Canadian government and industry need to enact a Zero Trust cybersecurity strategy
The Russia-Ukraine conflict has put much of the globe on alert for potential Russian-sponsored attacks on critical infrastructure.
This includes Canada, especially when geopolitics are factored in: Canada was a founding member of the NATO alliance and is closely allied to the United States both strategically and economically.
The reality is that the conflict is more of a wake-up call to an already vulnerable digital ecosystem. The World Economic Forum’s (WEF) Global Risks Report listed cyberattacks on critical infrastructure as a top concern.
The forum noted that “attacks on critical infrastructure have become the new normal across sectors such as energy, health care and transportation.”
The interconnectivity of the cyber landscape makes every Canadian company and individual connected to critical infrastructure a potential target.
In fact, in March, the National Research Council, the largest federal research and development organization in Canada, detected a cyber incident directed at critical infrastructure.
In accordance with recent pronouncements from both the U.S. and U.K., the Canadian Centre for Cyber Security issued a warning to operators of Canadian critical infrastructure to take steps to mitigate potential Russian state-sponsored cyber threat activity.
In 2020, a threat assessment by the centre found that the “state-sponsored programs of China, Russia, Iran and North Korea pose the greatest strategic threats to Canada and that state-sponsored cyber activity is generally the most sophisticated threat to Canadians and Canadian organizations.”
It also noted that state-sponsored actors “are very likely attempting to develop cyber capabilities to disrupt Canadian critical infrastructure, such as the supply of electricity, to further their goals.”
According to Canadian cyber crime statistics for 2021, the Cyber Centre in Canada reported 235 ransomware incidents targeting Canadian organizations between Jan. 1 and Nov. 16, 2021.
During the first six months of the pandemic, a full 42 per cent of Canadians experienced some type of cybersecurity incident, and 34 per cent of them experienced phishing attacks.
As the Canadian statistics demonstrate, threat actors, especially state-sponsored, and associated criminal enterprises have been taking advantage of the expanding cyberattack surface by using their resources to employ more sophisticated means for discovering target vulnerabilities.
They have automated their phishing attacks through artificial intelligence to find new deceptive paths for infiltrating malware and/or ransomware. No country is immune to this emerging tech enabled threat.
In the U.S., cybersecurity, and an explicit strategy of Zero Trust, is already at the forefront of national security priorities. In the past couple of years, state-sponsored and organized criminal hackers have exploited supply chains and third parties to access agencies and companies.
Several high profile breaches included Solar Winds, JBS Foods, and the Colonial Pipeline.
The implications of the breaches helped lead the U.S. government to issue a series of directives calling for more cybersecurity co-operation between government and private industry.
Highlighted in the directives was the need for fortification of critical infrastructures, much of which is owned and managed by the private sector.
These directives were capped by a White House Executive Order “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” in January of 2022.
Zero Trust principles are a strategy that assumes that every device or person connected to the network may be corrupted and needs to be verified.
The U.S. government agency National Institute of Standards (NIST) defines Zero Trust as “a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Zero Trust makes good sense for the U.S. considering the number of breaches has exponentially increased worldwide every year along with the capabilities of hackers who are now sharing tools on the Dark Web and automating many of their attacks.
Because of the heightened threats and the fact that you may not even know if your network is already corrupted, a Zero Trust strategy that is based on the precepts of do not trust and verify everything connected, also makes good sense also for Canada.
Also, a Zero Trust approach is needed to address vulnerabilities associated with aging critical industrial infrastructure, and reliance on legacy systems, many of which are operating in both the U.S. and Canada.
Cyber conflict and the changing digital landscape have necessitated a refocus on strengthening cybersecurity strategies for Canada.
Developing an initiative-taking approach to those threat realities requires a new security posture. This should include sound investments, resources, expertise, and enhanced technology and tools capabilities.
A Canadian Zero Trust framework will help assess situational awareness, align policies and training, optimize technology integration and fortify privileged access management.
It will also promote information sharing, establish mitigation capabilities, and maintain cyber resilience in the event of cyber-incidents.
Cybersecurity needs to be at the top of the priority list because the stakes are high, and the consequences of breaches are potentially deadly.
The engines of the economy and the way of life for Canadian citizens are dependent on better cybersecurity.
Canada should follow the U.S. example of instituting an adaptive Zero Trust strategy of protecting government and industry from threats that may emanate from the Russia-Ukraine conflict and elsewhere.
Gloss