Canada’s cybersecurity threat landscape

This discussion of Canada’s cybersecurity threat landscape is taken from a uOttawa PhD thesis (2020, pp. 1-16) completed at the School of Electrical Engineering and Computer Science (EECS), Faculty of Engineering, on the topic of ethical hacking sociotechnology titled Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society (thesis advisory committee: uOttawa professors Rocci Luppicini, Liam Peyton, and Andre Vellino).

  • Cyber attacks on the rise
  • Canada’s cybersecurity threatscape
  • Increasing cyber threat exposure
  • Cybercrime at the business level
  • Cybercrime at the individual level
  • Surveillance: Invading privacy


Cyber attacks on the rise

Cyber attacks on information assets in the private and public sectors are a growing and evolving threat, warns Public Safety Canada (2013A, 2013B, 2013C). The evolution of cyber-attack tools and techniques has accelerated dangerously in the recent past. The frequency of hacking attacks increases year after year. And every year “those seeking to infiltrate, exploit or attack our cyber systems are more sophisticated and better resourced than the year before” (PSC, 2013A).

Cyber attacks include the unintentional or unauthorized access, use, manipulation, interruption or destruction (via electronic means) of electronic information and/or the electronic and physical infrastructure used to process, communicate and/or store that information. The severity of the cyber attack determines the appropriate level of response and/or mitigation measures: i.e., cyber security.

(PSC, 2013A)

The increasing reliance on cyber technologies makes Canadians “more vulnerable to those who attack our digital infrastructure to undermine our national security, economic prosperity, and way of life” (PSC, 2013A). Cyber warfare involves “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption” (Clarke, Richard A., 2010). Cyber warfare acts against government or business interests can take the form of espionage or propaganda, or they can involve sabotage (e.g., Stuxnet), malware attacks on financial institutions (e.g., WannaCry and Petya), DDoS attacks, or attacks on power grids and critical infrastructure such as national defence facilities and hospitals.

Cybercrime can manifest in various ways, including cyber warfare, cyber terrorism (e.g., Eid, 2010; Minei & Matusitz, 2011), cyber espionage (e.g., Deibert, Rohozinski, Manchanda, Villeneuve, & Walton, 2009), cyber theft and fraud, including identity theft, information theft, and intellectual property theft (e.g., Roberts, Indermaur, & Spiranovic, 2013), and cyberbullying (e.g., Thompson & Cupples, 2008).

Cybercrime, also called computer crime, is the use of a computer as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy. Cybercrime, especially through the Internet, has grown in importance as the computer has become central to commerce, entertainment, and government.

(Britannica Online Encyclopedia, 2013)

Cybercrime costs worldwide are projected to grow from US$3 trillion in 2015 to US$6 trillion by 2021. Global spending on cybersecurity products and services for defending against cybercrime is expected to exceed US$1 trillion between 2017 and 2021 (Morgan, 2018). U.S. losses to ransomware have jumped from US$25 million in 2014 to over US$8 billion in 2018 with no signs of slowing down. Intellectual property theft in the US costs taxpayers around US$11 billion annually (CSIS & McAfee, 2018).

The cybersecurity risk continues to rise as businesses increase their dependence on IT, IoT devices, and mobile and wireless technology, making information security the most pressing IT concern for organizations today. Cybersecurity will be the main focus of this decade, says Germany’s defense minister. Cyber attacks are the greatest challenge threatening global stability, Ursula von der Leyen told CNBC (Paganini, 2018). Network and data breaches “are happening so often it’s now a question of ‘when,’ not ‘if,’ a business organization will face a security incident. At the same time, the United States is facing an acute shortage of cybersecurity experts” (Cyber Fasttrack, 2019).

Information security can be understood as a process of applying security controls to protect the confidentiality, integrity, and availability (CIA) of information assets within information systems (Dhillon, 2007; Engebretson, 2011; Reynolds, 2012; Stamp, 2011; Sterling, 1993). For this discussion, cybersecurity is information security concerned with protecting the CIA of privileged information within “Cyberspace” (see Figure 1: The 15 Layer Cyber Terrain Model).

