Cybersecurity threats and the concept of cyber warfare are certainly nothing new. The past few years have seen repeated attacks targeting western nations initiated by countries like Russia and China. Hacks like the supply-chain-halting incidents that victimized the American entities Colonial Pipeline and JBS Foods displayed the sobering potential of the latest theater of warfare and should have sent a clear message to the U.S. and the rest of the world that shoring up cyber defenses should be a top national security priority.
Unfortunately, despite the disastrous potential hanging over western nations, American cybersecurity, along with Canada’s and most of the western world’s, is thought to be severely lacking in manpower.
In the United States, a shocking June report from the Washington Post claimed that a panel of so-called experts believes that the U.S. is either just as vulnerable to cyberattacks as it was five years ago or even more vulnerable today. The reports of a shortage of capable cybersecurity professionals in America are particularly concerning, as America’s Department of Homeland Security (DHS), which oversees the Cybersecurity and Infrastructure Security Agency (CISA) and is led by Director Alejandro Mayorkas, has itself been nothing short of an embarrassment, particularly in its handling of the crisis at the US-Mexico border since Biden was inaugurated.
Although many people would assume that the dysfunction and futility plaguing DHS would affect the Cybersecurity and Infrastructure Security Agency (CISA), the agency, which has had its work cut out for it over the past year and a half, may have actually helped to keep the U.S. a bit safer so far this year as opposed to 2021.
Changes at CISA that include the installation of Jen Easterly as Director may be contributing to what can possibly be called better results, as there hasn’t been a major infrastructure or supply chain hack at the level of the JBS Foods or Colonial Pipeline incidents yet this year. That’s not to say that there haven’t been major attacks that the public may not be aware of, but new regulations in both Canada and the U.S. are working toward installing mandatory reporting requirements for private sector entities that are victimized by hacking incidents.
In Canada, a recently proposed bill would force organizations in federally regulated industries to report cyber events to the Canadian government’s Cyber Centre. The bill gives government regulators the authority to conduct audits on private sector entities to ensure that they are complying. Should audited entities fail an audit, they would face administrative monetary penalties of up to $1 million for individuals and $15 million for organizations.
The possibility also exists that those found to not be in compliance may also face summary convictions or convictions on indictment. Additionally, the entities in these selected industries would also be forced into the establishment of new internal cyber security programs intended to detect serious incidents and protect critically important cyber systems.
This bill follows the major news of a Huawei ban on Canadian 5G networks and is seen as key, especially as private sector organizations like the cybersecurity certification group (ISC)² claim that the global cyber workforce needed to grow by 65% in 2022 to provide effective security for critical assets.
In addition to that ban, Canada’s Communications Security Establishment announced earlier this month that it will expand its Security Review Program for telecommunications equipment and services in an effort to have the program apply more broadly to Canada’s telecommunications networks and to “consider risks from all key suppliers.”
Despite the lack of a major headline-grabbing attack so far this year in either the U.S. or Canada, the existing threats from state-sponsored Advanced Persistent Threat groups (APTs) and other unaffiliated cyber gangs are real. The Killnet hacking group recently announced that it has cut off as much as 70% of Lithuanian internet infrastructure from the rest of the web in retaliation for the blockade of trade between Kaliningrad and Russia. Besides these “big-game” attacks, the majority of cyberattacks globally are still focused on individuals, as ransomware groups like the infamous STOP/DJVU family have produced hundreds of variant strains and have raked in millions of dollars in ransoms from individual victims over the past several years.
Ultimately, both Canada and the U.S. must prioritize the cyber threat, especially as cyber power Russia, which has limited options for conventional attacks against western nations, continues to isolate itself from the rest of the world as a result of Vladimir Putin’s increasingly unpopular war.
Julio Rivera is a business and political strategist, the Editorial Director for Reactionary Times, and a political commentator and columnist. His writing, which is focused on cybersecurity and politics, has been published by numerous websites and he is regularly seen on National and International news programming.
For information on how to implement internal cyber security, please see:
Thank you, Doug Bohrer!
Elegant, inexpensive simplicity is usually passed over in favour of ugly and expensive complexity. The “simple” solutions are also usually less time-consuming, easier to implement, lower maintenance, and very reliable/run forever. We buy into the idea that high price equals high quality. Assumptions must be reevaluated frequently. Thanks for sharing your wisdom and experience.
Cyber Security should be like a jawbreaker, not an M&M. Jawbreakers have lots of layers of hard candy. M&Ms have a hard candy shell and a soft chocolate center. There should be lots of layers of security, not a single layer of access control to enter the system. Just because hackers break in, it doesn’t mean they have to get everything or anything once they’re in.
Your employees’ access to data should be based on least privilege. They should have access to what they need to do their jobs, no more and no less. There’s a tradeoff here that takes effort to design well. Too tight, and employees can’t get to the data they need to do their job. Too loose, and anybody can get to the good stuff, whether they need it or not.
When the bad guys get in, they have to move around to get the good stuff. To stop them, you have to see them. This means monitoring suspicious activity, like the password decryption by IDs not on the jobs I mentioned above.
Another example is using official channels, versus using unofficial access. Force everybody to use official channels to access secure data, and log all access. Then have a separate, low level system log that watches the same access from wherever it comes. Periodically do an automated match of the two logs. If they don’t match, something is rotten.
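The two-log reconciliation described in the comment above, as an added example that is not part of the original post or the commenter's own code: an "official channel" application log is matched against an independent low-level system log over constructed sample lines, and any system-level access with no matching application record is flagged as off-channel. A second check applies the least-privilege point from the same thread by flagging accesses by IDs with no entitlement to the file at all. The log formats, file paths, user names and entitlement table are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample: the "official channel" application log, one line per
# access that went through the sanctioned path.
APP_LOG = """\
2024-05-01T09:00:01 user=alice file=/secure/payroll.db action=read
2024-05-01T09:05:12 user=bob file=/secure/hr/contracts.xlsx action=read
2024-05-01T09:07:45 user=alice file=/secure/payroll.db action=read
"""

# Constructed sample: the independent low-level system log (what an OS audit
# daemon would see), which records every open of the same files regardless
# of which channel caused it.
SYS_LOG = """\
2024-05-01T09:00:01 uid=alice path=/secure/payroll.db op=open
2024-05-01T09:05:12 uid=bob path=/secure/hr/contracts.xlsx op=open
2024-05-01T09:07:45 uid=alice path=/secure/payroll.db op=open
2024-05-01T09:30:00 uid=svc_backup path=/secure/payroll.db op=open
2024-05-01T09:31:10 uid=bob path=/secure/payroll.db op=open
"""

# Constructed entitlement table (least privilege): who may touch which file.
ENTITLED = {
    "/secure/payroll.db": {"alice", "svc_backup"},
    "/secure/hr/contracts.xlsx": {"bob"},
}

APP_RE = re.compile(r"user=(\S+) file=(\S+)")
SYS_RE = re.compile(r"uid=(\S+) path=(\S+)")


def parse(log, pattern):
    """Return a multiset of (user, file) pairs found in a log."""
    return Counter(m.groups() for line in log.splitlines() if (m := pattern.search(line)))


def off_channel_accesses(app_log, sys_log):
    """Accesses the system log saw that the official channel never recorded.
    Counts matter: two opens backed by one application record is one unexplained open."""
    unexplained = parse(sys_log, SYS_RE) - parse(app_log, APP_RE)
    return sorted(unexplained.elements())


def unentitled_accesses(sys_log, entitled=ENTITLED):
    """Accesses in the system log by IDs with no entitlement to that file at all."""
    return sorted({(u, f) for (u, f) in parse(sys_log, SYS_RE) if u not in entitled.get(f, set())})


if __name__ == "__main__":
    print("off-channel:", off_channel_accesses(APP_LOG, SYS_LOG))
    print("unentitled:", unentitled_accesses(SYS_LOG))
```

In the sample, svc_backup is entitled to the payroll file but bypassed the official channel, while bob's payroll access is both off-channel and outside his entitlement, so the two checks catch different problems.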