The Canadian Association of Security and Intelligence Studies (CASIS) recently held a Symposium entitled “The Cyber Challenge.” Although the speakers focused on the national and international, and non-criminal aspects of the threat, the implications for those on the front lines of public safety are unmistakable.
As Greta Bossenmaier, the Chief of the Canadian Communications Security Establishment (CSE) pointed out, the internet was built on the principles of simplicity and access, not security. As the internet has been build up, layer upon layer, its vulnerability to malicious actors has increased. For Canada, this has meant an assault on the computerized databases of the government and private companies in almost unbelievable volumes. Canadians can access over 200 government services online, but on the other side of the equation, federal computer systems are “probed over 100 million times a day by suspected malicious actors searching for vulnerabilities.” These probes do not always fail.
Melissa Hathaway, who has advised two U.S. presidents on cyber issues, focused on three areas of vulnerability – power, telecommunications and finance. Critical infrastructure related to these three areas have been attacked multiple times around the world, and the ability of some foreign governments to take out or destroy critical systems has been dramatically demonstrated.
Canada considers 10 areas to be critical infrastructure: energy and utilities, finance, food, government, health, information and communication technology, manufacturing, safety, transportation, and water. Since we all know the frustration of losing power in a storm, or the inconvenience of having our email go down, or the occasional bank message that says systems are being updated, it is not hard to imagine the chaos that could be created if attacks against these systems were to be coordinated and prolonged. With these systems out, others would fall almost immediately.
If the key nodes of power, telecommunications and finance were to be taken down, the rest would quickly follow because supply chains, hospitals, public safety and government are all dependent on at least one of those three key nodes to function. A disastrous situation would ensue for frontline services if they had to respond to an emergency during a multi-dimensional cyber attack that left them without functioning communications systems or command and control facilities.
Power facilities can be thrown offline, but they can also be destroyed by intentionally programmed power surges, or induced to vibrate themselves to pieces.
To these existing and proven vulnerabilities must be added the growing inventory of devices linked by the “Internet of Things”. As the Chief Technology Officer and Chief Security Strategist at Intel, MacAfee, Fortinet, Tyson Macaulay pointed out during his presentation, our desire to be able to communicate with devices will add everything from autonomous vehicles to embedded medical devices to the internet.
While it will be wonderful to be able to look into our refrigerators from the grocery store to see if we need milk, experts have pointed out that the computer software in most “things” on the internet will be unsophisticated and unable to download security updates. It will be annoying if someone hacks into our fridge, but fatal if someone hacks into our heart monitor or automated car. Nor will be it easy for emergency workers to deal with a rogue heart implant.
One of the featured speakers was Ray Laflamme, an expert on Quantum Computing at the University of Waterloo. Since few in the audience knew much about quantum physics, let alone the more difficult world of quantum computing, we were more comfortable with the potential of quantum computing than the science behind it. For the security and intelligence world, one implication will be an infinite complication of the world the cryptologists inhabit – which ultimately has implications for everyone who wants to communicate privately on their cellular devices, for good or ill. As the capacity of computers increases, so does the complexity of encryption programs, and the capacity of computers breaking down encryptions. In a broader sense, computers with infinitely more capacity will immeasurably increase the dangers and defences for critical infrastructure.
While computer attacks may play out in disasters on the frontline, they also have implications for inter-state relations. At what point is a cyber attack the equivalent of a military attack, to which a country has a right to respond with military measures? This is a question to which a theoretical answer is preferable to one in the real world.
The response to the cyber challenge can take place at several levels. On the technical side, we may simply be approaching the end of the era of standardized software. We may find that companies and governments can only protect themselves by developing software that is unique to their own enterprises, hopefully ending the global hunt for zero day vulnerabilities that can be used to attack standard programs.
Another approach may lie with the growing number of companies that build and sell space in data fortresses that are able to deploy technical security expertise that exceeds the effort needed to penetrate them. Large users may simply give up on the idea of holding off the flood of attacks with their own expertise, and use the facilities of consortiums of security experts.
At the state level, some nations have already concluded that aggressive diplomacy is the only approach. For example, China and the U.S. reached an agreement on the limits of cyber activity after the U.S. threatened to end the import of goods from any Chinese company that appeared to have benefited from Chinese cyber spying.
Not many countries have this kind of market access control, so international discussions are necessary, and are taking place. We can hope that, in the end, a network of rules emerges that prevents cyberwar in a physical sense, not just in cyberspace.
While we can hope that agreements are reached, or technical fixes are possible, there are some unavoidably negative conclusions for frontline services to the public. It is possible to have contingency plans for disaster management if a critical system breaks down, but very difficult to conceive of a plan that could keep vital services operating if multiple critical systems are deliberately attacked with the intention of preventing a workable response.
Even if technical fixes are possible, they often add to the already significant cost of keeping computer-based technology systems and software up-to-date.
For the CSE, Greta Bossenmaier highlighted the importance of the move to bring all federal government networks under Shared Services Canada. This is an expensive program, but also one that has seen service levels fall for users across the system. It is becoming evident that keeping cyber systems safe may mean making them more expensive, less user friendly, less adaptable to local conditions, and more difficult to service quickly.
It is only in the past two decades that the computer has become a part of everyday life, of virtually all areas of commerce, and in fact of every part of our existence. Change is accelerating, and it is impossible to foresee the future we are going to have to function in with any clarity.
The only thing for certain is that we must assume that meeting the evolving cyber challenge will be a constant preoccupation – for nations, for companies, and for frontline organizations.
Greg Fyffe is President of the Canadian Association for Security and Intelligence Studies (CASIS).