The cybersecurity threat landscape can be understood within the context of an emerging surveillance society, spanning three broad risk areas: 1) Cybercrime or risk of information security/privacy/confidentiality attacks on individuals, businesses, and government, 2) political economic or business surveillance risk to the political autonomy/privacy of individuals, and 3) political risk or state surveillance risk to the political autonomy/privacy of individuals.

Canada’s cybersecurity threatscape

The Communications Security Establishment (CSE) keeps a close watch on the cybersecurity threat environment facing Canadian individuals, businesses, and broader society. The CSE (2018) identifies two key cybersecurity threat areas to society: “Increasing Cyber Threat Exposure” due to the expanding interconnectedness of ICTs and their digital integration with industrial control systems, making an attack on critical infrastructure more likely/risky, and “Public Institutions and Sensitive Information” (the targeting of sensitive information and essential services institutions–governments, higher education, hospitals, etc. by malicious hackers). The CSE (2018) identifies “Data Breaches,” including commercial espionage and social engineering, and “Exploiting Trusted Relationships” as two key cybersecurity threat areas to businesses. Finally, the CSE (2018) identifies “Cybercrime” and “Malicious Online Influence Activity” as two key cybersecurity threat areas to individuals.

Key findings of the CSE’s National Cyber Threat Assessment 2018 are 1) society is facing an “Increasing Cyber Threat Exposure.” “Canadians’ exposure to cyber threats increases with the growing number of Internet-connected devices” (CSE, 2018, p. 11); 2) cybercrime is the cyber threat that Canadians and Canadian businesses are most likely to encounter in 2019; and 3) cyber threat consequences at the broad social level can be “severe and wide-reaching” with the potential to compromise public safety and national security, for example, by targeting Canadian critical infrastructure. At the business level, cyber attacks can result in reputational damage, productivity loss, intellectual property theft, large-scale theft of personal information, operational disruptions (e.g., to the financial sector), and recovery expenses. And at the individual level, consequences of a cyber attack can span financial or privacy damage. Table 1: Cybersecurity Threats Facing Individuals, Businesses, and Society summarizes the cyber threat environment in terms of Cybercrime, Political interference, and Cyber surveillance (hereafter surveillance).

Discussion of the cybersecurity threat here focuses on 1) the increasing cyber threat exposure as a broad societal threat, 2) cybercrime as the cyber threat that Canadians and Canadian businesses are most likely to encounter in 2019, and 3) surveillance as a growing cyber threat to the privacy of individuals (to their information security and their political autonomy).

Table 1: Cybersecurity Threats Facing Individuals, Businesses, and Society (CSE, 2018)

Columns: Threat/Motivation, Social, Business, Individual

Threat/Motivation: Cybercrime

Social:

1) Increasing Cyber Threat Exposure: “Canadians’ exposure to cyber threats increases with the growing number of Internet-connected devices” (CSE, 2018, p. 11). “As the number and variety of devices used to support, monitor, and control critical infrastructure become more interconnected, the likelihood of cyber threat actors disrupting critical infrastructure has increased” (CSE, 2018, p. 23).

2) Public Institutions and Sensitive Information: Cyber threat activity “against public institutions—such as government departments, universities, and hospitals—is likely to persist because of the essential nature of the services and the sensitivity of the information they manage” (CSE, 2018, p. 26).

Business:

Data Breaches (CSE, 2018):

  • Data breaches
  • Commercial espionage/commercial data theft
  • Whaling/social engineering

“Canadian businesses, especially those active in strategic sectors of the economy, are subject to cyber espionage aimed at stealing intellectual property and other commercially sensitive information.” This cyber threat activity “can harm Canada’s competitive business advantage and undermine our strategic position in global markets” (CSE, 2018, p. 19).

