National Post (National Edition)

With ransomware on rise, 2023 could be worst yet

Health care systems at particular risk

- RYAN TUMILTY National Post rtumilty@postmedia.com Twitter.com/RyanTumilty

OTTAWA • Cyber attacks on Canada's largest children's hospital and the LCBO could be just the opening act for a growing number of more sophisticated incidents in the year ahead, according to experts.

Toronto's Hospital for Sick Children was hit with a ransomware attack in late December that delayed lab results and shut down phone systems. The LCBO, Ontario's provincial liquor agency, was hit with “malicious code” that the agency warned could have been used to steal customer data.

David Shipley, with the cybersecurity firm Beauceron Security, said a lot of payments in the cyber crime world were facilitated through Bitcoin and other cryptocurrencies, which experienced big losses last year.

“They have made hundreds of millions, if not billions of dollars, on the back of ransoms, primarily facilitated through Bitcoin,” he said. “They've lost a lot of their wealth and they're gonna have to go back and really work it and that, I think, is going to prompt new ingenuitive attacks.”

Shipley also warned that with sanctions mounting against Russia, cyber crime can be one of the significant ways to bring in money. He said a recent FBI raid on Hive, a ransomware group, could slow down the amount of activity, but the barrier to entry for cyber crime is incredibly low and new groups will come into the market.

Sami Khoury, head of the Canadian Centre for Cyber Security, said they have definitely seen an increase in ransomware attacks, which are also growing more sophisticated.

“We've seen a growth and sophistication of some of these ransomware events. We're seeing, also, capabilities that used to be in the nation state category now move into the cyber criminal organization,” he said. “The ransomware, phishing emails of five years ago are not the same as the ransomware emails of today.”

The cyber centre releases an annual report detailing threats and rated ransomware as the threat most likely to hit Canadians. They found that since March 2020, more than 400 health care organizations in the U.S. and Canada had been hit by a ransomware attack. They also identified state actors China, Russia, Iran, and North Korea as significant drivers.

Khoury said he is confident the federal government is adequately secured from cyber attacks, but the tactics are always evolving, forcing the government to adapt.

“There are attempts at penetrating the government to deploy ransomware. But fortunately, we catch them at as many stages of their development because of all of the sensor technology that we have deployed,” he said.

Shirley Ivan, chief information security officer for the Treasury Board, which oversees the government's technology upgrades, says the federal government has never paid ransomware. She said they have good procedures in place to change passwords and back up systems when they are threatened.

“In general, our policy is not to pay for ransomware. So, again, never say never, but as far as we know, there hasn't been any payment.”

Many of the government's IT systems are decades old, including the system for large programs like Employment Insurance. The EI program runs on COBOL, a programming language not widely in use today.

Ivan acknowledges the programs are older, but says updates are underway while ensuring the system remains stable until they're complete.

Shipley acknowledges the government and the cyber centre do good work keeping government systems operating and secure, but he said they're like a medieval castle, with the rest of the country outside the walls.

“I can't paint that picture any clearer. We aren't inside the walls and the reality is the economy depends on us delivering the goods inside the castle,” he said.

He said he is particularly worried about health care, where there isn't enough incentive to invest in upgrading technology.

“The IT systems are old, and they'd been underinvested in because no one wins an election saying we bought new servers for the hospital.”

The Communications Security Establishment, which houses the cyber centre, can engage in offensive actions against cyber criminals, taking down foreign computer networks or servers to prevent those actions. The agency has identified four occasions in which it used those powers, including once against a group of cyber criminals, but it was vague on the details of those operations. Shipley said the government should be prepared to use them more often.

“Our Communications Security Establishment has some amazing capabilities and it's time to build out an offensive cyber capacity,” he said.

PETER J THOMPSON / NATIONAL POST: Toronto's Hospital for Sick Children was hit with a ransomware attack in December that delayed lab results and shut down phone systems. Experts say more attacks are expected on various agencies, governments and individuals.
