This is the Year in Review podcast for 2022. I’m Howard Solomon contributing reporter on cybersecurity for IT World Canada.com. With me are Terry Cutler, head of Cyology Labs in Montreal and David Shipley head of Beauceron Security in Fredericton, New Brunswick.
(The following transcript has been edited for length and clarity. To hear the full conversation, play the podcast)
This is the first time the two of you have been on the show together. Each will have a chance to talk about what you think were the top news stories of the year and give a prediction or two for 2023.
But first I want to ask what kind of a year has it been for you? Terry, Cyology Labs gets to see the inside of cyber attacks through your incident response services, penetration testing and cyber security advisory service. What do you see? Are organizations getting better at cybersecurity?
Terry: Unfortunately, I still see problems with them getting the basics in place. We always have problems with patch management, strong passwords, and all these things. The advice to these guys is always the same. We all know we have to create strong passwords to our multifactor authentication. Don’t click on links you’re not supposed to, watch out for suspicious websites because you get ransomware, viruses, worms, trojans, botnets and zombies. They’ve got to worry about all these things, and it becomes so overwhelming because they still believe that they’re a small company. Who’s gonna want to hack us? And when you’re trying to so pitch cyber security initiatives to them like like awareness training and such It’s always the same response all the time: Cyber security is not interesting to us, or they just don’t believe they’re a target, and remembering all those passwords is such an a daunting task. And what’s worse is they get sticker shock when they see the price of some of these services. They think it’s a couple hundred dollars to secure their business when it’s thousands and tens of thousands of dollars.
Howard: David, Beauceron Security sells cybersecurity awareness services including phishing tests. What have you heard and seen in the last 12 months? Are organizations learning?
David Shipley: They are learning. It’s interesting: We are working on a data set that looks at 7,000 people. We trained them then we automatically phish them over a 12-month period and then reassess them, and we saw double-digit improvements in self-reporting on things like behaviors around clicking on attachments they weren’t expecting. Even if they know the person [sending the phish] we saw a 61 per cent decline in clicks. We saw double-digit declines in sending information to personal cloud storage. So we were able to prove that awareness training works.
To Terry’s point, awareness is part of those fundamental basics that still aren’t being done as effectively as they need to be. My hope for 2023 is that it’s less about the latest cool microlearning module or Netflix series and more about actually measuring the time that people are spending learning about this versus the risk reduction achievements we’re able to see. I think when we get to that we’re able to have really strong return on investment conversations [with management ]. Because the most expensive thing for organizations is the human element which is 82 per cent of where malicious attacks come from, according to the Verizon Data Breach report. So are we making the most of the time that we’re actually spending on training? Are we actually moving the needle? You can answer that question if you measure it.
Terry: David, did your clients experience a cyber attack or some type of incident before they jumped onto their awareness training service?
David: For some it’s definitely a day plus two, plus five [after the event]. It’s still not the majority. For most, we were doing something previous to an attack. They wanted to do training better, faster, and with measured results. And quite a few now are regulated firms. What’s really interesting about the regulated ones is the regulators are still just looking for proof of activity. They’re not actually challenging firms to show if their awareness programs actually target the risk specific to the institution or organization. How are you measuring the results and how are you iterating? Everybody else is just sort of checking the box and saying good job. You got the participation award. You did training this year.
Howard: This year Statistics Canada released a cyber security survey of 8,800 businesses with 10 or more employees — and that’s certainly a way larger sample than done by most IT companies that do surveys — which found that 18 per cent of respondents said that they were impacted by a cybersecurity incident in 2021. That translates by the way into over 50,000 businesses across Canada. By comparison, 21 per cent in both 2019 and 2017 said they were impacted. What do you make of those numbers? is this evidence that businesses are getting better because there were fewer last year reporting that they were impacted by a cyber security incident?