“Foreign and domestic adversaries target higher education institutions that have military and government contracts” (McNamara, March 15, 2019).

The top higher education information security risks in Canada and the U.S. that are a priority for IT in 2016 (Grama & Vogel, 2017): (1) phishing and social engineering; (2) end-user awareness, training, and education; (3) limited resources for the information security program (i.e., too much work and not enough time or people); and (4) addressing regulatory requirements.

Individual:

Cybercrime: Information theft

Theft of personal and financial information is lucrative for cybercriminals and is very likely to increase (CSE, 2018).

Cybercriminals profit at the expense of Canadians by obtaining account login credentials, credit card details, and other personal information. They exploit this information to directly steal money, to resell information on cybercrime marketplaces, to commit fraud, or for extortion. (CSE, 2018, p. 11)

Threat/Motivation: Political interference

Social:

  • Cyber warfare
  • Cyberterrorism
  • State propaganda
  • Trolling
  • Mis-/dis-information (e.g., Russian interference in the U.S. general election in 2016)

Business:

DDoS/CIA attacks on critical infrastructure such as the power grid, defence facilities, and health services.

Cyber warfare can involve sabotage (e.g., Stuxnet); Malware attacks on financial institutions (e.g., WannaCry and Petya ransomware attributed to North Korea).

Individual:

Malicious Online Influence Activity

Cyber threat actors can amplify or suppress social media content using botnets, which automate online interactions and share content with unsuspecting users (CSE, 2018).

By spreading their preferred content among large numbers of paid and legitimate users, cyber threat actors can promote their specific point of view and potentially influence Canadians. (CSE, 2018, p. 15)

Threat/Motivation: Cyber surveillance (Surveillance)

Social:

Opportunities:

  • State surveillance (domestic surveillance)
  • State intelligence (foreign surveillance)

Threats: Espionage, Terrorism, Democracy (political autonomy)

Business:

Opportunities:

  • Domestic: Innovation vs Privacy
  • Foreign: International trade/business in BI

Threats:

  • Domestic: Innovation vs Privacy (duet of century)
  • Foreign: Espionage, Information theft/crime, Sabotage

Cyber campaigns launched by hackers from one country targeting firms of another country resulting in the theft of business information “such as bid prices, contracts and information related to mergers and acquisitions” (Onag, 2018).

Individual:

Opportunities: Countersurveillance (securing personal privacy and autonomy)

Threats:

  • Domestic: Spying
  • Foreign: International political economy, e.g., Facebook’s Cambridge-Analytica data scandal

Increasing cyber threat exposure

The increasing interconnectedness of society raises security risks to critical infrastructure and industrial control (IC) systems. Public institutions are likely to face an increasing risk of exposure to crime or state-sponsored or business espionage operations because of the essential nature of the services and the sensitivity of the information they manage. The exposure of Canadians to cyber threats “increases with the growing number of Internet-connected devices, such as televisions, home appliances, thermostats, and cars. Manufacturers have rushed to connect more types of devices to the Internet, often prioritizing ease of use over security” (CSE, 2018, p. 11). “As the number and variety of devices used to support, monitor, and control critical infrastructure become more interconnected, the likelihood of cyber threat actors disrupting critical infrastructure has increased” (p. 23). WannaCry is a good example of how malware can pose serious risk to critical infrastructure. The CSE and partner agencies attributed the WannaCry ransomware to North Korean cyber threat actors (CSE, 2018). In May 2017, WannaCry hit hard, infecting more than 200,000 vulnerable computers in at least 100 countries. Notably, the ransomware spread to 25 facilities in a national health organization that provides emergency services. The incident forced the cancellation of over 19,000 appointments, including surgeries (CSE, 2018, p. 17).

Cybersecurity risk for public institutions, such as government departments, universities, and hospitals, is likely to persist “because of the essential nature of the services and the sensitivity of the information they manage.” Public institutions are also “attractive to cyber threat actors because of their close connections with businesses and Canadians. Public institutions hold valuable intellectual property, sometimes belonging to partner organizations such as research centres or private firms” (CSE, 2018, p. 26).

