The Daily Swig Web security digest

Cybersecurity in Canada: The best offense is a good defense

Dave Lewis | 05 February 2018 at 15:24

Canadian cybersecurity specialist Dave Lewis takes a closer look at the country’s ongoing efforts to strengthen its defenses ahead of the 2019 federal elections.

Canada is the place that I’m proud to call home. (“Leaping from tree to tree! As they float down the mighty rivers of British Columbia! With my best girl by my side!” Okay, not quite like that, and with all due respect to Monty Python.) I’ve spent most of my life in this country and have managed to build a career in information security as a result.

To be certain, Canada is not without its share of difficulties as it pertains to security. In the Akamai State of the Internet report that is released each quarter, we saw Canada either in 10th place or just bubbling under consistently as a source of web attacks.

The Canadian government itself is no stranger to attacks. This was historically something that was not discussed for the most part.

Then, in 2014, the Conservative government made a public statement that implicated the Chinese government in a compromise of systems at the National Research Council (NRC). This was a departure from the previous position of basically saying nothing.

In 2017, the current Liberal government published a report on cybersecurity. Contained in the report was an admission that the government was routinely targeted and compromised.

CBC News summarized the findings:


The Canadian government’s computer networks have been hit by state-sponsored cyberattacks about 50 times a week – and at least one of them usually succeeded.

That acknowledgment from the Communications Security Establishment (CSE), the secretive agency charged with preventing such attacks, is a rare glimpse into the scale and frequency of attempts by foreign powers to penetrate federal government systems.


In January 2018, news came out pertaining to proposed legislation that would allow for the government to essentially hack back against targets that initiate an attack.

This raises a veritable storm of possible missteps:


C-59, which the government introduced last year, is a massive bill that will overhaul how Canadian national security agencies operate, as well as who is responsible for making sure they do not break the law.

Among the proposals in the legislation is a section that allows the Communications Security Establishment, which collects communications abroad, but cannot target Canadians, to conduct offensive cyber-attacks against enemies who target Canadian interests.


I find it deeply concerning that the government would be more concerned with offensive response then shoring up their defenses first. This becomes very important when you frame it with the federal election that is on the horizon in 2019.

We have seen the specter of interference from foreign entities in Mexico, France, and the US as a few poignant examples from recent memory.

What is more curious is this statement from the Canadian Communications Security Establishment (CSE):


The Communications Security Establishment agency said it had not detected any nation-state attempts to interfere in prior Canadian elections, but saw risk from hacktivists.

CSE said Canada’s 2015 federal election, which brought Prime Minister Justin Trudeau’s Liberals to power, was targeted by “low-sophistication cyber threat activity” that did not affect the outcome of the election…


With the approaching elections in 2019, I would hazard the safe money will be on this statement being walked back.

Criminals online are not constrained by geopolitical borders, and this should not be forgotten when considering shoring up defenses both now and in the future.

There have been great moves afoot such as the Shared Service Canada program, where the government is working to bring all of the federal agencies under a single umbrella for IT services.

Hopefully this will be well funded in the future and not just act as a bit bucket to maintain antiquated systems.

Canada is a wonderful place, and I’d very much like it to stay that way. Hopefully, cybersecurity will become more of a burning issue before we read about it on the front page.