Critical infrastructure, personal information and the provision of services – these are just a few vulnerable spheres in which cyber threat activity carries the potential to cripple an economy. As threats become more sophisticated in nature, so too should your organizational defences.  

Security and intelligence communities are sounding the alarm on this issue, particularly throughout the last year. This summer, the Five Eyes security and intelligence communities (i.e., Canada, the United States, New Zealand, Australia and the United Kingdom) banded together to warn the world about the greatest cyber vulnerabilities of our generation. In a joint cyber security advisory, they highlighted vulnerabilities that organizations can eradicate to mitigate exposure.  

In some cases, Canada's allies have not shied away from attributing cyber activity to a foreign power. For example, the United Kingdom recently attributed Russia as the perpetrator of a cyber-attack with Europe-wide implications within an hour prior to the Ukraine invasion.

Similarly, joint cyber advisories like the one cited above, have highlighted that state-sponsored hackers have been targeting critical infrastructure in Canada and the United States.

The bottom line is simple – cyber-attacks are looming large and they metastasize quickly. They are more sophisticated, pervasive and unforgiving in terms of their scope and influence. Early detection and prevention are crucial to contain the resources required for crisis management.

Take note: Canada's scope of cyber threat assessment

The National Cyber Threat Assessment (2023-2024) released by the Canadian Security Establishment recently corroborated the scope of the threat. The assessment showcases the most pervasive and problematic patterns, namely:

  • Ransomware is a persistent threat to Canadian organizations.
  • Cyber activity is constantly threatening critical infrastructure. This, in turn, directly impacts supply chains.
  • Cyber criminals target critical infrastructure. For example, since March 2020, 400 health care organizations in Canada and the US experienced a ransomware attack. This week, five southwestern Ontario hospitals suffered similar attacks.
  • Increased cyber threat activity against municipal and provincial governments. These types of vulnerabilities implicate personal information and the provision of government services.
  • Over the next two years, Russia will rely on cyber activity as a "foreign policy lever" to target critical infrastructure.
  • Spyware tools are targeting diaspora communities with a view to exercising influence.
  • Organizations with value to foreign states will continue to be targeted. This type of activity may capture intellectual property.
  • State-sponsored cyber threats conducting operations to alleviate the impact of sanctions. This type of activity targets monetary assets and financial institutions, as an example.

To the extent that there are successful threat activities, they carry the potential to both influence and interfere with day-to-day lives. This was made clear when former the Minister of National Defence issued a statement on cyber threats to critical infrastructure in recent months, highlighting advice from the Canadian Centre for Cyber Security, which includes the top 10 security actions to mitigate threats and protect IT networks.

Cyber threat assessment checklist: How prepared is your organization?

According to PwC's Canadian Digital Trust Insights, 2023, "more than two-thirds of Canadian executives consider cybercrime their most significant threat in the coming year."

With that said, organizations should think critically about fortifying their "fences" both physically and virtually. To that end, we recommend a thorough assessment of your baseline. Here's a short checklist to start with:

  1. Know the nature of the information your organization possesses and its potential for exploitation. If the information could potentially be valuable to a foreign malicious actor, what steps have you taken to safeguard it?
  2. Have you employed cyber defences such as patch or detection systems? Have you demonstrated due diligence having regard for the existing threat?
  3. Does your organization have a critical incident protocol? If so, who is engaged by this protocol and what is contemplated in the sequence of events within the protocol?
  4. Does your organization's insurance cover the costs of a cyber-attack?  If not, do you have a reserve fund or pool of resources to draw on if required?
  5. In the event of a cyber-attack, and where personal information is implicated, have you contacted the Office of the Privacy Commissioner to report a breach?
  6. What is your training protocol? Do you have a dedicated cyber-attack incident response team? Does your organization have the expertise to detect and deter cyber-attacks including but not limited to phishing, malware, ransomware, etc.?

Blind spots in cyber defences lend for inevitable reputational woes. No organization is immune. Early mitigation is key.  

For example, the Newfoundland cyber-attack rendered the health care system virtually inoperable in 2022, right in the middle of the COVID-19 pandemic and saw the compromise of approximately 58,000 individuals' personal information. In this case, a forensic investigation determined that evidence of cyber activity was present more than two weeks before the ransomware was deployed.

In an age where transactions are predicated on a digital footprint, these counter cyber measures should be top of mind for every organization to minimize exposure and reduce liability. After all, cyber security is now inextricably linked to national security.

To learn more about the steps your organization should take to assess your cyber threat baseline, please contact a member of our Cyber Security & Data Protection Law team.

Reem Zaia is a litigation lawyer in the Advocacy Department at Gowling WLG in Ottawa. She is the former Director of Policy and Legal Affairs to Canada's Public Safety Minister. Reem's practice spans regulatory, criminal, privacy and national security law.