Cybercrime at the business level

Cybercrime, especially data breaches, will be the top threat facing businesses of all sizes in 2019. Key sources of security threats for businesses are whaling, large databases, and commercial espionage. Cyber threat actors are increasingly using the whaling social engineering technique against businesses. This term refers to spear-phishing aimed specifically at senior executives or other high-profile recipients with privileged access to company resources. Whaling occurs when an executive with authority to issue large payments receives a message appearing to come from a relevant department or employee, urging them to direct funds to an account controlled by a cyber threat actor. This type of social engineering can lead to major financial losses and reputational damage. Like other social engineering techniques, whaling is designed to exploit predictable human behaviour (CSE, 2018, p. 17). Large databases containing personal information such as names, addresses, phone numbers, financial details, and employment information are valuable to cyber threat actors. In 2019 large databases “will almost certainly remain attractive targets for cyber threat actors seeking to sell information or support state-sponsored espionage.” Cyber threat actors target Canadian businesses for their data about customers, partners and suppliers, financial information and payment systems, and proprietary information. Stolen information is held for ransom, sold, or used to gain a competitive advantage. Canadian businesses, especially those active in strategic sectors of the economy, are subject to cyber espionage “aimed at stealing intellectual property and other commercially sensitive information.” Cyber threat actors “target commercial information so they can copy existing products, undercut competition, or gain an advantage in business negotiations” (CSE, 2018, p. 18). “We have observed some adversarial nation-states advance their defence and technology sectors by conducting cyber commercial espionage around the world, including in Canada” (p. 19).

Cybercrime at the individual level

Cybercriminals continue “to adapt and improve their cyber capabilities to steal, commit fraud, or extort money from Canadians” (CSE, 2018, p. 11). Over two-thirds of Canadian adults were subject to cybercrime in 2012 (PSC, 2013B). Identity theft is an increasingly common cyber threat targeting personal and private information, including intellectual property theft, whereby a malicious actor impersonates someone else to take advantage of their access privileges to vital information. Identity theft costs Canadians nearly $1.9 billion each year (PSC, 2013A). Stealing personal and financial information is lucrative for cybercriminals and is very likely to increase. Cybercriminals profit at the expense of Canadians by obtaining account login credentials, credit card details, and other personal information. They exploit this information to directly steal money, to resell information on cybercrime marketplaces, to commit fraud, or for extortion (CSE, 2018, p. 11).

Surveillance: Invading privacy

Cybercrime and cyber surveillance are both threats to the privacy of citizens (an infringement on their privacy rights). In cybercrime, a privacy attack is an information security “confidentiality” attack–that is, surveillance is a threat to the confidentiality of user data, such as PII, access credentials, sensitive documents, personal letters, etc. This is a technical definition of privacy. In state and business surveillance operations, a privacy attack is an attack on the liberty/autonomy of citizens–that is, surveillance is a threat to the social sensibility of one’s right to a reasonable expectation of privacy. Citizens have a “reasonable expectation of privacy” when they share information online. Canadian privacy law has long been reliant on the principle of “reasonable expectation of privacy.” Similarly, in the U.S. citizens have an “expectation of privacy.” More broadly and internationally, people have “a right to privacy.” This is a social definition of privacy. The United Nations General Assembly recognized the right to personal privacy as a universal human right in The Universal Declaration of Human Rights manifesto on December 10th, 1948. Article 12 says, “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

State surveillance

Nation states run external and internal (foreign and domestic) security intelligence operations to support national security and political stability. The two operational domains of state surveillance are foreign surveillance and domestic surveillance.

Foreign surveillance.

