As originally published in Canadian Defence Review magazine.
Times are changing for Canadian defence and critical infrastructure providers that are one step removed from security establishment protection. New regional powers are emerging, countering the global presence of the United States. As global stability decreases, the opportunity for and likelihood of cyber incidents increase.
Today, organizations connected to the national security arena, even tangentially, are becoming targets for threat actors. Smaller vendors with small security footprints are becoming the vector into larger organizations—and even critical infrastructure. These smaller vendors often hold a higher level of access to sensitive targets than their security capacity is capable of defending.
In this context, the standard view of cyber security no longer applies. Standard compliance protocols and cyber security best practices remain vital. However, compliance frameworks alone do not constitute a sufficient defence. To avoid being that weak link, organizations must treat cyber security as a whole-of-business concern.
A new cyber playing field
There is increasing evidence of state-backed Advanced Persistent Threats (APTs) targeting groups in support of geopolitical objectives. Public disclosures from Canadian and American cyber security agencies observed these activities in 2021, 2022, and 2025. The trend shows that targeting activity is becoming more widespread, frequent, and advanced.
Cyber attacks are debilitating for affected businesses and have serious consequences for connected organizations. However, private vendor organizations remain isolated in terms of protection and response. In the public’s view, cyber attacks are less severe than physical espionage or sabotage, which makes it difficult for national bodies to react and intervene. There is a perception that since nothing is physically destroyed, there is no need to mount a military, diplomatic, or sanctions-related response.
Mission: Far too possible
Threat actors are often not direct representatives of a hostile state adversary’s security services. Perpetrators are often isolated opportunists looking for assets to sell on the Dark Web or attackers doing work-for-hire for foreign governments. In the public’s eye, these are criminals, not hostile foreign agents.
The attacks themselves are not Hollywood spy thriller fare. They happen through simple tech exploits and social engineering. System gaps or misconfigurations are used to gain access to sensitive data. Employees’ social media presence is leveraged to gain trust and steal company access credentials. Fake software patches are sent to unwitting employees to spread malware or steal sensitive data.
On the surface, these actions don’t scream “warfare.” They might not seem politically motivated in the least. However, these breaches carry significant national security implications. As long as the risk of reprisal for threat actors remains low, this brand of cyber espionage will continue to rise.
For Canadian vendors, it is no longer a question of “if” an incident will hit your organization, but “when.” However, because you are a private entity, Canadian security agencies may not have the authority to come to your defence. Though this situation may be addressed in Bill C-26/C-8, or other future legislation, for now victimized private organizations must rely on themselves or the private sector for security.
Though sophisticated attacks are concerning, the lack of controls and monitoring in many organizations poses its own risk. Instead of adhering to a compliance framework and calling it a day, organizations need to start thinking and behaving like their adversaries do.
Proactive cyber
Security monitoring and internal solutions are as important as ever, though not enough on their own. It is time to look at what attackers are doing, and counter those risks strategically with controls and policy. It’s not a question of security budgets, but security strategy.
At an operational level, that means keeping track of activities on the deep and dark web where attackers convene. Organizations need to investigate what threat actors are doing, saying, and selling.
For instance, we are seeing threat actors target organizations that are critical to military operations in Ukraine. Canadian organizations connected to critical infrastructure or Canadian defence could be similarly targeted in a major conflict, to cause harm or disrupt daily life.
Canadian businesses need to uncover how threat actors see their organization specifically. What access might attackers already have? What bounties are they offering? Cyber security teams need to tie world events to attacker motivations and contemplate how their organization might be implicated in broader campaigns.
This extends to an organization’s third-party vendors and data residency. Many organizations adhere to FedRAMP and other government and defence standards to protect critical data. However, as global alliances shift, even between traditionally allied states like Canada and the US, organizations may need to revisit their vendor relationships and reconsider what needs defending.
Converging on Canadian resilience
As Canadian businesses and Canadian national interests grow more tightly connected, so too will the cyber security risk posed by state and criminal threat actors.
In this geopolitical landscape, cyber security is no longer a side-of-desk activity for Canadian organizations whose operations touch areas of national concern. It is time for a frank discussion about what Canadian organizations can do to position themselves in a way that bolsters resilience—both for business and for our national sovereignty.