#CyberFLASH: CSIS, Bill C-51 and Canada’s growing metadata collection mess


Much has been made over whether the Canadian Security Intelligence Service, Canada’s spy agency, should be armed with broader powers to “disrupt” what it perceives as terrorist plots.

A report tabled this month by the Security Intelligence Review Committee, which watches over CSIS’s work, notes that while the spy agency hasn’t abused its new powers of disruption, its bulk data collection program needs to be scaled back.

It’s easy to think of CSIS and other spy agencies as shadowy organizations that carry out James Bond-like “missions” involving cool gadgets and high-tech weaponry, but the Snowden leaks, among other revelations, have shown the public that metadata collection (online communications, phone logs and other electronic exchanges that can be intercepted in enormous amounts) now constitutes the state’s primary instrument of control.

Privacy Commissioner Daniel Therrien recently called upon legislators (the Liberals in particular) to amend certain aspects of Canada’s national security laws in order to address the issue of metadata collection.

In particular, Therrien referred to the Communications Security Establishment, which seems to get a lot less public scrutiny than CSIS. The CSE is responsible for collecting massive volumes of foreign communications through “signals-intelligence” (or “sigint”), but it also tends to drag up large amounts of Canadian metadata, which it isn’t supposed to be doing.


#CyberFLASH: Drop in police requests for electronic surveillance of suspected criminals baffles experts


Experts say they’re baffled by the big drop in the number of applications from police to conduct electronic surveillance on citizens.

In 2015, peace officers asked for authorization to intercept and record private communications 66 times, down from 114 a year earlier.

Police can ask a judge for permission to intercept someone’s personal communications when they suspect serious criminal activity. Such authorizations generally last around 60 days.

The data comes from the Department of Public Safety’s annual report on the use of electronic surveillance in Canada.

The report describes how, when applying for authorization, police most often said they suspected drug trafficking, terrorism, conspiracy and possession of stolen property. It also says charges were laid against 56 people identified during an interception.

Brenda McPhail, the director of privacy, technology and surveillance for the Canadian Civil Liberties Association, welcomes the information but can’t explain the drop. McPhail says there’s a limit to how helpful numbers are without any analysis.

“We could wonder whether or not the categories they are required to report in are so narrow that they are not catching the new kinds of interception technologies and techniques that are being used,” she said.

Christopher Parsons agrees. He’s with the telecom transparency project at the Munk School of Global Affairs’ Citizen Lab.

“Wiretaps are meant to be a tool of last resort so what that may suggest is authorities are finding other ways of gaining evidence that is less intrusive on Canadians’ privacy, more generally,” Parsons told CBC News.


#CyberFLASH: Infrastructure sectors face potentially crippling ‘insider’ cyberthreat, feds warn

OTTAWA—Federal officials have quietly warned operators of electrical grids, transportation hubs and other key infrastructure of the cyberthreat from insiders who could unleash devastating viruses and cripple systems, internal government notes reveal.

Crucial networks that Canadians rely on for everyday needs face a “substantial threat” from rogue employees out to wreak digital havoc, warn the Public Safety Canada briefing notes.

“The insider threat is difficult to detect and can cause real damage.”

No special hacking skills are required, just a portable memory key loaded with malicious code. As a result, it is important that organizations have the right security protocols and procedures, “for example by limiting access to systems only to those who genuinely need it.”

A federal briefing on the insider threat was delivered last December to leaders of the 10 most crucial infrastructure sectors, the notes say.

They point out that over 90 per cent of critical infrastructure — key to delivering everything from food and clean water to banking and health services — is controlled by the private sector and all of it is dependent in one way or another on information technology to operate. Many critical infrastructure sectors are interdependent, meaning a problem in one could have a “cascading impact” in others.

The notes, prepared earlier this year for Monik Beauregard, a senior assistant deputy minister at Public Safety Canada, were obtained by The Canadian Press under the Access to Information Act.


#CyberFLASH: Ottawa should create cyber threat advisory committee, says security lawyer

The federal government should follow Washington’s lead and create an advisory committee of experts on national cybersecurity — announced yesterday — including both the public and private sector, says a security lawyer.

“I do believe that Canada would benefit from a similar setup where the Minister of Public Safety, the Minister of Defence and the Prime Minister could get input and recommendations from a panel made up of experts/stakeholders from the private, public, law enforcement and academic sectors,” Imran Ahmad of the firm Cassels Brock, who also sits on the advisory board of the Canadian Advanced Technologies Alliance’s (CATA) Cyber Security Council, said in an interview.