There are three key security and intelligence agencies in Canada: CSIS, CSE, and CFINTCOM–that is, the Canadian Security Intelligence Service (CSIS), Canada’s primary national intelligence service, operating under the Public Safety portfolio; and the Communications Security Establishment (CSE) and the Canadian Forces Intelligence Command (CFINTCOM), both operating under the National Defence portfolio. CSE provides foreign signals intelligence (SIGINT) to the Government of Canada in response to the priorities the government has identified. CSE’s mandate and authorities as defined in the National Defence Act require CSE to: 1) Acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities; 2) provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and 3) provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties (Foreign signals intelligence, CSE, 2019). SIGINT is “the interception and analysis of communications and other electronic signals.” Today, “the world of signals intelligence includes any form of electronic communications, such as telephone calls and text messages, computer and internet communications, and satellite signals” (Foreign signals intelligence, CSE, 2019). SIGINT is one of several primary intelligence disciplines (Rosenbach, Peritz, & LeBeau, 2009, pp. 12-13):

  • SIGINT, or Signals Intelligence, which involves the interception of COMINT (Communications Intelligence) and ELINT (Electronic Intelligence).
  • HUMINT, or Human Intelligence, which is gathered from human sources, typically through clandestine operations.
  • GEOINT, or Geospatial Intelligence, which is based on the visual representation of activities on Earth.
  • MASINT, or Measurement and Signatures Intelligence, obtained by analyzing data such as missile plume signatures and uranium particles in the air.
  • OSINT, or open source intelligence, which gathers intelligence from public sources (such as the Internet, public documents, media, etc.).

The US National Security Agency (NSA) is a national-level intelligence agency of the U.S. Department of Defense, operating under the authority of the Director of National Intelligence. NSA is responsible for “global monitoring, collection, and processing of information and data for foreign and domestic intelligence and counterintelligence purposes.” NSA consists of two branches: 1) Signals intelligence (SIGINT) and 2) cybersecurity (formerly information assurance). The NSA is responsible for providing foreign signals intelligence (SIGINT) to policy-makers and military forces. SIGINT plays a vital role in national security “by providing America’s leaders with critical information they need” to defend the U.S., “save lives, and advance U.S. goals and alliances globally” (NSA, n.d.). NSA’s cybersecurity branch works to prevent foreign nations from gaining access to sensitive or classified national security information–that is, to protect the U.S. communications networks and information systems (NSA, n.d.).

Domestic surveillance.

On one hand, governments/police and law enforcement agencies employ open source intelligence technologies to maintain national security and political stability, including to protect the public against crime or terrorism. Surveillance technologies that gather intelligence (useful or actionable knowledge) help policymakers/governments counter domestic and foreign threats, for example, via data mined from social media and keyword analysis to understand domestic and foreign public views on different subjects. Governments use algorithm and AI/ML (hereafter AI) based digital surveillance technologies to gather intelligence in attempts to intervene before crimes are committed, which falls under the banner of intelligence-led policing (Koops, 2013), for example, by monitoring social media platforms for certain keywords and pictures to help prevent crimes before they escalate or to assist in criminal investigations, child crime, kidnapping, homicide, terrorist threats, and high-level computer intrusions.

On the other hand, surveillance is a growing cyber threat to the privacy rights of citizens. The ability of digital surveillance technologies to track the location and activities of users–generally, to profile users–has turned them into a formidable tool in the hands of police states and authoritarian governments eager to monitor and control activities that threaten power structures, including activities of human rights activists. AI “enables large-scale surveillance of often vulnerable populations” (Shoker, 2019). The Edward Snowden revelations highlighted the extent of domestic state surveillance in the U.S. and the extent of business-state political economic collusion. Snowden revealed that the CSE used free airport Wi-Fi service to spy on the communications of all travelers using the Wi-Fi service and to track them after they had left the airport, all without a warrant. The number of Canadians affected by this surveillance is unknown. While some surveillance technologies are useful or beneficial, left to the unregulated market forces, surveillance has come to threaten the core of the liberal political tradition, especially the autonomy of citizens and their freedom from political economic oppressive influence (e.g., manipulation of behavior).

