Canada’s Recommendations for Upholding Digital Security in the Financial Sector
On 29 July 2019, Capital One disclosed a digital security incident in which an outside individual gained unauthorized access to its systems. That party then leveraged their access to obtain the personal and financial information of Capital One cardholders as well as of individuals who at one point applied for a credit card. Overall, the bank holding company estimated that the breach affected 100 million Americans as well as six million Canadians. That’s almost a third of the population of the United States and nearly a fifth of Canada’s citizenry, respectively.
Irfahn Khimji, strategic account manager at Tripwire, explains that this event and others have motivated Canadians to start thinking more about their digital security:
Canadians are starting to realize that their privacy and security is something that needs to be taken seriously. Not only are citizens becoming more aware of the risks associated with having an online presence, but organizations are starting to take more precautions as they don’t want to be the next breach in the news.
This incident highlights just how damaging a data breach in the financial sector can be. Canada is already aware of this fact. In fact, the Canadian Parliament’s Standing Committee on Public Safety and National Security (the Committee) decided to investigate digital security in the financial sector as a national economic security issue. For the purpose of this exercise, the Committee held several meetings on the issue of digital security in the financial sector. After hearing expert testimony on the subject, the Committee came up with nine recommendations that reflect the current dangers facing the financial industry and what the Government of Canada can do to help protect organizations. Those recommendations are presented below.
Recommendation 1: The Committee recommends that, in the next Parliament, the House of Commons Standing Committee on Public Safety and National Security establish a sub-committee dedicated to studying the public safety and national security aspects of cybersecurity, with potential areas of inquiry including international approaches to critical infrastructure protection, impact of emerging technologies, and cyber supply chain security.
During the Committee’s meetings, witnesses emphasized that financial organizations must build security into every offering in order to maintain trust and a competitive advantage. Of particular significance for this recommendation is the testimony of Mr. Scott Smith, the Canadian Chamber of Commerce’s senior director of intellectual property and innovation policy. He told the Committee that small- and mid-sized businesses are key to Canada’s financial success, as 99.7% of businesses in the country have fewer than 500 employees. At the same time, he said that these companies need to embrace digital technologies to expand into international markets and to continue to serve domestic customers.
“As a vendor community we need to ensure that we focus on helping Canadian businesses of all sizes,” Khimji explained. “Too often do we fall into the trap of trying to cater to the large businesses while ignoring the small to mid-sized businesses. While large organizations help drive and test new technologies, the technologies need to be at a scale and cost that can support small and mid-sized Canadian businesses.”
Recommendation 2: Along with encouraging Canadians to adopt sound cyber hygiene habits, the Committee recommends that the Government of Canada undertake efforts to ensure the digital products and services they rely on, including products that are part of the Internet of Things, are “secure by design.”
The Committee learned that digital security has changed over the past decade, with tools like anti-virus programs and firewalls no longer providing adequate protection on their own. Witnesses said this was the case because of the rapidly evolving, dynamic threat environment, one in which state and non-state threat actors are using new tactics and techniques for opportunistic and targeted attacks against banks, credit unions, trust companies and other financial institutions. In particular, these threat actors are going after these entities’ deployed Internet of Things (IoT) devices.
To adequately help financial organizations defend themselves, witnesses told the Committee that private-public partnerships are key to creating security standards around IoT security and thereby closing off IoT devices as a major threat vector.
Khimji supports this recommendation wholeheartedly:
This is a great initiative to ensure that products released by vendors not only help their customers, but at the same time minimize the exposure that these new products bring. Moving to a more digital Canada is key to our success in the global economy, provided we can do so in a secure manner.
Recommendation 3: The Committee recommends that the Government of Canada recognize both the promise and the peril of artificial intelligence for cybersecurity, ensuring that this duality is addressed in its national cybersecurity framework.
In terms of digital security, artificial intelligence (AI) is a dual-use technology. On the one hand, digital defenders can use the tool to look for signs of compromise within internal systems and workflows on the assumption that a system breach might have already occurred. On the other hand, digital attackers are increasingly turning to AI as a means to assist their attacks. These operations are increasingly threatening the digital security of financial organizations, particularly those that rely on traditional perimeter defense systems to protect themselves. This explains why the Committee feels the need to address both the promise and dangers of AI for digital security.
Recommendation 4: The Committee recommends that the Government of Canada increase this country’s existing quantum skills capacity and continue to support research and development of quantum technologies and encryption standards that will ensure Canada’s electronic information and information systems remain secure in a post-quantum world.
Quantum computing is similar to AI in that it’s a double-edged sword. Witnesses told the Committee that advances in this field will improve the ability of computers to communicate information over long distances and thereby make surreptitious eavesdropping on networks more difficult. They also noted that quantum computers could “supercharge” AI as applied to security analysis software.
