Update to National Cyber Security Plan needed to combat ransomware attacks: CIRA

The not-for-profit organization that manages Canada’s .CA domains says the government needs to step in and revamp its National Cyber Security Plan if Canadians intend to combat an increase of hacking and ransomware attacks. Monday, the Canadian Internet Registration Authority (CIRA) released its annual Cybersecurity Survey which found that 36 per cent of organizations surveyed faced more cyber attacks during the COVID-19 pandemic as more professionals migrated to working remotely. That represents an increase of seven per cent from last year’s report. “It feels like the pandemic forced 10 years of cybersecurity adoption to happen in about 10 weeks. The pivot to work-from-home and employees using their own devices really increased the number of security threats facing organizations, and the bad guys did everything they could to take advantage of the situation,” CIRA general manager for cybersecurity and DNS services Mark Gaudet said in CIRA’s press release. Public affairs manager for CIRA, Josh Tabish said the first thing the government needs to do is update its five year National Cyber Security Plan -- which he pointed out does not mention the word ransomware -- if it wants to tackle the issue. “That's really troubling, given how big of an issue ransomware has become... we've seen a number of high profile attacks in the US and in Canada, for example the Colonial Pipeline is probably the biggest one,” he told the Wire Report in a phone interview. In Canada, in June, it was reported that Humber River Hospital, North York, Ont., experienced a ransomware attack, halting the work at some of its clinics. In August, an RCMP detachment in Sault Ste. Marie, Ont., was also hacked, rendering its email services unavailable. “We saw the Biden administration step up with an executive order to improve the cybersecurity of federal government networks. We haven't seen that kind of response to ransomware in Canada,” Tabish said. “We went through our federal election recently and they said very little about cybersecurity, very little in the way of concrete details.” Tabish said the government should start looking into an RCMP-funded program to assist and decrypt ransomware attacks, or create dedicated capabilities within the RCMP, or even within the CRTC enforcement branch, to pursue ransomware attackers aggressively. “I think that funding for that kind of investigation is probably limited at this point so increasing that would help.” According to the survey, 95 per cent of respondents put cybersecurity protections in place during the pandemic which they intend to keep permanent. One in five respondents experienced a ransomware attack in the last 12 months, of which 69 per cent opted to pay the hackers. The survey was conducted through July and August, online, by market research firm The Strategic Counsel. It surveyed 510 cybersecurity decision-makers (employees or owners) in the private and public sector. Only three out of 10 organizations have specific cybersecurity policies according to the report. Less than half of respondents, 43 per cent, conduct mandatory cybersecurity-awareness training for all its employees and 93 per cent conduct awareness training for certain employees. “The few organizations that don’t conduct training tend to cite insufficient resources as the main reason or never considering it as a solution,” according to the report. Tabish added that the government can also look into passing legislation that sets clear priorities and provides dedicated funding to help modernize and protect all federal government networks along with providing funding and tax incentives for smaller organizations to develop their own cybersecurity protections. The Ministry of Public Safety, which released the National Cyber Security Plan in 2019, could not respond to questions about the plan by publication time. Tabish did note that the Canada Digital Adoption Program dedicated $1.4 billion to aid small businesses adopt new technologies but it remains unclear whether cybersecurity technologies would count as eligible expenses in the program. Six out of 10 organizations have cybersecurity insurance coverage as part of their business insurance, according to CIRA’s survey. Although insurance is becoming an increasingly popular option to help businesses with the costs of cybersecurity threats, “most organizations with cybersecurity coverage say their provider has increased premiums or requested new forms of proof of the corporate cybersecurity measures in place,” according to the findings. Two-thirds of the organizations surveyed said they would support legislation that makes it illegal to pay off ransom attacks. Tabish said that has been an idea floated around in the United States but given the fact it can put people at risk if hospitals and police detachments are attacked, it may not necessarily be the best policy. “I think what that stat really says is that IT professionals are looking for help from the government. That they feel there's a role for government to play in helping promote trust online and reduce cyberattacks. And so, regardless of the specific idea on offer, the first thing we need to do is come together and have a conversation as a country about what we can do and have the debate about these ideas,” he said. In May CIRA found that Canadians show strong support for new laws to protect privacy and prevent cyberattacks following a survey it commissioned for its “Canadians Deserve a Better Internet” report. “We really need to host a consultation about what can be done to curb this ransomware problem and everybody needs to play from the government to the private sector to law enforcement,” Tabish said. -- Reporting by Jenna Cocullo at jcocullo@thewirereport.ca and editing by Michael Lee-Murphy at mleemurphy@thewirereport.ca.

Update to National Cyber Security Plan needed to combat ransomware attacks: CIRA

News | 10/04/2021 5:49 pm EDT

To keep reading, get a free trial.

Already a Subscriber?

Related Stories

Cybersecurity is national security, panelists tell IIC

News | 05/16/2023 11:54 am EDT

Regulating TSPs, not suppliers, in cybersecurity bill will be ineffective: Telus exec

News | 11/22/2022 3:55 pm EST

Feds give $675k for UWaterloo cybersecurity project

Briefs | 08/16/2022 5:03 pm EDT

Reuse & Permissions

Inside The Wire Report

Information

Hill Times Publishing

Get in Touch With Us