Cybersecurity in Canada: Finance industry, government seek ways to share data
By Daniel Seleanu, Compliance Complete
TORONTO/NEW YORK, July 18 (Thomson Reuters Accelus) - More cooperation with government intelligence agencies would improve the Canadian financial industry’s cyber security capabilities, regulatory and industry experts told Thomson Reuters. Financial institutions have deployed defences, but face considerable threat from cyber-criminals intent on committing fraud, stealing sensitive information, and disrupting their networks.
To mitigate those risks, security and financial experts have called for an enhanced information-sharing system that would allow firms to provide detailed cyber-attack statistics to the government in exchange for intelligence on emergent threats and mitigation strategies. To date, attempts to establish such a system have had little result.
“I don’t know, with our current regime, if we are going to get a strong foothold on stopping cybercrime,” Iain Kenny, head of Canadian accounting firm MNP’s Anti-Money Laundering Compliance and Forensic Technologies Services Practice, told Thomson Reuters. “Without better cooperation [between financial institutions and government], it’s an uphill battle.”
A recent study by Websense Security Labs showed a sharp increase in Canadian cybercrime activity in 2012 and 2013. The company’s 2013 Cybercrime Report Card for Canada concluded that foreign companies and governments were increasingly setting up virtual bases in Canada to drive corporate espionage attacks. “Previous reports uncovered a new wave of cybercrime in Canada; this year’s report suggests that not only have Canadian cybercrime figures increased since last year, [but] new, more insidious elements have also come to light,” the report said.
Canadian financial institutions, which face more regulatory scrutiny over their cyberdefenses, want an intelligence-sharing relationship with the government, said John Manley, Canada’s former finance minister and current president of the Canadian Council of Chief Executives. And the government is looking for the same thing. “What [the government] has is intelligence and access to best-in-the-world technologies,” Manley told Thomson Reuters. “And what the private sector has is experience of what attempts are being made to penetrate their cyber defenses.”
Manley said he was confident that within a year the government-banking relationship would have evolved to the point where such information was being regularly collected. “They could require it [through legislation], but they would rather get it voluntarily,” Manley said. It was unlikely such reports would be made public, he said.
Financial institutions, Manley said, were concerned about the damage to their reputations from the release of sensitive intrusion statistics. He stressed that no bank would want to have to reveal a material failure. “If somebody is attacked and a significant number of depositors’ money was stolen, then who wants to disclose that? It’s going to make it appear that that institution is more vulnerable than the rest,” he said.
If the government could assure institutions that they would not be singled out, then banks would not object to sharing aggregate cyber threat information, Manley said.
Manley called for the establishment of an information-sharing “safe zone,” predicated on the understanding that cybercrime was a common threat to all institutions. “So the ability to have a safe zone in which to share information and access the intelligence and global information that the government is privy to would be the ideal outcome,” he said.
A mandated disclosure system also risks obsolescence, Kenny said. “The biggest problem with any regulatory or criminal law on cyber security is that they will always be behind the technology. If you over-legislate, it becomes too much of a burden for the participants, and it becomes ineffective. Legislation is overly rigid and prescriptive.”
Kenny added that the federal government did not want to start mandating specific cybersecurity measures for financial institutions. “That is not how you foster economic growth,” he said. “If the federal government would put any kind of legislation in place, it should be related to the sharing of intelligence between dissimilar industries. The different sectors are not talking to each other, because they are scared about privacy.”
Public Safety Canada, which is responsible for implementing the federal government’s 2010-2015 Action Plan for Canada’s Cyber Security Strategy, acknowledged the importance of information-sharing. “The protection of Canada’s cyber security is a shared responsibility,” the agency told Thomson Reuters in an e-mailed statement. “Successful implementation of Canada’s Cyber Security Strategy depends on partnerships and information-sharing with other governments and industry to ensure the resilience of cyber systems vital to Canadian security and economic prosperity.”
The statement added that Public Safety Canada was working closely with the financial sector, including by developing and implementing a strategy to engage chief executives on cybersecurity. It declined to elaborate.
Existing co-operation framework inadequate
Public-private sector co-operation on cyber security has been attempted on many levels in Canada, but it has never gotten past the drawing board, several experts said.
The federal government’s Cyber Security Strategy is partially focused on partnering with critical infrastructure owners and operators, including those from the financial sector, to secure vital cyber systems outside the federal government. The goal is to establish critical infrastructure sector networks for the purpose of sharing information, including best practices and threat data.
Limited progress has been achieved, however, because the sector networks are currently at differing stages of maturity and interoperability, according to a Fall 2012 Auditor General’s Report. “Since sector networks are only now starting to develop and are incomplete in coverage, one of the principal mechanisms for implementing the Cyber Security Strategy has been missing,” the Auditor General concluded.
The report also found deficiencies in the Canadian Cyber Incident Response Centre (CCIRC), which was established in 2005 by Public Safety Canada to be the country’s focal point for cyber threat monitoring and risk-mitigation advice. The CCIRC was conceived as an information hub for collecting relevant information from federal departments, provincial governments, the private sector, and foreign allies. It is supposed to analyse that information and distribute the results to stakeholders, so that they can better protect and defend their critical infrastructure.