Business surveillance

A distinction can be made between business intelligence (BI) and business surveillance. Corporations gather intelligence to help them predict technology or social or regulation trends that can affect their current operations and future growth. According to Forrester Research, BI is “a set of methodologies, processes, architectures, and technologies that transform raw data into meaningful and useful information used to enable more effective strategic, tactical, and operational insights and decision-making” (Evelson & Nicolson, 2008). Thus, BI can encompass information management (data integration, data quality, data warehousing, master-data management, and text- and content-analytics). BI systems combine data gathering, data storage, and knowledge management “with analysis to evaluate complex corporate and competitive information for presentation to planners and decision maker, with the objective of improving the timeliness and the quality of the input to the decision process” (Springer-Verlag Berlin Heidelberg, 2008).

Competitive intelligence and business analytics can be understood as sub-sets of BI. BI and competitive intelligence both support decision making. BI uses technologies, processes, and applications to analyze internal and external structured data and business processes, while competitive intelligence gathers and analyzes information situating a company vis-à-vis its competitors. Business analytics focuses on statistics, prediction, and optimization, rather than the reporting functionality.

Surveillance technologies are becoming increasingly sophisticated and prevalent and are being developed to detect and respond to behavioral patterns in real time. Surveillance technologies are wide ranging and begin with the core Internet communications protocol “IP,” or more broadly the Internet protocol suite TCP/IP, and how it governs and structures communications on computer networks. IP addresses are comprised of two parts: Network address and host address (a host is a specific device on a network). Open source intelligence/surveillance technologies are widely used in the field of advertising. The advertising industry is based on collecting user data, on profiling users according to behavioral patterns or choices so as to micro-target them with effective messages. For example, cookies, or persistent identifiers, are used in web browsers to track user activities. Third-party cookies enable companies to track users across different media platforms. The data broker industry aggregates user data from across public platforms then sells them to marketing and advertising companies. For example, Acxiom Corporation, Little Rock, Arkansas, USA, operates twenty-three thousand computer servers that collect, collate, and analyze more than 50 trillion unique data transactions every year and have amassed profiles on over 700 million consumers worldwide (Goodman, 2016). While BI can be understood to refer to ethical sales and marketing practices, including assessment of the business risk environment, business surveillance is associated with intrusive intelligence gathering techniques that transgress the privacy rights of users of ICTs (the citizens).

Business surveillance applies the same data mining and analysis technologies and techniques of BI to profile users through data aggregated from social media and public records allowing retailers to micro-target and influence or manipulate user behavior. A “shockingly extensive, robust, and profitable surveillance architecture” (Schneier, 2015, p. 56) has emerged out of this technological infrastructure, and is behind the trend of privacy breakdown during the past five years equivalent to “an environmental calamity” (Thompson, 2019), such that even the Canadian Minister of Innovation said, “Canadians are rightfully concerned about reports of data breaches, misuse of personal information by large companies, election interference, and online hate related to mass tragedies” (Bains, 2019).

The information which NSA whistleblower Snowden revealed regarding “the extent of governmental surveillance and the close relationship between traditionally distinct public and private entities has damaged systemic trust in a profound way” (Shull, 2019). Attacks on the privacy of citizens represent a political threat in a society where political stability rests on a deeply held and long-practiced set of core liberal values of personal liberty, individualism (autonomy), and freedom, rooted in the ideals of the Enlightenment revolution and the Scientific Revolution, and a breach of the social contract forming the basis of the liberal political tradition. Citizens in liberal democracies are seeing their privacy rights squeezed from all sides–government, business, and malicious actors–eroding trust in government. The challenge for regulators and policymakers is: Is the data collection process of personal/private data ethical? Is intelligence gathering or knowledge making in support of business innovation ethical? What decision-making and technology governance frameworks are available to guide ethical technology governance?

Abu-Shaqra, B. (2020). Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society (2020-04-17T20:04:42Z) [Doctoral dissertation, University of Ottawa]. uO Research.
