Western Governments Confront the Growing Threat of Ransomware

As the world continues to struggle with the COVID-19 pandemic, many countries find themselves dealing with another crisis — a surge in malicious cyber operations.

January 19, 2022
A view of the Australian Cyber Collaboration Centre in Adelaide, Monday, July 6, 2020. (AAP/David Mariuz)

As the world continues to struggle with the COVID-19 pandemic in 2022, many countries find themselves dealing with another crisis — a surge in ransomware attacks that has crippled health-care systems and critical infrastructure. The problem has grown so much in magnitude that Canada has embarked on several steps to mitigate it — all of which provide insight into Ottawa’s approach to ransomware and other cyber issues, and particularly where that approach remains deficient.

Of note is the urgency with which the government is signalling its alarm. In December 2021, four newly sworn-in cabinet ministers signed an open letter urging Canadian companies to take the threat of ransomware seriously and to introduce measures to mitigate attacks. This was followed by a new report from the Canadian Centre for Cyber Security (the Cyber Centre), which finds that “in the first half of 2021, global ransomware attacks increased by 151% when compared with the first half of 2020.” The Cyber Centre is aware of 235 attacks against Canadian victims from January through mid-November 2021 but acknowledges that most attacks go unreported. Shockingly, it cites statistics suggesting the average cost of a data breach involving ransomware is $6.35 million.

But the concern here goes beyond simply criminal activities; there’s a nexus with several national security concerns. While the overall motivation behind ransomware attacks is greed, the report notes that state actors are using such techniques “to obfuscate the origins or intentions of their cyber operations.” The Cyber Centre report notes that state actors in China and Iran have been linked to ransomware operations. Russian intelligence services and law enforcement agencies are accused of maintaining relationships with cybercriminals, allowing them to operate with impunity so long as they do not target entities in Russia.

In this way, many a relationship between online criminal gangs and authoritarian governments is one of convenience that also serves state ends. Ransomware attacks that target critical infrastructure are inherently disruptive to states. Infamously, the May 2021 ransomware attack against Colonial Pipeline carried out by Russia-based cybercriminals disrupted the largest fuel line in the United States for five days. Unfortunately, the Cyber Centre report makes it clear that these disruptive threats are growing in sophistication, targeting software supply chains that can affect many users simultaneously. And beyond merely seizing and encrypting data for ransom, cybercriminals are stealing intellectual property, proprietary information and personal details for further exploitation.

The challenge for Western governments has been how to respond to the growing threat of ransomware. Seeing few options for diplomacy, states are starting to take stronger actions against cybercriminals. For example, a US Department of Justice operation led by the Federal Bureau of Investigation (FBI) was able to recover US$2.3 million in ransom paid to the group responsible for the Colonial Pipeline attack. At the same time, states including Canada are now engaging in offensive or “active” cyber operations against cybercriminals. In December 2021, the Communications Security Establishment (CSE), Canada’s national cryptologic agency, confirmed that it had used its powers, granted under the act establishing it in 2019, against “foreign hackers” to “impose a cost” for cybercrime.

For Canada, a country that has, unfortunately, remained relatively quiet about its views of cyber norms and how international law applies in cyberspace, this is a significant admission. To date, little is known about how the CSE may use its cyber powers. We still do not know exactly what actions the CSE has taken — only that the operation was for deterrence purposes.

For many who have had their data stolen or encrypted, the idea of inflicting a bit of suffering and inconvenience on cybercriminals is likely a welcome step. However, it is not without risk. Without the consent of the state where targeted cybercriminals or their resources are based, active cyber operations may involve violating state sovereignty and, as Leah West, an assistant professor at Carleton University and an expert in Canada’s cybersecurity laws, notes, international law. In addition, deterrence operations risk escalation. Where cybercriminals have close ties to a state, the latter may choose to respond to protect or avenge the former if they are seen as an asset. Alternatively, states may seek to challenge a perceived violation of their authority.

Moreover, it can be argued that engaging in active cyber operations (what may be seen as a “disruptive” approach) contributes to undermining certain cyber norms, or at least emphasizes a punitive, kinetic approach over a criminal justice model in which individuals are indicted for their alleged criminal behaviours. As Christopher Parsons and Bill Robinson, researchers at Citizen Lab, pointed out on Twitter, Canada may have felt more secure announcing that it is engaging in these operations because its allies, Australia, the United Kingdom and the United States, have all declared recently that they have engaged in similar operations in the wake of cyberattacks, or that it was important to do so.

But shortly after the news about Canada’s active cyber operation broke on December 6, it became clear that this country has not quite given up on the criminal justice model for cybercrimes. On December 7, it was announced that the Ontario Provincial Police had made an arrest in a large investigation believed to be linked to ransomware and malware. The effort was a joint operation between the FBI and the Royal Canadian Mounted Police (RCMP). It is, however, almost certain that the impetus for the operation came from US authorities, who are keen to target individuals believed to be engaged in malicious cyber activity. Canada’s capacity to investigate cybercrime remains weak while the RCMP continues to establish its National Cybercrime Coordination Unit, which is not expected to be fully operational until 2024.

Nevertheless, this is a positive step. Unlike the United States, Canada has rarely used the criminal justice system to target individuals believed to be involved in ransomware or other malicious activities online. In this sense, there is the potential to develop both case law and expertise in charging actors for ransomware attacks, even if the chances of prosecuting criminals based in Russia or China remain remote.

Taken together, recent events suggest Canada’s approach to malicious cyber activity is both evolving and at a crossroads. The end of 2021 saw this country take its first steps in using some of the capabilities in its cyber tool kit, including active cyber and criminal justice. But it continues to hold back on establishing or developing tools that are less risky and which may prove more beneficial in the long run — including a cyber foreign policy, clear statements on how international law relates to cyberspace and a well-defined international development cyber capacity-building program.

One hopes that, as the threat of ransomware grows and evolves, Canada will begin to use more of the tools that could be available to it.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Stephanie Carvin is an associate professor of international relations at the Norman Paterson School of International Affairs, Carleton University. From 2012 to 2015, she was a national security analyst with the Government of Canada.