The Canadian government, businesses, and individuals have developed an inextricable dependence on the Internet that has bestowed significant benefits to our day-to-day activities but also has left us vulnerable to cyber threats that endanger our national security, economic prosperity and way of life.
Tucked away in chapter 5 of Budget 2016, the section on enhancing public safety details spending of $139 million with only $27 million of that earmarked for enhancing the security of government networks and cyber systems, over the next three years beginning in 2016. It proposes $77.4 million over five years to implement new measures that will ensure that the government can “better defend its networks and systems from cyber threats, malicious software, and unauthorized access.”
Although cyber attacks have been rising, the stature of cyber security appears to have been downgraded-well below that of the arts.
Compared to Budget 2015, which called for investments of $36.4 million to support vital cyber systems, $58 million to further advance protection of essential systems and critical infrastructure and another $142 million in July 2015 in response to a rash of high-profile cyber attacks, Budget 2016 spares very little for cyber security.
Funding is one factor, and strategy is another – even in 2015, cyber security practitioners and leaders in policing and IT were concerned that cyber security funding and the federal strategy were too high-level and too focused on national threats, ignoring the massive growth in corporate and retail breaches and email scams.
In 2010, the Government released Canada’s Cyber Security Strategy and identified cyber security as the core priority in protecting the Canada and addressed several key initiatives that included securing government systems, partnering to secure vital cyber systems outside the federal government, and helping Canadians to be secure online.
Since then, Public Safety Canada has spent over $245 million in meeting these key initiatives and defending government computer networks, safeguarding critical infrastructure and educating the public. However, given the slow pace of government acquisition, many of these countermeasures take months upon months to implement, often rendering the new technology and threat definitions out of date by the time they are rolled out.
Considering how much we have spent – and now what we won’t be spending – on net new countermeasures instead of on developing and maintaining a robust infrastructure and agile, up-dateable safeguards, it’s concerning that we are still struggling to keep up with cyber threats. Meanwhile, cybersecurity costs continue to rise.
Incapsula, a cyber security firm, released figures in 2015 showing that the approximate real-world cost of a cyber attack is $40,000 per hour for most organizations and can cost upwards of $15 million when all recovery measures and damages per attack are factored in.
Currently, malicious insiders, Web-based attacks, and Distributed Denial of Service (DDoS) attacks account for the costliest of cyber crimes.
With the proliferation of botnet technologies launching a DDoS attack has become cheaper. Incapsula, estimates that the price of launching a DDoS attack has dropped to just $38 per hour and the growth and ease of access to the “darknet” (where tools and methods can be shared in forums or bought in online marketplaces) have brought hacking to a whole new level where new hackers brought into the fold daily.
With cyber crime affecting all industries and all markets, recent trends show that cyber attacks have been increasing in their sophistication and frequency.
For malicious actors who are too busy planning larger attacks or who are in need a quick cash infusion, there is a thriving hacker-for-hire industry that purveys attacks, code, methods, as well as spoils from exploits, such as credit card information and verified bank accounts.
Cybercrime tools are coming in fast and furious. A recent bonus to hackers was the hacking of the Italian surveillance company, Hacking Team which set free a number of “zero-day” exploits and unknown security flaws in common software. It is still unclear whether patches have been issued by software vendors to address all of these no known vulnerabilities.
What do these game-changing factors amount to?
It’s little more than a guesstimate, but the global cost of the over 90 million cyber attacks per year is $575 billion or more and that figure is poised to surge yet again.
At the RSA Conference in 2013, Ed Skoudis and Johannes Ullrich of the SANS Institute identified the five main concerns in cyber security, which are also barriers to closing the threat gap:
- The rise of offensive forensics
- The kinetic impact of attacks
- Large-scale DDoS attacks
- Continued password breaches and leaks
What is most interesting is that of these five, only one – DDoS – is technology dependent. The other four are based on tactical capability and degree of harm.
What does this mean? It means malicious actors are looking beyond the technology and have intellectualized their tradecraft to exact creative, asymmetric, and effectively convert persistent attacks.
Once more, the government is placed in a position of having to select a representative fraction of the problem rather than taking a hard cut across the middle and addressing the most common and critical threats.
More importantly, the government also needs to revisit our national cyber strategy and government security policies and directives.
In fact, prior to Budget 2016, the new government had already committed to a review of cyber security but only on critical infrastructure and for only seven departments.
One has to ask: Are we doing it again – creating siloed, local approaches to deal with a serious, growing global problem?
It’s not for the faint of heart. Government security, that being the protection, assurance, credibility and of assets, information and services within government and to the public and partners, requires an aggressive strategy that raises the bar for accountability, mandatory compliance and recognizes the horizontal interconnectivity of systems and networks with stakeholders.
If Budget 2016 carves out critical infrastructure from inextricably connected systems, selects only a handful of the over 40 federal departments, slices these strata into budget-friendly components and focuses on the immediate threat landscape instead of the one we must evolve to years from now, the efforts to develop effective cyber security countermeasures will be futile. Again.
Valarie Findlay has over a decade of senior expertise in Canadian federal government and is president of HumanLed Inc., (www.HumanLed.com). She is currently developing the Threat Information Gathering and Incident Reporting System (TIGRIS) and its algorithm, with Alphinat and their Smart-Guide solution. She has also produced research papers and preliminary studies on cyber terrorism, security capabilities, and vendor markets in Canada, and recently, her dissertation, The Impact of Terrorism on the Transformation of Law Enforcement. She has a master’s in Terrorism Studies and is currently working on her doctoral thesis, the sociology of terrorism and the Elias process of civilisation. She can be contacted at firstname.lastname@example.org