The newly released “National Cyber Threat Assessment” is the third in a series of biannual reports produced by the component of the Communications Security Establishment known as the Canadian Centre for Cyber Security (CCCS).
CCCS was launched in 2018 as a more public facing activity by the Communications Security Establishment, to allow for the sharing of information about cyber threats with the Canadian public, business enterprises and critical infrastructure stakeholders. This role was seen as important in the midst of misinformation, disinformation, confusion and obfuscation about the world of cyber aggression and in the face of degrees of national complacency. The CCCS proclaimed a desire to build partnerships with the private sector and work alongside other levels of government in Canada to advance cyber security goals. It was, and is, a tall agenda given the rapid acceleration of cyber threats, the multitude of malicious actors involved, the widening of what is called the “attack surface” for cyber aggression—basically the cumulative vulnerabilities of our digital infrastructure--and the increasing sophistication and availability of cyber attack tools.
The very first cyber threat assessment was produced in 2018 to mark the beginning of the CCCS effort. https://cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2018 It outlined the range of cyber threats that Canada and Canadians faced, ranging from cyber crime, espionage targeting both the private sector and the state, and foreign interference. It noted the vulnerability of the digital infrastructure supply chain and the fact that malicious cyber actors were adopting ever more sophisticated and advanced methods. In a nutshell, the worrying message was that cyber offense held the upper-hand over cyber defence. Among the range of threats, the one that the Cyber Centre identified as the most serious, because of its widespread societal and economic impact, was cyber crime. The only modicum of good news in the 2018 threat report was a note of cautious optimism that foreign actors were unlikely to target Canadian critical infrastructure, short of war. It suggested to Canadians that better cyber defence really depended on good cyber hygiene, a combination of applying technological tools and more attentive human behaviour online.
The 2018 threat assessment was a neatly presented document, replete with graphics and with short summaries of some of the more serious, known cyber attacks that targeted Canadians. Looking back, there is a shiver of recognition in the discussion of the NotPetya worm that was targeted by the Russian military intelligence agency, the GRU, against Ukrainian systems in 2017, but had wide-spread spillover effects, not least on the global shipping sector.
Two years later, the 2020 “National Cyber Threat Assessment,” stressed many of the same themes as its predecessor, but against a backdrop of a galloping threat. https://cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020 Once again it designated cyber crime as the principal threat facing Canadians, with an increasing concern about the proliferation and impact of ransomware attacks. But the report also gave more attention to state-sponsored cyber threats, which the CCCS identified as likely to be the most sophisticated type of strategic threat facing Canada. The principal state threat actors were named—China, Russia, Iran and North Korea. The utility of attempting to distinguish the public threat to Canadians from cyber crime and the strategic threat from state actors was not elaborated on or discussed in any detail, but reflected the dual mission of CSE, to defend state capabilities and protect national security—a long-standing and core mission--alongside the newer prominence given by the CSE to public threats and non-state actor cyber aggression. Whether this duality can be successfully maintained over the long term by CSE is an open question.
We now have the third iteration of the cyber threat assessment, released by the Canada Center for Cyber Security on October 27, 2022. https://cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2023-2024 As the new head of the CCCS, Sami Khoury, noted, much of the 2022 assessment repeated themes from the past. But the continuing acceleration of threats was a key message (more galloping), with particular attention to the exploitation of capacities for influence and democratic interference operations and of disruptive technologies that could present new opportunities, including through targeting digital assets such as cryptocurrencies and exploiting and deceiving machine learning efforts. These are some scary thoughts. Another scarifier--the potentially huge impact of quantum computing that lurks just over the horizon. The latest report also leans further into the threat posed by ransomware attacks—described as the “most disruptive form of cybercrime facing Canadians.”
Readers may have to reach for an (online) dictionary when confronted by the concept of “malinformation, ” or MDM. Malinformation is described is a key form of digitally enabled interference and influence operations that can bend democratic societies out of shape.
CSE distinguishes the spectrum of disinformation, misinformation and malinformation as follows:
Misinformation is false information not driven by an intent to do harm
Disinformation is the deliberate and knowing use of false information to manipulate and deceive
The concept of malinformation, however, is more slippery. CSE defines it as “information that stems from the truth but is often exaggerated in a way that misleads and causes potential harm.” MDM leverages algorithms and botnets to spread and amplify messages. It can be used to tap into social media to covertly promote influence activities. The space between all three forms of “bad” information can be narrow, which makes the challenge of dealing with them collectively all the more difficult in any democratic society devoted to the protection of free speech. Worse still all three branches of untruthful information may increasingly be infected by deep fake technologies. Women are especially at risk of being victims of deep fakes in synthetic pornography.
CSE notes that “throughout the Russian invasion of Ukraine, we have observed synthetic content being distributed alongside a concerted disinformation campaign by Russia.” One of the most notorious examples was a deepfake video that circulated on social media platforms in March 2022 presenting Ukrainian President Zelensky asking Ukrainian soldiers to surrender to Russia. This may not have been a very sophisticated propaganda attempt, but more clever efforts are no doubt to come. If you think this stuff just happens somewhere “over there” think again. CSE notes that in April 2022 Russia attempted to spread MDM about Canadian armed forces members committing war crimes in Ukraine and using fake images to back up false narratives about Canada’s involvement in the contact.
Canadians on social media inevitably trip over ubiquitous Russian malinformation. One study by a team of researchers at the Toronto Metropolitan University (formerly Ryerson) has found some worrying trends that suggest that Russian propaganda has made inroads in convincing Canadians that NATO expansionism is a cause behind Russia’s invasion of Ukraine and that right-wing Canadians and groups are more likely to buy into Russian messaging and to be reliant on more closed social media networks. https://theconversation.com/russian-propaganda-is-making-inroads-with-right-wing-canadians-186952
What is left largely unsaid in this and earlier versions of the cyber threat assessment are the tools that CSE and the Canadian government might have, or might need to develop, to defend the country and its national interest against all manner of cyber threats.
How should Canada fight back against cyber crime, state sponsored activities, whether in espionage or influence operations, and drain at least some of the swamp of misinformation, disinformation and now malinformation, given all the tech tricks that enable the corruption of truth?
The Cyber threat assessment 2022-2023 offers a bit of an apple-pie outlook, as did its
predecessors. The CCCS head argues that cyber risks can be mitigated and the “vast majority of cyber incidents can be prevented by basis cyber security measures.”
Practising good cyber hygiene may protect government, businesses and citizens from losing all their teeth. But somehow this wholesome doctrine seems at odds with the times, with the reality of geopolitical threat, organized crime, and the nature of the tech threat.
Increasingly we will need a pre-emptive capacity to target nefarious cyber actors at their source, to go after cyber crime in the courts, to assert some control over the application of bent technology, and to launch a civics campaign that stresses understanding of democratic principles and prosocial responsibilities. Little of this lies at the feet of CSE; a lot more of it lies at the feet of government, with societal partners. But CSE could help with a little less wholesomeness and a little more worry in its biannual threat assessments.
CSE should be encouraged to keep these threat assessments coming, especially to continue to identify and document the most important cases to hit Canadian interests, as a way of hooking readers into the new normal of national security threats. We just need more information about proposals to play defence, given former CSE chief Shelly Bruce’s public comments that, “the best form of defence is…defence.” It’s a good line. Now we need to see the tools and the action.