Attacks could affect everything from gas to food purchases

One of Canada’s most senior intelligence experts warns foreign cyber espionage could undermine everything from our ability to buy food and gas to national prosperity unless government and corporations wake up to the enormity of the threat.

“Cyber is the threat of the ages and it’s something we’re just not getting our minds around,” Ray Boisvert, former assistant director of intelligence for the Canadian Security Intelligence Service, said in a hard-hitting speech Friday at a security intelligence symposium in Ottawa.

“It’s extremely significant and it’s having a big impact on both public and private sector interests. It is fundamentally undermining our future prosperity as a nation.”

He cited the unprecedented and crippling 2011 cyber attack on Treasury Board and Finance Department computers targeting highly-sensitive information on Saskatchewan’s potash industry, as well as allegations that Chinese hackers stole into Nortel Networks Inc.’s corporate computer network for at least a decade, perhaps contributing to its demise.

Equally menacing, Boisvert said, is the “extreme vulnerability” of the nation’s network-reliant critical infrastructure, comprised of 10 indispensable, interconnected sectors, from food and water to public utilities, aviation, public health, banking and telecommunications.

“It’s all about how we get cash out of the machine, how we get gas out of the gas pump, it’s food on the shelves, and one significant cyber attack on a critical infrastructure node will bring calamity upon us,” he said.

“We’ll see, as we’re freezing in February wondering why the furnace won’t turn on or why the gas pumps aren’t working, that these are parts of the cyber threat that are real and potentially devastating.”

Yet warnings are being ignored, security investments are being postponed and resources to fight the problem are being deployed elsewhere, such as counter-terrorism, he said.

Comparing the issue to the debate over climate change, he said “pretending that it’s some sort of inconvenient truth and that it’s not something you particularly want to think about is certainly not the way to move forward.

“There’s some wilful blindness on behalf of individuals,” Boisvert told the gathering of the Canadian Association of Security and Intelligence Studies. “Not acting leaves us vulnerable to a complete loss of our economic and commercial advantages, not to mention our sovereignty. Wishing it away is not an option.”

Part of the resistance comes from the current generation of government and corporate decision makers who are not cyber savvy and have difficulty grasping the technical complexities, the depth of the threat and how to counter something that has no clearly identified bad guys and often no smoking guns.

As well, “government is reluctant to talk about it because it costs a lot to counter effectively.”

Boisvert’s comments follow the recent fall report of federal Auditor General Michael Ferguson, who found federal departments and agencies are slow or loathe to share information to help each other fight cyber-threats, while businesses don’t know they should report hacks to the government, or don’t trust the government to protect sensitive information about security breaches.

Boisvert, who retired from CSIS this year to head I-Sec Integrated Strategies, later told reporters while blame often falls on China, many other nations — “even good friends” — are engaged in online spying against Canada for strategies, financial data, intellectual property, defence and diplomatic information and other valuable secrets.

He said solutions to the issue “are not all that difficult” and include stronger links between government and business, new laws and, perhaps, even military action.

Currently, for example, CSIS is mandated to collect, analyze and advise only government on potential threats to the nation. Yet private industry owns and operates about 85 per cent of the country’s critical infrastructure.

Boisvert said an effective cyber defence will require bi-lateral and multilateral diplomatic accords and, when all else fails, “we’re going to have to ensure that our military or others are in a position to strike back at some of the more serious threat actors.

“But ultimately it’s going to come down to spending disproportionate amounts of money investing in protecting critical infrastructure and cyber as a whole.”

In his audit, Ferguson also documented how departments lost track of how $980 million was spent on cyber-security over the past decade and a lack of benchmarks to determine whether the spending is having its intended effect.

Also missing was a detailed plan laying out who is responsible for what in keeping federal systems safe and helping secure the vast private networks that control the country’s telephone, banking and transportation systems.