Ottawa is urging Canadian organizations to take the threat of ransomware more seriously, both through pleas for action and the release of free anti-ransomware resources.
In a letter released this morning, the ministers of Defence, Public Safety, Emergency preparedness and International Trade, Export Promotion, Small Business, and Economic Development said that by adopting basic but appropriate cyber security practices, the vast majority of cyber incidents targeting Canadians can be stopped.
“Our national cyber security must involve efforts from industry partners, small and medium sized businesses, and all Canadians,” the letter says in part. “Our message is clear: taking basic steps to ensure your organization’s cyber security will pay swift dividends.”
The most important resource released — particularly for IT leaders in small and medium-sized businesses and local governments — is a 30-page Ransomware Playbook from the Canadian Centre for Cyber Security, which contains advice on how to defend against ransomware and how to recover from an attack.
There is also a Ransomware Threat Bulletin with a broad look at ransomware. It notes that the Cyber Centre — which is the federal government’s centre of expertise on cyber threats — knows about 235 ransomware incidents against Canadian victims this year, up to November 16. The report adds that most ransomware events remain unreported so the number could be higher. Organizations can report cyber incidents here.
(UPDATE: According to a source the recent cyber attack on Newfoundland’s healthcare system was ransomware launched by the Conti gang)
More than half of the ransomware victims were critical infrastructure providers, which includes governments and the financial, healthcare, telecom, transportation and utility sectors.
Once targeted, ransomware victims are often attacked multiple times, the bulletin adds.
The letter from the ministers also notes the Cyber Centre has a free guide to baseline cybersecurity controls for SMBs that are effective for reducing the risk of all kinds of cyber attacks.
It also encourages businesses to apply for certification with the CyberSecure Canada program, which shows the public their firm has protective measures in place.
No government official was available for an interview with reporters, who were given advanced notice of the documents’ release.
The moves by Ottawa come months after the U.S. raised its voice against the spread of ransomware. On September 21 the Treasury Department announced a set of actions to disrupt criminal networks and the virtual currency exchanges responsible for laundering ransoms, and encouraged improved cyber security across the private sector. In October the Biden administration hosted a two-day meeting on the ransomware issue with more than 30 countries, including Canada.
Meanwhile Australia proposed cracking down on ransomware, including creating new offences for cyber extortion and targeting critical infrastructure. The government also says it will make it a criminal offence to deal in stolen data and to buy or sell malware for computer crimes. See here for Australia’s action plan.
The campaign didn’t impress Brett Callow, British Columbia-based threat analyst for Emisisoft and a ransomware expert. “While the release of the Playbook is certainly not a bad thing, it’s unlikely to make a significant impact,” he said in an email. “There’s absolutely no new advice here – it’s very much Cybersecurity 101 – and it seems unlikely that consolidating that advice into a Playbook will result in organizations becoming more secure.
“Ransomware has become such a big problem because it’s very high reward and very low risk. Threat actors make millions while having a near-zero of ever being prosecuted for their crimes. To really tackle the problem requires action on multiple fronts – including offensive action to disrupt threat actors and diplomatic pressure on the countries which harbour them – in order to alter the risk-reward ratio. We can’t, unfortunately, fix the problem simply by telling Canadian organizations to patch and use MFA. It’s not that simple. We need to impose costs on ransomware operators.”
Robert Wong, former CIO of Ontario Hydro who is now heading an advisory panel looking into the cybersecurity strategies of Ontario’s broader public sector, said in an email that
anything governments can do to help Canadian organizations manage cyber security risks and, more specifically, combat ransomware attacks is a positive. “Unfortunately, he added, “for most organizations (and small and medium businesses in particular), there is not a sufficient appreciation of the importance of using and managing business technologies securely until it’s too late. So education and awareness campaigns are important.
“Creating and releasing a Ransomware Playbook is helpful, only to the extent that these organizations have the capabilities to implement the necessary steps to become less susceptible to these threats. Most small and medium businesses lack basic in-house technology competencies, not to mention cyber security skills. Finding and being able to afford third-party expertise are significant challenges for them. Those who are able to implement stronger protections against ransomware attacks will become less vulnerable compared to their peers. But taking a purely defensive approach will only prevent a security breach for so long. I agree with those who believe that governments need to take a much more aggressive stance against the bad actors and devote greater resources to identifying, tracking, and prosecuting them … as well as those who shelter or enable them.”
“The work of the government should be to communicate more proactively and more regularly on cyber security. Many small business owners are not IT experts,” he said, noting most member firms have around 10 employees. “They run their business and they are the chief operating officer of every department. One role of the government related to cyber security is to communicate more proactively to businesses and business associations best practices to be implemented or current trends in cyber attacks.”
Asked if Ottawa should have made more noise with this announcement by including provincial and territorial governments, webinars or local meetings, Guenette said, “Yes.
“We are worried when we see a news release like this. Will it actually go in the hands of the small business owner? It’s unclear to me if what was done today will actually reach the intended public.”
(This story has been updated from the original with the addition of comments from Brett Callow, Robert Wong and Jasmin Guenette)
More to come