David: For me, the big number in that survey was that losses to cybercrime in 2021 were $600 million. That’s up from $400 million in 2019. While the percentage decline [in firms impacted by cyber incidents] is interesting from 21 to 18 per cent, the money lost increased by almost 50 per cent — and this despite the fact that the private sector as a whole spent almost $2.7 billion dollars more, as much as $9.7 billion a year, to protect themselves. Where it gets even more nuanced is the number of businesses actually paying for cybersecurity is statistically about a dead heat, but actually declined slightly from 62 per cent to 61 per cent. Sixty-one per cent of businesses spent $9.7 billion dollars on cybersecurity and the cumulative outcome for everybody was worse than the year before. Where did the losses come from? Did it come from the 38 to 39 per cent of businesses that don’t spend anything on cyber? Or did the folks who bought cybersecurity tools etc., did they get good ROI? So there’s more to follow on these numbers.
Terry: I think it’s also around the question of how much people are actually disclosing. A lot of times they don’t want to participate in a survey that may reveal that they got hacked because they’re scared that their brand is going to get affected, there will be a loss of clients’ trust.
Howard: We’re going to take a deeper look at 2022 now. Here’s a list some of the biggest cyber incidents this year: Australian telecommunications company Opus suffered a huge breach in September when details on 11 million customers was accessed. Also in Australia, a health care and insurance provider called Medibank admitted the personal information of 9.7 million current and former subscribers was exposed in a ransomware attack. The data of 5.4 million users was put up for sale in July. [After this podcast was recorded someone hacked the accounts of prominent Twitter around the same time information on 400 million Twitter users was put up for sale. It is believed the data was scraped from Twitter last year]. In April CashApp admitted that a former employee had breached its servers forcing the company to notify 8 million customers about the incident. And then there’s the cyber warfare since Russia invaded Ukraine that sparked a number of cyber attacks in Western Europe that are believed to be war-related, including attacks on energy companies. In Canada by my estimation, there were 46 publicly-reported cyber attacks including six Canadian municipalities, six educational institutions and two hospitals — in addition to two cyber attacks on Canadian government departments. That’s the department of Global Affairs, which is our equivalent to the U.S. State Department, and also the IT system used by Members of Parliament. David what was the most significant cyber news story this year for you?
David: The Canadian teen who can now displace Mafiaboy as the most interesting hacker on the Canadian scene. This was a Hamilton, Ont., kid who stole $45 million from a Los Angeles-based cryptocurrency billionaire. [Now 19, he pleaded guilty in June to theft over $5,000 after spending a year in pre-trial custody.] The kid initially thought he’d only stole a million. He got nicked because he decided to use some of that stolen crypto to buy the Playstation username “God” — because that’s what you do when you’re a teenage kid. It was the perfect example of social engineering smartphone SIM card swap. The sad part for the kid is that that $45 million is nowhere near worth what it is because of crypto’s collapse. But he’ll be on the street and they haven’t recovered all the money. [Police have only found about $7 miliion worth of the victim’s cryptocurrency.] So he might be set for life.
Howard: You’ve talked about a big SIM-swapping attack. What should IT departments and cell phone providers be doing to tighten security to prevent this?
David: This is the perfect example of how multifactor authentication strength varies widely depending on the application. The strongest MFA is a physical key, like the YubiKeys. The weakest are these SMS-based text messages. Now, I’m not going to be a cybersecurity purist and say never use SMS for 2FA because a national tax agency’s only MFA method is currently text messages or phone calls. It’s better than nothing. But the reality is if you’ve got billions of dollars in crypto assets you better be locking that down better than the Los Angeles investor did. I think it’s part of a theme in 2022 where the strength of multifactor authentication as a control was tested severely, and some of its limitations began to emerge.
[Editor: For example, the Twilio-Oka attack]
Terry: And employees are suffering from MFA fatigue from fake push notifications … If the victim says yes [to constant fake text requests for access] he gives access to the cybercriminal to gain access to the account. So organizations should start looking at only using an Authenticator app to type in codes when required. There’s another piece needed to stop SIM swapping: Asking your provider to turn on port protection, which means you have to show up in person with identification in order to switch your smartphone’s service. We had a victim where an attacker managed to log into one of our accounts that didn’t have multifactor authentication turned on and switched the phone to a different carrier. They got access to all of the victim’s security questions, and then they were able to drain their bank accounts and purchase things online.
