Cybersecurity in Canada: Finance industry, government seek ways to share data

By Guest Contributor
July 18, 2013

By Daniel Seleanu, Compliance Complete

TORONTO/NEW YORK, July 18 (Thomson Reuters Accelus) - More cooperation with government intelligence agencies would improve the Canadian financial industry’s cyber security capabilities, regulatory and industry experts told Thomson Reuters. Financial institutions have deployed defences, but face considerable threat from cyber-criminals intent on committing fraud, stealing sensitive information, and disrupting their networks.

To mitigate those risks, security and financial experts have called for an enhanced information-sharing system that would allow firms to provide detailed cyber-attack statistics to the government in exchange for intelligence on emergent threats and mitigation strategies. To date, attempts to establish such a system have had little result. 

“I don’t know, with our current regime, if we are going to get a strong foothold on stopping cybercrime,” Iain Kenny, head of Canadian accounting firm MNP’s Anti-Money Laundering Compliance and Forensic Technologies Services Practice, told Thomson Reuters. “Without better cooperation [between financial institutions and government], it’s an uphill battle.”

A recent study by Websense Security Labs showed a sharp increase in Canadian cybercrime activity in 2012 and 2013. The company’s 2013 Cybercrime Report Card for Canada concluded that foreign companies and governments were increasingly setting up virtual bases in Canada to drive corporate espionage attacks. “Previous reports uncovered a new wave of cybercrime in Canada; this year’s report suggests that not only have Canadian cybercrime figures increased since last year, [but] new, more insidious elements have also come to light,” the report said.

Canadian financial institutions, which face more regulatory scrutiny over their cyberdefenses, want an intelligence-sharing relationship with the government, said John Manley, Canada’s former finance minister and current president of the Canadian Council of Chief Executives. And the government is looking for the same thing. “What [the government] has is intelligence and access to best-in-the-world technologies,” Manley told Thomson Reuters. “And what the private sector has is experience of what attempts are being made to penetrate their cyber defenses.”

Manley said he was confident that within a year, the government-banking relationship would have evolved to the point where such information was being regularly collected. “They could require it [through legislation], but they would rather get it voluntarily,” Manley said. It was unlikely such reports would be made public, he said.

Financial institutions, Manley said, were concerned about the damage to their reputations from the release of sensitive intrusion statistics. He stressed that no bank would want to have to reveal a material failure. “If somebody is attacked and a significant number of depositors’ money was stolen, then who wants to disclose that? It’s going to make it appear that that institution is more vulnerable than the rest,” he said.

If the government could assure institutions that they would not be singled out, then banks would not object to sharing aggregate cyber threat information, Manley said.

Manley called for the establishment of an information-sharing “safe zone,” predicated on the understanding that cybercrime was a common threat to all institutions. “So the ability to have a safe zone in which to share information and access the intelligence and global information that the government is privy to would be the ideal outcome,” he said.

A mandated disclosure system also risks obsolescence, Kenny said. “The biggest problem with any regulatory or criminal law on cyber security is that they will always be behind the technology. If you over-legislate, it becomes too much of a burden for the participants, and it becomes ineffective. Legislation is overly rigid and prescriptive.”

Kenny added that the federal government did not want to start mandating specific cybersecurity measures for financial institutions. “That is not how you foster economic growth,” he said. “If the federal government would put any kind of legislation in place, it should be related to the sharing of intelligence between dissimilar industries. The different sectors are not talking to each other, because they are scared about privacy.”

Public Safety Canada, which is responsible for implementing the federal government’s 2010-2015 Action Plan for Canada’s Cyber Security Strategy, acknowledged the importance of information-sharing. “The protection of Canada’s cyber security is a shared responsibility,” the agency told Thomson Reuters in an e-mailed statement. “Successful implementation of Canada’s Cyber Security Strategy depends on partnerships and information-sharing with other governments and industry to ensure the resilience of cyber systems vital to Canadian security and economic prosperity.”

The statement added that Public Safety Canada was working closely with the financial sector, including by developing and implementing a strategy to engage chief executives on cybersecurity. It declined to elaborate.

Existing co-operation framework inadequate

Public-private sector co-operation on cyber security has been attempted on many levels in Canada, but it has never gotten past the drawing board, several experts said.

The federal government’s Cyber Security Strategy (PDF) is partially focused on partnering with critical infrastructure owners and operators, including those from the financial sector, to secure vital cyber systems outside the federal government. The goal is to establish critical infrastructure sector networks for the purpose of sharing information, including best practices and threat data.

Limited progress has been achieved, however, because the sector networks are currently at differing stages of maturity and interoperability, according to a Fall 2012 Auditor General’s Report. “Since sector networks are only now starting to develop and are incomplete in coverage, one of the principal mechanisms for implementing the Cyber Security Strategy has been missing,” the Auditor General concluded.

The report also found deficiencies in the Canadian Cyber Incident Response Centre (CCIRC), which was established in 2005 by Public Safety Canada to be the country’s focal point for cyber threat monitoring and risk mitigating advice. The CCIRC was conceived as an information hub for collecting relevant information from federal departments, provincial governments, the private sector, and foreign allies. It is supposed to analyse that information and distribute the results to stakeholders, so that they can better protect and defend their critical infrastructure.

