Know your enemy. It’s an old cliché, but with the array of teenage basement hackers, organized criminals, non-state terrorists and nation states all conducting operations across a domain prized for its anonymity, it’s no small task.

For the Royal Canadian Mounted Police, however, understanding the scope of the cyber crime landscape in Canada is the first step in an effort to define its roles and responsibilities in cyberspace; cyber crime can cut across multiple branches of the Force and, as the 2007 denial of service attacks on Estonian infrastructure demonstrated, criminal networks of infected computers can be used to steal credit card numbers as well as threaten the national security of a country.

Last fall, the government announced a national cyber strategy and, with it, provided the RCMP with the funding to develop its response to cyber threats to critical infrastructure and national security.

Though the money and the directive are new, the domain is not. The RCMP’s Critical Infrastructure Criminal Intelligence (CICI) section in the National Security Criminal Investigations program has been working with other branches of the Force and private industry for several years to lay the foundation for a national law enforcement strategy, albeit with limited resources. Cyber, however, played a background role to a larger and longer-term effort to grow the office’s critical infrastructure protection (CIP) strategy.

“When I came in two and half years ago, I rearranged the section to address priorities under the CIP strategy based on where we were seeing the greatest criminal threat. We couldn’t ignore cyber even though there wasn’t a cyber strategy,” said Wendy Nicol, the officer-in-charge of the CICI section. “In the critical infrastructure strategy, it was clear that cyber was going to be a fundamental component of that – I don’t think it’s a coincidence that the cyber strategy has followed right after the CIP strategy.”

At the heart of this effort is the new Cyber Crime Fusion Centre, which will gather and share criminal intelligence on cyber threats to Canada. Its initial task is to develop a series of reports to “describe the cyber criminal landscape to better quantify how big the issue is,” said Dr. Tiago Alves de Jesus, a senior criminal intelligence research specialist with the RCMP. “Our principal deliverable in the next few years will be a solid business case for the government on the resources required to effectively fight cyber criminality. This is a new criminal landscape and we don’t have resources to reallocate. It’s not simply that criminals are doing something different. We’re now seeing criminals from around the world using sophisticated and powerful techniques to threaten our economic and national security.”

“We’re very much in the preliminary stages with the fusion centre, but I think it has tremendous potential,” Nicol added.

Mutual education
The government’s national cyber strategy rests on three pillars – securing government systems, partnering to secure vital private sector systems, and public education. Due to its relationship building on CIP, the RCMP is well ahead of the curve on the second pillar.

“A lot of what we do is education for the private sector: what is up and coming, what we are seeing that is manifesting itself in new or different ways,” explained Nicol. “We have a private sector that is very aware of the possibilities but perhaps not quite as aware of how those might manifest. Most of our team looks at physical threats and Tiago has been looking at cyber threats. So the strategy is an opportunity for us to do that properly with a few more resources.”

“There are two major threats to national security in cyber space: one is threats to critical infrastructure systems, and the other is espionage,” Dr. Alves added. “I’ve been giving talks for the past two years about the different cyber threats. If companies are targeted for precise political or economic espionage, that’s a national security matter. So we’ve been actively partnering to share information within this framework. We’ve also partnered with private control systems security companies and DRDC’s Centre for Security Science to sponsor a research project which brings together critical infrastructure stakeholders and security vendors to improve our ability to protect, intercept and interdict threats against vital control systems.”

Not long ago, government agencies faced tremendous reluctance by the private sector when it came to information sharing – often it seemed like a one-way street. The CICI has managed to turn that around in the past few years, working with other federal departments to get private sector security clearances and set up a data system that facilitates two-way information sharing.

“The commitment we have made is that they don’t just give us information; we’re actually sharing it,” Nicol said. “We’re taking what they provide, looking at that with our intelligence data, and then providing them with information on threats they may be facing to develop their own risk assessments. We both face risk and we have to recognize that. They are sharing some proprietary information with us and our commitment to them is that they are not going to see themselves somewhere. Every six months we put out a report on the types of threats trends we are seeing. One of the best compliments came from one of our corporate stakeholders who wrote to say, ‘I was halfway through before I realized we were the company involved.’ That’s our goal, to figure out how to get that information out without compromising anything – an investigation or proprietary data.”