Terry: My choice for story of the year was the breach of the International Red Cross. A lot of not-for-profits are being attacked because cyber criminals know they don’t have the time, money or resources to deal with cybersecurity. So they’re going to attack these folks and leak their data. They lost close to um, 500,000 records, which involved donors and a lot of personal information. We have to find ways to help secure these groups better.
Howard: I want to bring up the cyber attacks in Australia. Doesn’t anybody down there understand encryption? How can a health provider not have adequately protected over 9 million data records on people?
David: I think Canada’s a pretty big glass house when it comes to medical data record protection. Whether it’s the 2019 LifeLabs breach or attacks on various provincial health care systems [Editor: for example, Newfoundland] the reality is healthcare is always seen as a cost center. Many patient record systems didn’t have encryption of data at rest as a feature, or it’s a paid upgrade to a version that maybe they couldn’t even get to because they’ve customized the software. The layers of complexity and process and people that make medical records so vulnerable is going to take decades to unwind because we built the Wright brothers’ version of patient data records and then we turned it into the space shuttle with all the aforementioned safety concerns. It’s awful, which speaks to the need for dedicated federal government funding to the provincial healthcare systems to help them modernize their it environments right down to the data centers so they actually can encrypt data better at rest — and make sure they actually have modern ERPs [enterprise resource planning systems]. But this is going to be the next 20 years of securing, and unfortunately they’re 20 years behind because criminals are having a field day. They are causing incredible trauma in Australia. And to be honest, I don’t think we’re seeing attention to this issue in Canada. Mental health files and abortion information in Australia are being leaked. It already happened in the Newfoundland virtual health care system in 2021.
Terry: Recently a patient who went to a local hospital contacted me saying he could get access to patient data because hospital staff had pasted usernames and passwords on the walls for the nurses to log in. He was sitting in the waiting room and was able to see this, so he used his laptop and signed in. He was able to pull up the current list of Active Directory users, their budgets, the price of medical equipment … One problem [in any company] is there’s too much access to data.
Howard: David, you brought up the Canadian healthcare comparison. But hospitals are largely funded by provinces and therefore they have somewhat limited financial resources. In Australia, Medibank is a private company. What’s their excuse for not having state-of-the-art cyber security?
David: I don’t mean to come across as flip when I say this, but probably because the consequences to them of not having it was not severe enough to warrant attention to the matter. This is where in a capitalist system some things fall flat. We need to have guardrails for private sector companies — regulations — for their own benefit. Otherwise, the primary responsibility of an organization is its fiduciary responsibility to shareholders. Security is an expense … That’s why there is a reasonable role for sensible regulation to guide corporate behavior.
Howard: David, another news item you thought was very important this year in Canada was the introduction of federal cyber risk security legislation covering the critical infrastructure sector.
David: This comes as part of my role as the co-chair for the Canadian Chamber of Commerce’s Cyber. Right. Now campaign. We have spent a lot of time on the proposed legislation and had some really good meetings in Ottawa [early in December]. The bill is approaching second reading, which means it’s soon going to committee [for detailed examination]. There’s a big push on in 2023 to get Royal Assent. The tricky part will come over the next two to three years as the more precise regulations get ironed out about what’s going to qualify as an incident that needs to get reported, things like due diligence defenses to avoid some of these $25 million a day fines. But it has broad support across Canada’s banking, telco and other sectors. Tech giants on the committee broadly think it’s a good thing to have those guardrails, but there’s a need for some clarity and precision. What I remain concerned about, and that’s probably not going to get solved in the short term, is that this legislation deals with federally-regulated industry — banks, telecommunications, transportation and some aspects of energy transmission. But these aren’t the areas that are the smoking craters right now in Canadian cybersecurity. We just talked about health care, municipalities, small and mid-sized businesses, and what I’m deeply concerned about is we’re creating a regime to protect the crown jewels [being those four sectors] but the crown jewels aren’t what hackers are nicking. We are potentially setting up a situation where Ottawa cares about the federal areas of jurisdiction. And provinces are going to have to pick up the rest. To Quebec’s credit, it has the first provincial ministry of cybersecurity. I met some of the staff at a recent event in Montreal and was impressed. And Quebec is leading in things like provincial legislation around privacy and they want to play a proactive role But Quebec is a big province. What’s Prince Edward Island supposed to do? What are New Brunswick, Newfoundland, Manitoba going to do? There are going to be have and have-not provinces with proper cybersecurity legislation. That doesn’t seem like a national strategy that makes sense to me.