“This includes working directly with financial sector organizations to help address cyber incidents,” Public Safety Canada said.

The centre’s mandate requires it to operate 24 hours per day, seven days per week. Currently, however, the CCIRC operates 15 hours per day. “As CCIRC is not operating around the clock, there is a risk that there will be a delay in the sharing of critical information linked to newly discovered vulnerabilities or active cyber events reported to CCIRC after operating hours,” the Auditor General found.

Additionally, the report observed considerable confusion among participants regarding the methodology for reporting cyber crime information. “Some private sector critical infrastructure owners and operators that we interviewed told us they were not sure whether cyber events should be reported to the government of Canada and, if so, to which agency,” the report said. “In some cases, these owners and operators speak directly with other federal agencies as part of their sector network. Others have said they were not aware of the existence of CCIRC or of the opportunity to share cyber threat information.”

Thomson Reuters found an inconsistent level of knowledge regarding the CCIRC among financial industry stakeholders in Canada. Many of those interviewed voiced calls for just such a mechanism to be dedicated specifically to the financial services industry, apparently unaware that one already existed in the form of the CCIRC.

Well-defended but still vulnerable

Canada’s largest banks are just as likely to be targeted as any of their international counterparts, Kim R. Manchester, a financial intelligence consultant, told Thomson Reuters. “Canadian financial institutions are not poor,” he said. “They contain a lot of assets and opportunities, and if you do circumvent their defences, then you’ll get access to a pot of gold through cybercrime, social engineering, fraud, theft, and internal theft.”

Manchester emphasized that any large financial company that was connected to its clients over the Internet was currently under threat of cybercrime – and had been for decades.

In the face of strong defenses deployed by Canadian financial firms, attempts to steal depositors’ money through direct hacking attacks are considered less of a threat than malicious attacks on financial infrastructure or fraud committed through the manipulation of clients. “The electronic loss of funds is the least of [banks'] worries,” Kenny said. “Canadian banks are more worried about the protection of private client data, as well as the reputational impact of cybercrime events,” he said. “What really affects the financial sector is denial-of-service type attacks, where [hackers are] taking systems offline.”

Similar risks to merchant infrastructure, like the Interac debit payment system, were equally serious, he said. “There would be severe implications if those systems were to be taken offline”, he said. Kenny stressed, however, that “most of those networks are fairly secure and redundant; they have enough protection in them that it would be difficult to take down the entire network”.

In terms of fraud through client manipulation, the Canadian Bankers’ Association (CBA) told Thomson Reuters that criminals were aware that Canadian banks possessed robust security systems, which has led to an increase in attempts to obtain confidential information directly from customers. “So the most common type of cybercrime we see is aimed at individuals and their computers, rather than at the banks and their systems,” the CBA said. “Phishing is a common example and involves criminals sending e-mail messages falsely claiming to be from a bank and tricking them into revealing personal information, such as on-line banking login information.”

Cyber threats directed at the banks themselves, such as denial-of-service attacks, are less common, it said.

According to the CBA, banks lost less than $12 million to online banking fraud in 2012, compared to about $500 million in losses from credit and debit card fraud.

Among the trends in cybercrime cited by the Websense report was a 25 per cent increase in the number of Canadian websites hosting malicious software and an 83 per cent increase in Canadian “bot networks,” which hackers use to provide instructions to malicious software through command-and-control servers.

At the same time, Websense observed a 67 per cent decrease in the number of Canadian servers hosting generalized phishing sites. Despite the decrease, however, the report stressed that in the first quarter of 2013, Canada ranked fourth on the global cybercrime list for hosted phishing sites. Websense suggested that the decrease could represent a tactical shift by hackers to individually targeted forms of customer manipulation, such as those described by the CBA.

Existing cyberdefense regulations

The Office of the Superintendent of Financial Institutions (OSFI), Canada’s banking and insurance regulator, expects financial institutions to have plans, processes and technologies in place to manage computer security risks. The regulator applies its supervisory framework (PDF) and uses a variety of information sources, and in some cases on-site reviews, to supervise an institution’s risk management processes and procedures. “In general, the level of effort we expect from institutions in dealing with cyber security should be consistent with the level of cyber risk they face,” the OSFI told Thomson Reuters in an e-mailed statement.

“OSFI has significantly increased its supervisory resources in its Operational Risk Division and has launched a number of initiatives, which include conducting in-depth reviews of institutions’ current cyber security practices.”

When asked about the specific nature of cyber threats facing Canadian institutions, the OSFI declined to share its supervisory findings. The regulator noted, however, that a variety of sources pointed to increasing attack volume and sophistication. “The recent distributed denial of service attacks that have primarily targeted U.S. institutions show that the nature of these attacks is evolving quickly and increasing in sophistication,” it said. “If left unchecked, cyber-attacks could impact an institution’s operations and public confidence in that institution.”

Manley, who also sits on the board of directors of the Canadian Imperial Bank of Commerce (CIBC), one of Canada’s largest banks, observed that the OSFI has been making cybercrime more of an issue and raising questions with bank boards to make sure that financial institutions were taking the necessary steps to mitigate cyber risks.

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)