However, the witnesses observed that attackers could also use quantum computing to undermine the world’s cryptographic standards. They could then reveal sensitive data, including financial information, that’s protected by today’s encryption algorithms. Acknowledging that threat, Canadian public and private sector organizations need to form partnerships with the security community in order to successfully transition their systems to encryption implementations that are safe in the quantum age.
Recommendation 5: The Committee recommends that the Government of Canada develop a comprehensive cybersecurity skills and training strategy that will instill ethical and secure coding practices early on and create a cybersecurity workforce that leverages diverse backgrounds, meets internationally recognized standards, and is prepared for the cybersecurity challenges of today and tomorrow.
In his testimony before the Committee, Cybersecure Catalyst Executive Director Charles Finlay cited a report indicating that Canada would have 8,000 empty digital security positions to fill by 2021. The Committee felt it was dangerous to allow these positions to go unfilled without doing something. It therefore vocalized its support for initiatives such as Cybersecure Catalyst, a not-for-profit center based at Ryerson University which intends to pursue training and certification, research and development and other work in the name of filling out Canada’s digital security workforce.
“This initiative will be key to the future of a Digital Canada,” noted Khimji. “Security should be a focus not just among IT students, but all throughout high school and university programs. There is no field of study today that does not use the internet. Therefore, students should learn some of the risks and mitigating factors to having an online presence for both themselves and their businesses.”
Recommendation 6: To ensure accurate and comprehensive statistics, the Committee recommends that the Government of Canada encourage Canadian citizens and companies to report all instances of cybercrime.
The Committee found from witness comments that Canada doesn’t have the necessary data to measure the state of its digital security accurately. Some witnesses pointed out that a robust and modern public reporting system could help the country to track attacks across organizations and economic sectors and thereby more efficiently pursue digital criminals. The Committee realized the advantage of creating such a system. It did this while acknowledging that the international nature of digital crime makes it difficult and therefore rare for Canada, as well as most other countries, to lay charges against a suspected criminal.
Recommendation 7: The Committee recommends that the Government of Canada support responsible vulnerability disclosure programs.
Witnesses revealed in their testimony that it’s impossible for any organization to eliminate all flaws within its hardware, software and firmware. That’s especially the case when companies’ digital environments contain poorly secured legacy systems. From their testimony, the Committee confirmed that properly organized bug bounties can help organizations identify and patch vulnerabilities and that Canada’s Government can do more to promote such frameworks as an important security measure. It also noted the importance of organizations acting quickly to address flaws disclosed to them through these bug bounty programs.
Tyler Reguly, manager of software development at Tripwire, observed that the Government’s support of bug bounties will help Canadian organizations better defend themselves against digital threats across the board:
Bug bounty programs and frameworks that protect security researchers disclosing vulnerabilities are key to the cybersecurity ecosystem. When researchers are uncomfortable coming forward or feel that their careers or personal freedoms are at risk, it gives adversaries the upper hand. A government backed program or framework that supports researchers properly disclosing vulnerabilities would go a long way toward securing organizations in Canada.
Recommendation 8: The Committee recommends that the Government of Canada reject approaches to lawful access that would weaken cybersecurity.
Throughout the Committee’s meetings, witnesses emphasized that more needed to be done to help financial organizations integrate a “security by design” approach to securing their IT environments. In light of these discussions, the Committee was concerned to learn of recent pushes by law enforcement to weaken the encryption of messaging apps and other services by means of backdoors. It subsequently vocalized its support for the position that all Canadians should have access to strong encryption, despite the challenges this position creates for law enforcement agencies.
Recommendation 9: The Committee recommends that the Government of Canada explore ways to ensure all sensitive data moved within Canada has a domestically routed path, ensuring data packets are not exposed to foreign network infrastructure.
A research effort led by Andrew Clement, Professor Emeritus at the University of Toronto’s Faculty of Information, revealed that approximately 80 percent of Canadian web communications with foreign countries pass through the United States. The Committee agreed that this lack of sovereign control over its data flows could put Canada at risk, especially if the United States suffered a digital attack and decided to temporarily bring its external connections offline. Professor Clement, therefore, recommended that the Government help the country store, route and process all domestic data within its borders. He also recommended that the Government “support the development and use of Canada’s Internet exchange points for direct inter-network data exchange to avoid U.S. routing.”
A Call to Financial Organizations
By implementing the recommendations discussed above, the Government of Canada will certainly strengthen the security of financial organizations within its borders against digital threats. But that doesn’t mean the organizations themselves should do nothing. On the contrary, they should look to protect their systems while maintaining the availability of their services and automating their compliance with SOX and other mandates. Khimji went on to state that these organizations should ideally work with the Government to help make all of this happen:
It is imperative that these recommendations are not just a mandate from the government that turns into a compliance exercise. Rather, the public and private sectors need to work together to ensure a safe and secure digital Canada. While there are always bound to be risks associated with sharing data, it is important that we work together to minimize that risk and allow Canadians to safely participate in the global economy.
Learn how Tripwire can help support these partnerships.