Terry: One of the challenges we’re seeing is around resources. There’s not enough senior cyber folks around to make a dent. What I’m seeing is that a lot of companies are paying out big bucks to acquire talent. And they’re constantly moving around for the biggest dollar, especially in healthcare, where we do a lot of work. We’re handling 18,000 machines [PCs and servers] just in one group, and the turnover is just incredible. What I’m also seeing is that there’s not enough documentation being left for the new hires. They’re constantly looking to see where the assets are, and where the vulnerabilities are. They have very weak visibility into where all the weaknesses are. Instead of purchasing one solution that would give them a holistic view they’re buying different solutions from different vendors that. But all these extra tools weren’t meant to work together. So if a cyber breach occurs they have to bring in four or five teams to try and stitch it together to find out what just happened. Then they realize that they need logs, or the incident happened a month and a half before we got the call for help. There needs to be better preparation.
David: One thing I just want to add about the unique challenges in the public sector — and I’m thinking, Terry, about your point about healthcare — is the emphasis on the lowest price wins the bid. It’s ideal from the best use of every tax dollar standpoint, but who wants to be the person that bought the cheapest security? … There’s some interesting research from the U.S. that shows after a ransomware attack outcomes for patients in hospitals who had heart attacks got worse — but it wasn’t the ransomware attack that negatively impacted the outcomes. It was all the security controls: They slowed down the delivery of healthcare care because it wasn’t the right control in the right context for the right risk scenario related to that particular part of the hospital’s function. Healthcare is a hell of a lot harder to secure than any other domain and we are doing it so poorly as a whole. That’s not to say that there aren’t good people. I have met some of the CSOs and security teams working in healthcare systems across this country — and there are a few — and the ones that are there are incredibly dedicated. They believe in the mission. But they are not being given the tools and the resources and the money, particularly the money, from the federal government to fix the basics so they aren’t forever in firefighting mode.
Terry: Every time we see a municipality being breached there’s always a recurring theme: They hired an outside cyber security firm. If you had been working with a cyber security expert from the start a lot of this probably wouldn’t have happened. They’re often misguided by their IT people saying that they have it [cybersecurity] covered, when in fact, they don’t. IT guys are like your family doctor. They are generalists. You need cyber security expertise to complement IT.
David: This is something that drives me nuts: Often the IT leadership team inside organizations and municipalities are put in a conflict. They’re told to manage costs. ‘You can be secure up to the point where it costs us more money, or god forbid, you inconvenience us by implementing multifactor authentication, etc.’ Public sector CIOs are often put in an impossible Kobayashi Maru [Editor: A Star Trek reference for a no-win scenario] of policy making and cyber security investment because literally it’s the no-win scenario. I guess it’s character-building, but man it must suck.
Terry: Exactly. Cyber security is not about convenience.
…
Howard: Terry another cybersecurity news story or incident this year that struck you?
Terry: The reports that came out revealing the ways that cybercriminals are getting through using legitimate tools to attack a company. For example, we had to deal with an incident where a company was breached through their firewall because of vulnerabilities and leaked credentials, but instead of installing new tools they launched BitLocker or Truecrypt [exiting Windows tools] to ransom 400 computers. They charged $10,000 per machine for the decryption keys. The organization had EDR (endpoint detection and response] deployed but it didn’t stop the attack because BitLocker and Truecrypt are legit tools.
