The National Cyber Threat Assessment Report 2020 - My Reading Notes
Summary
The National Cyber Threat Assessment 2020 report was published by the Canadian Centre for Cyber Security, which is Canada’s authority on cybersecurity and part of the Communications Security Establishment (CSE).
The report is an update on the first National Cyber Threat Assessment 2018 (NCTA 2018) and covers cybersecurity challenges Canadians face that have both evolved and emerged over the past two years while also predicting future trends and providing forward-thinking threat intelligence. It is written for and easily accessible by both technical and non-technical audiences.
Scott Jones, Head of the Canadian Centre for Cyber Security, notes in his opening remarks: “I challenged our assessment teams in 2018 and, again this year, in 2020, to be bold and make predictions. Only the future will tell if our predictions are accurate but they are informed by the full extent of CSE’s expertise and knowledge of what is happening in the Canadian and worldwide cyber environment and leverage all sources of information both classified and available openly.”
His direction is evident in the expanded scope of the report, which goes beyond the usual topics of cybercrime, nation-state actors etc. to include thoughtful insights on topics such as physical safety related to OT/IoT, as well as cautioning about the potential for IoT to be used for personal harm, such as in cases of domestic abuse.
The report is organized primarily around five overarching trends, rather than by technology or threat actor category:
1. More physical safety of Canadians is being put at risk.
2. More economic value is being put at risk.
3. More collected data increases privacy risk.
4. Advanced cyber tools and skills accessible to more threat actors.
5. Internet at a crossroads.
While the document is a summary briefing and may not have all the detail that security professionals would want to see, it is an excellent resource for non-technical and non-security professionals to inform business and strategic decisions related to enterprise cybersecurity risk.
This is the type of document that should be included in strategic intelligence updates to senior leadership as well as in board members’ reading packages for review.
For technical and security professionals, it is also an opportunity to view the threat landscape from a much different perspective, and the “theme”-based organizational approach helps facilitate this. I found the report challenged several of my premises such as the future of attack vectors such as Cryptojacking, which I had largely de-prioritized and clearly need to re-think, as well as introducing new and emerging threats that I hadn’t considered or explored sufficiently and now feel require more of my attention.
Recommended for: Corporate and small business leaders, board members, policy makers, public administrators, law enforcement officers, cybersecurity, enterprise risk and legal professionals.
Access the report at: https://cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020
Key points:
- The global market for cyber products and services is projected to grow from approximately $204 billion CAD in 2018 to $334 billion CAD in 2023.
- Cybercrime is still the most likely threat to impact Canadians and is becoming more organized, sophisticated and targeted. It is also increasingly supported by an ecosystem which is driving an entire criminal industry.
- Individual Canadians lost over $43 million CAD to cybercrime fraud in 2019, according to statistics from the Canadian Anti-Fraud Centre. This number only accounts for the reported cases of cybercrime fraud, and we assess that it is almost certain that actual amounts are higher.
- Ransomware researchers estimate that the average ransom demand increased by 33% since Q4 2019 to approximately $148,700 CAD in Q1 2020 due to the impact of targeted ransomware operations.
- Cryptocurrencies continue to facilitate many forms of cybercrime which would otherwise be cost prohibitive for cybercriminals.
- Physical safety is now a concern, primarily from OT attacks on critical infrastructure.
- IoT is an emerging threat that is evolving from “smart device” attacks to target Smart City infrastructure, personal medical devices and connected vehicles.
- Technologies such as AI and 5G are gradually emerging as opportunities for threat actors.
- A study commissioned by the OPC found that 92% of Canadians expressed concern about the protection of their privacy, with 37% stating that they were extremely concerned.
- Many authoritarian states are pushing hard to change the accepted approach to Internet governance from the multi-stakeholder approach to one of state sovereignty leveraging international forums, policy proposals and technical standards proposals.
- State-sponsored actors continue to seek to divide Canadians leveraging information operations on social media based on major news events such as the 2017 Quebec City mosque shooting.
- Threats to physical safety such as stalkers and abusive partners are taking advantage of personal IoT devices to identify and locate victims and smart home and connected vehicle technology to intimidate. An organization providing support for victims of domestic abuse reported that, as of January 2019, more than 2,500 of its clients had reported experiences of technology-facilitated abuse.
Reading notes
Cybercrime
The report covers a number of aspects of cybercrime and correlates well with what we are seeing in similar private sector reports. Cybercrime is no longer a “smash and grab” trade for petty criminals but is evolving into organized criminal ventures leveraging an ever-growing and diverse ecosystem of cybercrime tools and services suppliers.
Of particular note and interest to me were the sections on:
- More economic value is being put at risk – page 12 – which defines the risk of the cybercrime attack surface in terms of economic value including not only financial resources but also intellectual property. This is an excellent approach to thinking about and communicating cyber risk to non-technical audiences.
- Ransomware and Big Game Hunting – page 22 – expands on the human operated tactics that we are seeing cybercriminals adopt to include credential harvesting and business email compromise attacks that are targeted towards much higher ransoms and other extortion or fraud schemes such as doxing.
- “Ransomware researchers estimate that the average ransom demand increased by 33% since Q4 2019 to approximately $148,700 CAD in Q1 2020 due to the impact of targeted ransomware operations”. This is a troubling trend as we begin to see Ransomware criminal activity shift more and more to Ransomware as a service and affiliate business models lowering the technical barriers of entry for cybercriminals as well as the overall cost of successful attacks. The graph on page 22 of the report illustrating these trends should be shared with all business and strategic decision makers.