The payoff from that collaboration is evident. Nine months ago, CICI published a paper on a person conducting radicalization over the Internet in English. “As a direct result, a very large infrastructure partner, that like many companies monitors its employee Internet traffic, found that two employees had been on these radicalization websites for what was considered to be an inordinate amount of time,” Nicol explained. “They notified the RCMP and CSIS. There was an investigation. It ultimately turned out to be theft of time. But we try to raise the level of awareness of what could be.”

That education effort has also extended to RCMP investigators, who are encountering more cyber-related activity within other areas of investigation. “Within our senior management there has been an awareness for many years of the cyber threat but I don’t think it has been as obvious as it is becoming now,” Nicol said.

With a significant amount of Canada’s critical infrastructure crossing the border, partnerships with United States agencies also play a key role in the RCMP’s planning. Nicol is part of a critical infrastructure intelligence sharing working group chaired by Public Safety and involving the Integrated Threat Assessment Centre and CSIS. She admitted information sharing across departments and across borders still faces some challenges because of legal restrictions, but she emphasized that collaboration has increased greatly in recent years. The RCMP is currently working with a private sector CI association to develop a cross border exercise to test responses to a cyber threat. “There’s no question that in all of these areas – in threat, in risk – we have to be looking at what others are doing and tapping into them as much as possible.”

Like most law enforcement and intelligence agencies, the RCMP is still trying to understand the implications of the Stuxnet virus. In a roundabout way, it might prove to be helpful, Nicol acknowledged. “For people who perhaps didn’t take this seriously, I think there is now stronger recognition of the threat. We deal mostly with corporate security people who usually report to a board of directors; sometimes that board is not as strongly convinced of threats as we would be. Stuxnet has opened some eyes as to the potential.”

Alves is willing to go a step further: “The implication is that Pandora’s box has been opened. We used to worry about someone hacking a secured control system. But hacking leaves a trail; now that trail is much harder to find.” But he agreed that it had raised awareness. “Since Stuxnet hit, I haven’t heard one person say ‘that’s not possible’ or ‘my system is secure’.”

New tools
If the nature of criminal activity has changed with cyberspace, so too have the legal requirements. In a world of VOIP and Skype, conducting a wiretap when there are no wires to tap becomes impossible without changing legal definitions and frameworks. “When we asked for a wire tap back in the day, it was not automatic – the Bells of the world did not have the infrastructure to allow us to listen,” Alves noted. “We had to propose legislation so we could get the authority to do that.”

Currently, two acts – the Investigative Powers for the 21st Century Act and the Investigating and Preventing Criminal Electronic Communications Act – sit before Parliament that will help the RCMP and other federal government agencies with the mandate to identify all Canadian network nodes through which data is transmitted. At present, the Force has no means to control how data is routed domestically, which means that a communication could leave Canada before returning to its end destination, making it impossible to track. The proposed legislation would force telecom providers to put in place infrastructure to control the routing if requested.

Alves admitted just how that would be done is still unclear, but it would “force ISPs to develop the technologies so that we can follow the data. The protocols that were developed for the Web were really for resilience, not for trackability.”

The proposed changes, which are in line with recent proposals in the U.S., U.K. and Australia, would increase the police’s ability to trace some communications on VOIP systems, email and botnets.

“We have to overcome these technologies and every country is struggling to do this,” Nicol said. “In my time in national security there have been two big changes: the ability to listen to cell phones and to intercept email. There was a lot of debate; we didn’t know what part of the criminal code we would approach email with. As the technology has evolved, we’ve evolved with it. But there is legislation that has to catch up and give us the tools we need to do this properly.”

Domain awareness
At a recent conference on privacy and security, Chief Superintendent Larry Tremblay, director general of RCMP National Security Criminal Operations, acknowledged that the Force is among many agencies “just starting to get our heads around this.”

The national cyber strategy might be a whole-of-government approach steered by Public Safety Canada, but each agency – from police to intelligence to the military – is coming to terms with its own role and responsibilities in this new domain.

“The report that the fusion centre will be putting together will help us to determine our priorities – that’s really not clear at this point. There are a lot of players in this and we need to know our legitimate community and bring all those people together as partners. We have to develop a firm understanding before we decide how we’re going to move forward,” Nicol said. “Our investigators are encountering this every day. I don’t just say that from the point of view of the RCMP, but from the point of view of everyone who is working in this area. Because the criminals are faster than us and they are working without our restrictions.”