“This includes working directly with financial sector organizations to help address cyber incidents,” Public Safety Canada said.
The center’s mandate requires it to operate 24 hours per day, seven days per week. Currently, however, the CCIRC operates 15 hours per day. “As CCIRC is not operating around the clock, there is a risk that there will be a delay in the sharing of critical information linked to newly discovered vulnerabilities or active cyber events reported to CCIRC after operating hours,” the Auditor General found.
Additionally, the report observed considerable confusion among participants regarding the methodology for reporting cyber crime information. “Some private sector critical infrastructure owners and operators that we interviewed told us they were not sure whether cyber events should be reported to the government of Canada and, if so, to which agency,” the report said. “In some cases, these owners and operators speak directly with other federal agencies as part of their sector network. Others have said they were not aware of the existence of CCIRC or of the opportunity to share cyber threat information.”
Thomson Reuters found an inconsistent level of knowledge regarding the CCIRC among financial industry stakeholders in Canada. Many of those interviewed voiced calls for just such a mechanism to be dedicated specifically to the financial services industry, apparently unaware that one already existed in the form of the CCIRC.
Well-defended but still vulnerable
Canada’s largest banks are just as likely to be targeted as any of their international counterparts, Kim R. Manchester, a financial intelligence consultant, told Thomson Reuters. “Canadian financial institutions are not poor,” he said. “They contain a lot of assets and opportunities, and if you do circumvent their defences, then you’ll get access to a pot of gold through cybercrime, social engineering, fraud, theft, and internal theft.”
Manchester emphasized that any large financial company that was connected to its clients over the Internet was currently under threat of cybercrime – and had been for decades.
In the face of strong defenses deployed by Canadian financial firms, attempts to steal depositors’ money through direct hacking attacks are considered less of a threat than malicious attacks on financial infrastructure or fraud committed through the manipulation of clients. “The electronic loss of funds is the least of [banks'] worries,” Kenny said. “Canadian banks are more worried about the protection of private client data, as well as the reputational impact of cybercrime events,” he said. “What really affects the financial sector is denial-of-service type attacks, where [hackers are] taking systems offline.”
Similar risks to merchant infrastructure, like the Interac debit payment system, were equally serious, he said. “There would be severe implications if those systems were to be taken offline,” he said. Kenny stressed, however, that “most of those networks are fairly secure and redundant; they have enough protection in them that it would be difficult to take down the entire network.”
In terms of fraud through client manipulation, the Canadian Bankers’ Association (CBA) told Thomson Reuters that criminals were aware that Canadian banks possessed robust security systems, which has led to an increase in attempts to obtain confidential information directly from customers. “So the most common type of cybercrime we see is aimed at individuals and their computers, rather than at the banks and their systems,” the CBA said. “Phishing is a common example and involves criminals sending e-mail messages falsely claiming to be from a bank and tricking them into revealing personal information, such as on-line banking login information.”
Cyber threats directed at the banks themselves, such as denial-of-service attacks, are less common, it said.
According to the CBA, banks lost less than $12 million to online banking fraud in 2012, compared to about $500 million in losses from credit and debit card fraud.
Among the trends in cybercrime cited by the Websense report was a 25 per cent increase in the number of Canadian websites hosting malicious software and an 83 per cent increase in Canadian “bot networks,” collections of infected machines that hackers control by issuing instructions to the malicious software through command-and-control servers.
At the same time, Websense observed a 67 per cent decrease in the number of Canadian servers hosting generalized phishing sites. Despite the decrease, however, the report stressed that in the first quarter of 2013, Canada ranked fourth on the global cybercrime list for hosted phishing sites. Websense suggested that the decrease could represent a tactical shift by hackers to individually targeted forms of customer manipulation, such as those described by the CBA.
Existing cyberdefense regulations
The Office of the Superintendent of Financial Institutions (OSFI), Canada’s banking and insurance regulator, expects financial institutions to have plans, processes and technologies in place to manage computer security risks. The regulator applies its supervisory framework and uses a variety of information sources, and in some cases on-site reviews, to supervise an institution’s risk management processes and procedures. “In general, the level of effort we expect from institutions in dealing with cyber security should be consistent with the level of cyber risk they face,” the OSFI told Thomson Reuters in an e-mailed statement.
“OSFI has significantly increased its supervisory resources in its Operational Risk Division and has launched a number of initiatives, which include conducting in-depth reviews of institutions’ current cyber security practices.”
When asked about the specific nature of cyber threats facing Canadian institutions, the OSFI declined to share its supervisory findings. The regulator noted, however, that a variety of sources pointed to increasing attack volume and sophistication. “The recent distributed denial of service attacks that have primarily targeted U.S. institutions show that the nature of these attacks is evolving quickly and increasing in sophistication,” it said. “If left unchecked, cyber-attacks could impact an institution’s operations and public confidence in that institution.”
Manley, who also sits on the board of directors of the Canadian Imperial Bank of Commerce (CIBC), one of Canada’s largest banks, observed that the OSFI has been making cybercrime more of an issue and raising questions with bank boards to make sure that financial institutions were taking the necessary steps to mitigate cyber risks.
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)