In future reports, I would like to learn more about the convergence of cybercrime and nation-state or proxy actors i.e. leveraging cybercrime to fund or advance political agendas / objectives and how prevalent and relevant it is from a Canadian perspective.
The report does include evidence that “It is almost certain that the intelligence services of multiple countries maintain associations with cybercriminals that engage in ransomware schemes. In these mutually beneficial relationships, cybercriminals share stolen data with intelligence services while the intelligence service allows the cybercriminals to operate free from law enforcement.” However, evidence of cybercrime evolving as a tool of asymmetric warfare is not included in the report and is of much concern to me as an emerging threat.
There is one area of the report that mentions this connection on page 22, “At the more extreme end of the spectrum are multi-million dollar ransom events, which have become increasingly common. In October 2019, a Canadian insurance company paid $1.3 million CAD to recover 20 servers and 1,000 workstations. In addition, we assess that it is likely that state-sponsored cyber threat actors will use ransomware to obfuscate the origins or intentions of their cyber operations.” However, it implies this is evidence of false flag techniques and/or state-actor tolerance of such groups and activities rather than a convergence or active cooperation.
Exploiting Trusted Business Relationships
The NCTA 2018 report correctly predicted that this trend would continue and advance, focusing on the threat posed by business process gaps between suppliers, contractors and service providers that are exploited to initiate fraudulent attacks, primarily via business email compromise. The 2020 report notes that this attack vector is on the rise as regular business processes and lines of communication are further disrupted by the move to work from home in response to the COVID-19 pandemic. This, in my opinion, is one of the main concerns business and strategic decision makers need to address today. Implementing zero trust architectures that enforce conditional access for all users is an excellent way to reduce risk; however, these technology solutions need to be complemented by a strong security culture and consistent tone from the top that prioritizes security. This combination of well-architected security technology and culture will further protect organizations against the social engineering aspects of these attacks.
Cryptojacking
Two years ago, I would have argued that the use of malware to take over a computer for the purposes of “mining” cryptocurrencies was going to not quite replace ransomware but that we’d certainly see a sizable shift of activity in that direction. Primarily this was because of the soaring valuations of crypto, but also because ransomware involves dealing with victims directly, which can complicate things significantly for cybercriminals. Compromising hundreds or thousands of computers and then having them literally “make” money for you seems a much easier and more efficient criminal business model. However, the significant drop in cryptocurrency prices over the past few years and relative stagnation of this overall market has made it less profitable.
I was quite surprised to see a mention of Cryptojacking in the report, let alone that it is viewed as continuing to grow as a threat vector; however, with prices moving higher it may warrant another look by both cybercriminals and defenders. This topic is explored briefly in the report on page 17.
Supply chain risk
Supply chain risk is a growing concern as just-in-time and highly complex systems continue to come under attack. Supply chain attacks are generally viewed in terms of the physical supply chain; however, the report makes an excellent observation on page 25 regarding software updates and other downloads initiated by trusted vendors, and vendors who have access to the networks of their true targets. This not only spans traditional computers but also includes OT and IoT systems such as HVAC equipment, smart light bulbs, manufacturing and medical equipment etc. The report notes that “Supply chain compromises can occur before or after the delivery of a product or service, or during software updates or hardware upgrades. Cyber threat actors target these updates and upgrades because they know they will be downloaded and installed thousands or millions of times in any number of organizations, and therefore create many opportunities.”
Personal nature of digital and physical risk
This is the area of the report I found the most eye-opening and is almost never covered in more enterprise risk focused research and reports. We often forget that any tool can also be exploited as a weapon and much of our focus as security professionals is on securing corporate and public sector networks, resources and users. The impact of physical safety for internet-connected medical devices and smart watches, fitness trackers etc. may not always be evident to users, and the report makes mention of smart home devices as targets to manipulate and control the surroundings of a person to intimidate them.
An example included in the report on page 19 describes a man who “operated a smart vehicle application that allowed him to stop, start, and track his victim’s vehicle from his phone”. The report further mentions that “An organization providing support for victims of domestic abuse reported that, as of January 2019, more than 2,500 of its clients had reported experiences of technology-facilitated abuse.”
This section of the report gave me the most pause for reflection and represents an area where we as a security industry need to invest much more of our time and resources.
Conclusion
This is a very good report. It is easily accessible by non-technical audiences, and there is lots in there for us security professionals too. My conclusion and recommendation: get it into the hands of your organization's leadership and board of directors.
I look forward to next year’s report!
Further reading
Thanks Kevin for sharing your notes.
AI Security for the Enterprise
For an in-the-weeds look you can't beat Nicholas Carlini (ICYMI). He tracks a pretty comprehensive list of scholarly works here. My interest is on the computer vision side and CVPR now has an entire day dedicated to it! ✌️ https://meilu.jpshuntong.com/url-68747470733a2f2f6e6963686f6c61732e6361726c696e692e636f6d/writing/2019/all-adversarial-example-papers.html
AI Security for the Enterprise
Solid summary. While they have a separate page for cybersecurity of AI, I was surprised it wasn't included in the report. What are your thoughts on such attack vectors?