Greta Bossenmaier: Cyberspy chief warns of online threats

Canada’s cyberspy agency chief says advances in quantum computing will create new risks for cybersecurity. CSE head Greta Bossenmaier says encryption used in online banking and shopping may require a “rethink.”

The immense processing power of quantum computing — designed to crunch data much faster than today’s machines — will bring tremendous opportunities for science, medicine and engineering, Bossenmaier said.

But it could also hobble encryption that shields sensitive data from prying eyes, meaning “potentially every Canadian citizen could be vulnerable.”

“And one can argue it’s not really a question of if, it’s a question of when.”

Bossenmaier’s words of warning come as the Liberal government consults Canadians on creating a new cybersecurity policy.

State-sponsored hackers, sophisticated criminals, cause-motivated hacktivists and people out to make mischief online all pose a threat, officials say.

“Cyberthreats used to be the exclusive domain of nation states, and that’s certainly not the case anymore,” she said.

“Cyberthreats come at companies, governments and other organizations from any number of sources and for any number of motivations.”

For instance, federal officials have quietly warned operators of electrical grids, transportation hubs and other key infrastructure about the danger posed by insiders who could unleash devastating viruses and cripple systems, internal government notes reveal.

Crucial networks that Canadians rely on for everyday needs face a “substantial threat” from rogue employees out to wreak digital havoc, warn the Public Safety Canada briefing notes.

“The insider threat is difficult to detect and can cause real damage.”

No special hacking skills are required, just a portable thumb drive loaded with malicious code. As a result, it is important that organizations have the right security protocols and procedures, “for example by limiting access to systems only to those who genuinely need it.”

A federal briefing on the insider threat was delivered last December to leaders of the 10 most crucial infrastructure sectors, say the notes, obtained by The Canadian Press under the Access to Information Act.

The notes point out that more than 90 per cent of critical infrastructure — key to delivering everything from food and clean water to banking and health services — is controlled by the private sector and all of it is dependent in one way or another on information technology to operate. Many critical infrastructure sectors are interdependent, meaning a problem in one could have a “cascading impact” in others.

There are two kinds of insider threats — those from people who intend to do harm and others from people who inadvertently damage vital systems, said Melissa Hathaway of the Belfer Centre for Science and International Affairs at Harvard University in Massachusetts.

Many companies and government agencies are banning thumb drives outright to avoid the accidental risk of infection, she told the conference.

“The bad guy who knows better and is doing it on purpose is much more concerning, and that’s what’s happening more and more.”

Public Safety is already working with critical infrastructure operators to prepare for the possibility of a major cyberattack on the Canadian electrical grid and telecommunications systems, the internal notes say.

Security officials call such an occurrence a “black swan” — a rare but devastating event that requires special attention due to the potential for massive losses should it happen.

The Canadian Press/Canadajournal