David: The other big headline for me was the six years-plus term for Sebastian Vachon-Dejardins, a NetWalker ransomware gang affiliate caught by police because he left his fingerprints on some servers in Poland. He had attacked organizations in North America — particularly organizations in the United States — and made something on the order of $27 million as his cut. It was the most public, detailed accounting we’ve ever had of the affiliate model: How ransomware-as-a-service really does shield itself with the operators and builders of this infrastructure primarily in Russia, and how people become franchisees into cybercrime. This is one of those rare wins where a multinational police task force working actually put people behind bars — and thanks to the American component this behind bars for a long time. So we can have some wins; there is hope. But it also tells us some of these bad actors hit small and midsized businesses, hospitals, municipalities and others. They’re closer to home than we’d like. The good news is when they violate the number one rule of cyber crime — don’t hack within your own country or your country’s allies –.there’s a good chance of actually catching them and seeing them prosecuted.
Howard: The last question I want to ask about is cyber war and what we’re seeing from the Russia-Ukraine cyber war.
Terry: I think the big one is going to be around the wiper attacks. Attackers are getting into critical infrastructure and instead of holding their data hostage for ransom they’re wiping out the drives and backup servers. Knocking them offline could be almost as effective as a bombing.
David: The positive side of this coin is Ukraine learned the painful painful lessons of hacks in 2014, 2015, 2016 and paid attention to basics — and got tremendous help from the United States Canada and others including Microsoft and others to weather the storm. Russia’s attacks were not nearly as effective as we all dreaded. I think that came as a result of paying attention to basic hygiene. Which is why we need basic cyber security hygiene regulations. But [the lessons] also came after pain. The attacks that we’ve seen in North America — Colonial Pipeline, JBS Meats, Empire Co., the Newfoundland provincial healthcare system — but we still haven’t suffered nearly as much pain as the Ukrainians have suffered. And we are not investing proactively. So I think it’d be a big mistake to say it [the Russia cyberwar fizzled and we’re safe. The Ukrainians have learned to take a punch.
The other thing I’d say is that when it comes down to cruise missiles or hacking a power plant, cruise missiles take down power plants if you’ve got them. They’ve got a higher success rate [that a cyber attack]. That’s what we’re seeing: Physical violence still trumps cyber in terms of catastrophic impacts.
Howard: Predictions for 2023?
Terry: We’re going to see the same attack trends as last year, but doing more with less. We’re going to see more digitization, more automation but less experts on staff — which means there’s going to be more data breaches. And possibly more outsourcing, so managed service providers are going to have to offer more value.
David: Cyber insurance is going to get a hell lot more expensive. Those double-digit increases most businesses experienced this year — and sometimes even difficulty getting coverage — that trend’s going to continue. We’re seeing more people going to jail for crypto fraud. And boo hoo to all of the money lost to criminals from crypto falling. But it is going to serve as one hell of a fire underneath them to ramp up their activities try and make back their losses from this year. So the incentives for cybercrime continue to increase. There are still not enough disincentives internationally to shut down the business model.
Howard: I want to mention the Canadian government’s proposed Consumer Privacy Protection Act, or Bill C-27, which also comes with a proposed new act governing the use of artificial intelligence software. Those two pieces of legislation were introduced six months [Editor: Howard wrongly said in the podcast the bills were introduced 12 months ago]. It’s now December and they haven’t yet been moved to committee for detailed work. For 2023 I hope this is a priority for the Liberal government. I’m not sure it is because I haven’t seen very much action on it.
David: The read that I have is C-26 [the critical infrastructure bill] is on track to potentially get through committee and pass in the first half of next year, based on sort of the interest and intent level that we’re hearing from the government. The trick is the regulations, which won’t come into force until later, which means the law won’t actually have teeth until at minimum 2025. Will they be too little, too late? It’s going to take them a while to get those regulations right. Otherwise, we’ll have the situation in the ‘states where people aren’t reporting incidents because the reporting threshold is so high. It’s going to be a tough one to get right.