At a glance.
- Canadian signals intelligence agency predicts cybercrime will pose a threat to national security.
- Report: US water infrastructure is in hot water.
Cybercrime as a threat to national security.
A federal report from Canada’s Centre for Cyber Security – a branch of the Communications Security Establishment (CSE) – is warning of a ramp-up in Russian and Iranian organized cybercrime targeting Canadian organizations. The report names Russia and Iran as cybercrime safe havens where threat actors can carry out operations against Canada and other nations in the West. (As Reuters reports, the Russian government has denied any support of cybercriminals.) It also predicts that “Organized cybercrime will very likely pose a threat to Canada's national security and economic prosperity over the next two years.” In 2022 there were 70,878 reports of cyber fraud in Canada resulting in C$530 million in stolen funds.
Chris Lynam, director general of Canada's National Cybercrime Coordination Centre, says that due to underreporting, these stats represent just a fraction of the actual damage, and the real cost likely tops C$5 billion. The report goes on to say, “So long as cybercriminals can extract financial profit from Canadian victims, they will almost certainly continue to mount campaigns against Canadian organizations and individuals.” As the Toronto Sun adds, the report offers recommendations for cracking down on cybercrime. Sami Khoury, head of the Cyber Centre, stated, “The good news is that most cyberincidents can be prevented by basic cybersecurity measures. We have tailored advice and guidance products available on our website. Collaboration is key as we work to minimize the impact of cybercrime in Canada.” As the Globe and Mail notes, Lynam also urges small businesses to report cyberincidents to the proper authorities. “One report from a small town in Canada could be the missing piece to an international puzzle,” he said.
Tom Kellermann, SVP of cyber strategy at Contrast Security, calls Russian toleration and encouragement of cybercrime “the Pax Mafiosa,” and he says it's thriving. “The protection racket between the regime and cybercrime cartels began in 2013 and serves to offset economic sanctions. There is a Silicon Valley of the East and it exists in St. Petersburg, Russia.”
Report: US water infrastructure is in hot water.
According to an assessment from the National Infrastructure Advisory Council (NIAC), increased cyberthreats – as well as climate change and increased demand – have left the US’s water infrastructure in the midst of a “rapidly evolving water crisis.” As Nextgov explains, the NIAC consists of thirty executives and leaders from the public and private sectors who advise the president on infrastructure risks. Approximately 80% of public water systems are publicly owned and operated by municipalities, and the report states that a lack of funding and investment has left this infrastructure “unsustainable.” Nitin Natarajan, deputy director of the Cybersecurity and Infrastructure Security Agency and an NIAC member, stressed the importance of building resilience in the nation’s water systems. “We need to do the work up front to really prepare for the disruption and anticipate what could be disruptions in the future,” he stated. “We need to practice and prepare, not just our response, but really looking at continuity and recovery as well.”
The report goes on to highlight the importance of employing new technologies to increase resilience and provide new opportunities in the water system workforce. “Without additional investment in technologies routinely employed in other infrastructure and employees, water utilities will be hard pressed to find the skilled employees needed to meet their cybersecurity needs,” it reads. As CyberScoop adds, the report recommends the establishment of a cabinet-level agency focused on developing a strategy for shoring up the nation’s water systems. There are currently seven executive agencies and three independent federal agencies with some sort of water oversight, and the report states that a National Water Strategy is necessary to coordinate these agencies’ efforts. It reads, “This fragmentation of responsibility at the federal level makes it difficult to ascertain the country’s water needs and strategically prepare the nation for a water-secure future.” A dedicated agency would help outline the necessary budgetary needs, prioritize resilience efforts, and establish a research and development program for cybersecurity and other threats to water infrastructure.
(Added, 4:15 PM ET, August 30th, 2023.) Susanto Irwan, Co-founder & SVP of Engineering at Xage Security, approves of the new attention to water systems. “It's promising to see a growing focus on the resiliency of America's water systems. The recent call by the National Infrastructure Advisory Council (NIAC) to establish a Department of Water or a dedicated federal agency to address the escalating cybersecurity threats marks a major step in securing our country’s critical infrastructure. Although there are federal agencies in place that oversee water-related threats, it is no longer enough, as evidenced by CISA’s report of at least five cyberattacks on U.S. public water systems within a two-year span. To successfully mitigate risks, a coordinated effort between owners, operators, and the government is key – as well as implementing the latest zero trust identity and access management solutions to safeguard our nation’s 150,000+ water systems. To secure this precious resource, a meticulously formulated national water strategy, spearheaded by deep collaboration and a dedicated federal agency, is exactly the path forward that America needs to take.”
(Added, 5:45 PM ET, August 31st, 2023.) Anand Oswal, Senior Vice President and GM of Network Security at Palo Alto Networks, wrote to connect the call for water system security to other risks to critical infrastructure. “As we’ve seen with attacks like the Colonial Pipeline, critical infrastructure is a top target for attackers and one we can’t afford to leave unprotected. A critical sector of OT devices, industrial control systems (ICS), were found to have 274 common vulnerabilities & exposures (CVEs) in 2022. With current IT and OT security technologies relying on outdated and siloed piecemeal solutions that do not completely protect and require specialized training, skills, and maintenance, total cost of ownership has increased to an untenable level.” Oswal recommends zero trust as a principle in utility security. “A zero-trust approach is crucial to mitigate risk and close cybersecurity gaps. Rooted in the principle of ‘never trust, always verify,’ zero trust can protect digital OT environments by leveraging network segmentation, preventing lateral movement, providing layer 7 threat prevention, and simplifying user-access control. This recommendation by the NIAC is shining a spotlight on what could become a severe problem if the status quo is left unchecked.”