Canada still lacks cybersecurity ‘street smarts’ says CIRA director

While the federal government combats hostile foreign intelligence services seeking the country’s biggest secrets, hackers and fraudsters are keen on cashing in on the fear the novel coronavirus has created, targeting both individuals and businesses across Canada. The air duct folks are offering “special” air filters to protect from COVID-19, and “financial advisors” are offering financial aid or loans to help struggling businesses survive local shutdown orders. Meanwhile, work from home policies are in effect across thousands of companies, and the resulting IT sprawl is giving security leaders headaches and cyber criminals fresh new attack surfaces to chew on.

This week, leaders in the cybersecurity space had an opportunity to explain to the federal government that the cyber threats facing Canada haven’t evolved much since the pandemic began, and in fact, COVID-19 is yet another reminder that Canadians remain susceptible as ever to cyber attacks.

“Canadians need to develop street smarts around cybersecurity,” said Byron Holland, president and chief executive officer for Canadian Internet Registration Authority (CIRA), one of the witnesses appearing in front of Canada’s Standing Committee on Industry, Science and Technology (INDU) to discuss Canada’s response to COVID-19 earlier this week. He used the opportunity to reiterate a point that security pros have been hollering from mountain tops for years. “As Canada and the rest of the world enter an era where the internet has proven to be a lifeboat for the global economy, we believe Canada must do more to be a global leader in cybersecurity. We would encourage the government of Canada to dedicate more funding to cybersecurity research, solutions and platforms, to protect Canadians and ensure the security of our digital economy.”

Byron Holland, president and chief executive officer for Canadian Internet Registration Authority (CIRA), one of the witnesses appearing in front of Canada’s Standing Committee on Industry, Science and Technology (INDU) to discuss Canada’s response to COVID-19 earlier this week. Screenshot.

CIRA recently launched a free domain name system (DNS) firewall service called SHIELD to improve privacy and security for individuals using computers, smartphones and tablets. The company says SHIELD is the first deployment of a national, public DNS over HTTPS (DoH) service in the world, and that the threat intelligence feed of the service will be provided by the Canadian Centre for Cyber Security. The official launch last month was preceded by an early access launch for highly vulnerable sectors, including healthcare, education, and small businesses.

When asked if CIRA moderates the content on .ca domains that the CIRA greenlights, Holland explained that content moderation falls outside of the organization’s mandate. The number of phishing websites skyrocketed by 350 per cent between January and March, according to Google. In Canada, these phishing attempts have taken the form of, among many others, fraudsters posing as members of the Red Cross asking for money, or the Public Health Agency of Canada providing “helpful” links about COVID-19.

“I’m in no way mean trying to skate out from the responsibility, but we’re a technical moderator not a content administrator,” he explained, indicating stronger content moderation would have to come from elsewhere, such as a law enforcement agency or the Canadian Radio-television and Telecommunications Commission.

Scott Jones, director of the Canadian Cyber Security Centre, confirmed to the INDU that cyber criminals are largely sticking to traditional cyber attacks such as ransomware campaigns, distributed denial of service (DDoS) attacks and business email compromise (BEC) scams, to take advantage of people’s fear around COVID-19.

Larry Zelvin, head of financial crimes and cyber fraud for BMO Financial Group, confirmed Jones’ assessment.

“You’re not seeing a lot of changes in tradecraft because what is old still works. As a matter of fact, it’s working really, really well, maybe better than before because people are fearful and they’re taking advantage of that fear,” he told IT World Canada. “And bad guys only need to be lucky once.”