CIGI asked four experts, “As cyberattacks continue to evolve, what emerging threats or tactics should nations be most concerned about?” Here are their answers.
Shelly Bruce, CIGI Distinguished Fellow
For all the possibility, prosperity and optimism that cyberspace presents, it also casts some dark shadows where more and more threat actors actively seek — and too readily find — opportunities for exploitation.
As organizations across all sectors continue to fall victim to cyber compromise, conversations are starting to shift from the enticing sport of pegging the foreign cyber offender to the more urgent need to build up national cultures of cyber resilience.
At this point, the most pragmatic tonic against cyber threats is the familiar cybersecurity advice like using multi-factor authentication and patching vulnerable systems that experts have been preaching for the better part of the last decade. This cod-liver-oil approach to cybersecurity may be considered dull, but it does significantly offset current and future risks of compromise, whether from the most pervasive cybercriminal groups and their ransomware tools of choice or the well-resourced, wily state-sponsored cyber actors who take advantage of lower-brow phishing tactics to meet their strategic objectives.
A raised bar is not enough, of course. More engagement across jurisdictions nationally and unprecedented, radical public-private partnering are required to plumb in a national cybersecurity framework — one with incentives to share information, coordinate incident response, hold technology vendors to higher security standards and perpetually fuel a pipeline of cybersecurity talent.
While it may not be as titillating as hunting those on the attacking keyboards, a truly inclusive, truly national culture of cyber resilience — buttressed by 40 million front-line defenders — can go a long way to inoculating Canadians against all manner of evolving cyberthreats and adjacent online harms.
Kailee Hilt, CIGI Program Manager and Research Associate
Cyberattacks continue to surge, relentlessly targeting a broad spectrum of sectors from power grids to critical health care services. Ransomware remains one of the most common strategies, leveraging the limited downtime tolerance of these organizations, and heightening the probability of compliance with extortion demands. As the use of connected devices in every aspect of our daily lives proliferates, fresh vulnerabilities that extend beyond critical infrastructure are also increasingly being recognized.
Moreover, the pernicious threats of foreign interference, disinformation campaigns and cyber espionage are undermining the pillars of democracy, social unity and national security. The realm of cyberweapons remains shrouded in extreme secrecy, both in terms of their development and deployment. Consequently, some nations find themselves ill-prepared to confront the looming possibility of attacks to come. With the technological tools readily available online, barriers to enter cybercrime are astonishingly low, so that those launching assaults range from nation-states to really any individual wanting to wreak havoc.
While the evolving use of artificial intelligence (AI) and machine learning in cybersecurity offers improved threat detection and rapid responses, these technologies’ dual-use nature poses unique challenges. Cybercriminals have the potential to harness these technologies to automate attacks, thereby increasing their speed, and to craft more convincing social engineering campaigns. The capacity to mimic human behaviour and adapt in real time means that AI-driven cyberattacks may prove particularly malicious.
Equally troubling is the growing demand for cybersecurity experts, which is expected to outstrip the supply of qualified professionals, and could undermine Canada’s capacity to defend against increasingly sophisticated threats. Cultivating a national culture of cyber resilience will continue to be imperative for both current and future risk management.
Sarah McCarthy, Cryptographic Strategist, evolutionQ
Fans of the Black Mirror TV series may recall the first episode of season 6, “Joan Is Awful,” where a “quamputer” enables the cyclic creation of alternate realities embedded in a show on the “Streamberry” streaming platform.
Although perhaps not technically feasible today, this storyline portrays the powerful processing capabilities of quantum computers. That processing power may bring many benefits to society — with researchers suggesting accurate weather forecasting, drug trial simulation, stock market modelling and more — but, in the hands of a bad actor, it can also be used for cyberwarfare. Specifically, quantum computers will more readily solve the mathematical problems underpinning today’s data encryption methods, which are hard to solve with classical computing power.
The potential for malicious use of this processing power has motivated research into post-quantum cryptography (PQC), which refers to cryptographic primitives (methods for performing encryption and authentication) that build on even more complex mathematical problems to protect against both classical and quantum computing attacks. The first PQC standards are due to be released by the National Institute of Standards and Technology in 2024, but nations with highly sensitive data should not wait until their release to act.
That’s because threat actors are already using HNDL or “harvest now, decrypt later” attacks. With these attacks, adversaries collect and store data that is encrypted today by traditional methods. At some point in the future, when the hackers have access to a quantum computer, they will be able to easily decrypt the data. Long-life data, such as state secrets, may still be of value to adversaries and could be exploited for financial, political or military gains.
To mitigate this risk, governments and organizations with highly sensitive data should start planning, preparing and testing for the migration to PQC algorithms, so they can effect the migration quickly, securely and cost-effectively. Deploying the PQC algorithms early (in a hybrid-type model, alongside traditional cryptography) will help to reduce the period during which their data is vulnerable to HNDL attacks while simultaneously testing the performance of these algorithms in their systems.
Jessica West, CIGI Senior Fellow
Every aspect of daily life on Earth depends on thousands of satellites in outer space that collect, transmit, use and control the global flow of data. But this digital web of invisible infrastructure is increasingly vulnerable to cyber interference, as well as to data corruption, manipulation and theft. The result: global harm and potential chaos.
Unlike destructive weapons, digital tools that infiltrate space systems seem eminently usable, discreet and easily denied, if necessary. Unconstrained by the physics of space warfare, they can be used in distributed attacks across an entire system or on multiple systems at once. And because the harm they cause is, in theory at least, temporary and reversible, their use is often tolerated.
This attitude to digital warfare is dangerous. Command and control of weapons systems — including nuclear weapons systems — run through space; interference with such systems can unintentionally cause an escalation to armed confrontation. And, because most satellite systems serve various military and civilian users and purposes, effects can ripple out of control.
Even if such cyber interference does not lead to armed conflict, consequences can be grave. Temporary disruption of critical civilian services can compound other vulnerabilities experienced by citizens because of their gender, race, geography or socioeconomic status. The effects, for some if not all, can be catastrophic. If nations continue to ignore the problem of cyber interference with space systems, the risks and dangers will only grow.