhood, for example, or people that are surrounding it,” Xavier said.
The likelihood of such an attack by a state-sponsored actor in the absence of outright hostilities is very low, said the CSE report.
Still, the pace of attacks by foreign actors has increased since Russia’s invasion of Ukraine last year, she added.
“We’re definitely seeing a rise in cyber crime or people that are potentially passionate toward the cause of the Russians rather than Ukrainians, who are perhaps wanting to leverage these opportunities to do harm to those that are mostly supporting Ukraine,” she said.
Steve Waterhouse, a cybersecurity expert and information security lecturer at Université de Sherbrooke, told CBC in April that the Hydro-Quebec attack did not seem to be about gaining access or acquiring information — “at least not at this time.”
“It’s really just to protest against Canada’s involvement with Ukraine,” he said.
3 authorizations for cyber operations
In 2019, Canada armed the CSE with the legal ability to strike back against cyberattackers, although such actions require authorization from the minister of defence.
The CSE has disclosed that in 2021, it received three authorizations for cyber operations. (It may disclose further operations in its 2022 annual report.)
“We have used our foreign cyber operations in terms of disrupting what we would see as cybercriminals potentially wanting to target some of our Government of Canada systems,” Xavier told Cullen.
Xavier did not provide additional details about the nature of the operations. According to its annual report, CSE’s actions disrupted the efforts of foreign-based extremists to “recruit Canadian nationals … operate online” and “disseminate violent extremist material.”
“The when and where we do it is not something we’re able to discuss,” Xavier said.
She also declined to say which groups or organizations — or countries — have been targeted by those actions, and downplayed the importance of the specific target.
“My focus tends to be [on] wanting to ensure that I’m following through on the actual action, versus being consumed on exactly who the actor is at that moment in time,” she said.
Canada’s intelligence agencies have repeatedly identified China, Russia, Iran and North Korea as the primary foreign threats in the cybersecurity sphere.