The new head of Canada’s cybersecurity centre says his first months on the job have been a “dizzying” experience of responding to one major incident after another, including a cyberattack from a hostile state against a federal government department in recent months.
“The last eight months have been somewhat a dizzying experience of a number of cyber incidents and managing all these cyber incidents,” Sami Khoury, who was named head of the Communications Security Establishment’s (CSE) Canadian Centre for Cyber Security last August, told the audience at the Cyber UK conference Wednesday.
“Day one of the job, the federal election is called,” he began listing, noting that the government suddenly was responsible for defending the entire country at a time of particular interest for foreign states looking to interfere in Canada’s affairs.
Then, just as the election ended, Newfoundland suffered a major cyber attack that crippled the province’s health care system for weeks and led to 200,000 files being stolen. That required CSE to deploy a team to help the province essentially rebuilding its IT systems, Khoury told conference attendees.
Shortly after, CSE scrambled to help cyber defenders address a major vulnerability, known as Log4j, in a nearly ubiquitous software library that hackers quickly tried to abuse. At the time, it was qualified as of the single most critical vulnerabilities in the last decade.
At the same time, Khoury said CSE was trying to handle “a number” of ransomware incidents, which he has frequently qualified as one of the biggest cyber threats Canada faces right now.
In 2021, 304 ransomware attacks were reported to CSE, a 151 per cent increase on the previous year but still likely a drop in the bucket compared to the real number because the problem remains “way, way underreported,” he said.
Canada the target of ‘thousands’ of cyber attacks every day, CSIS reveals
CSE responded to more than 2,200 cyber attacks in 2020
Khoury said that by the beginning of 2022, “we thought we would celebrate a quiet New Year,” he told conference attendees.
But that hope was dashed by a previously undisclosed “nation-state incident against one of our federal government departments.” He did not specify which hostile state was behind the attack, nor which department it targeted.
The only known incident around that time is a significant cyber attack against Global Affairs Canada (GAC) that was first detected on Jan. 19. The incident forced the department to shut down a host of internal programs for days and sometimes weeks to prevent further damage.
In an interview after his panel (but before it was made available publicly online), Khoury declined to say who was behind the GAC attack but noted that it was a “sophisticated incident.”
He also confirmed that there was no private or sensitive government information that was either compromised or stolen during the GAC incident.
“We have not come out publicly with anything that points fingers at who’s behind this,” he told National Post.
Then, Russia launched its invasion of Ukraine, creating significant concerns of increased attacks from the country that is repeatedly listed as a key hostile cyber threat to Canada. Khoury also spoke of “another incident we had to manage,” but did not provide any more detail.
The last eight months have taught me that it’s going to be a busy few years
But despite the fears of a looming cyber war with Russia since its invasion of Ukraine, the head of Canada’s Cyber Security Centre says that Canadian organizations have been targeted by Russian cyber criminals … yet, he specified in an interview.
“We haven’t seen anything in Canada that we can find a fingerprint that, ‘this is Russia turning its sights to Canada’ at this point,” he said, noting that most of the country’s cyber attacks have focused on Ukrainian targets.
But “we want Canadian businesses to be ready for when that happens,” he added, because the issue is serious and the threat is real. “Russia is throwing everything and the kitchen sink in the Ukraine conflict.”
But it’s not because Canada isn’t directly targeted by Russia yet that CSE isn’t watching what it’s doing to Ukraine and using that as a warning of what could be to come here.
“In the early days of the Russia campaign, we saw that we saw them go against Ukrainian banks. So then we issued an advisory about trying to protect your web-facing servers,” Khoury detailed.
“Then we saw them flood the airwaves with misinformation and disinformation. And we issued another bulletin with that information,” he continued.
“Then we saw them deploy very nasty, destructive malware in the Ukraine,” he said. “It’s a bit of a game of cat and mouse … Every time we observed something to Ukraine, we turned around and updated Canadian guidance or made it a little bit more customized.”
Khoury says the last months have been so intense for cyber defenders across the country that he’s now concerned they may be slowly getting burnt out.
“I am concerned about the energy level … and pacing ourselves. There are humans that manage these cyber incidents and it’s important to make sure that our teams have a bit of time to breathe, to catch their breath,” he said.
“The last eight months have taught me that it’s going to be a busy few years. We are not out of a job. It’s going to keep us busy,” he added.