Ottawa “would benefit from a holistic view on cybersecurity threats to Canada that are affecting Canadians on a daily basis and that go beyond a narrow national security lens.”

His view was echoed by Kevin Wennekes, CATA’s chief business officer, who said creating a public-private sector advisory committee is “long overdue.” The security industry “is the first to know of the threats,” he said.

Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada, said such a commission could be a good idea here. But, he added, it wouldn’t be as easy as in the U.S. or Britain, where the public and private sectors are closer. Before coming to Canada, Kabilan helped develop the U.K.’s National Counter Terrorism Strategy and has worked on security with other allies, and he knows how this country compares. “We haven’t even broken the ground to enable looking at the potential for something like that, because those relationships and the ability of the private sector to be a part of all of these discussions and part of the input into policy and decisions in the security sphere is not quite as well developed in Canada.”


#CyberFLASH: Cyber security review still in early days, Public Security officials tell Senate

Speaking before a Senate committee on national defence Monday, Monik Beauregard said that the department is under a tight timeline to review its efforts and get a report to cabinet.

But Beauregard said the department is still trying to figure out how wide or narrow the review will be.

“At this point, we’re all looking at the scope of the reviews and thinking about how to carry it out,” Beauregard told senators Monday evening.

In his mandate from the prime minister, Public Safety Minister Ralph Goodale was asked to lead the review into critical infrastructure protection, in co-ordination with five of his cabinet colleagues.

“Critical infrastructure” has a broad definition, but is typically thought of as systems, networks, facilities and assets essential to public safety, national security, and economic interests of Canada. That includes everything from bridges to roads, but also data centres, financial networks, and natural resources projects.

The new Liberal administration promised to revisit a number of controversial public safety measures introduced by the previous Conservative government, including plans to protect those pieces of critical infrastructure.


#CyberFLASH: Cybersecurity strategy hinges on fed-prov collaboration

Public Safety Minister Ralph Goodale will need to continue working closely with the provinces and territories if he wants to close the gaps in Canada’s cybersecurity preparedness and develop a plan for countering radicalization, security experts say.

Goodale and Justice Minister Jody Wilson-Raybould held their first meeting with provincial and territorial ministers in Quebec City Thursday to hash out concerns about public safety and justice issues. Among the topics they discussed were cybersecurity and counter-radicalization — or specifically, the need to get better at sharing best practices for protecting critical infrastructure and developing a policy framework to organize counter-radicalization efforts.

While there was little detail provided in the accompanying press release, researchers focusing on national security and terrorism say the fact that the new government is making a commitment to work more closely with the provinces and territories is a good sign.

“A lot of the critical infrastructure that might need protection is in the hands of the provinces and private sector,” said Wesley Wark, a professor focusing on national security at the University of Ottawa. “That’s really the root of this — vulnerability and, in their mind, inadequate measures by the previous government.”

Prime Minister Justin Trudeau tasked Goodale with leading a review of Canada’s state of critical infrastructure protection when appointing him to the portfolio in November.

The Canadian government had been the target of multiple high-profile cyber attacks during the former Conservative government’s decade in office — in 2011, attacks traced to Chinese IP addresses targeted the Treasury Board, the Department of Finance and Defence Research and Development Canada (DRDC).


#CyberFLASH: List of protests tracked by government includes vigil, ‘peace demonstration’

OTTAWA — What do Canadian veterans, advocates for the disabled and the country’s largest union have in common? Their activities were monitored and reported on by police and government agencies over the last year.

Documents show the central Government Operations Centre received reports on more than 160 protests, community events, and demonstrations between May 2014 and February 2015. The RCMP, Public Safety Canada, and the Privy Council Office prepared reports for the GOC — which co-ordinates the federal government’s response to national emergencies and natural disasters.

While much of the monitoring focused on First Nations causes and environmental activism, the GOC showed a diverse set of interests, including:

• A rally on Parliament Hill pushing for better benefits for Canadian veterans.

• A “die-in” protesting police brutality against black Americans, including vigils for Ferguson, Mo. shooting victim Michael Brown organized by the Black Lives Matter movement.

• An event called “Paddle for Peace” in Fort St. Jean, B.C., where the report noted “public order issues are not expected.”

• Canadian Doctors for Refugee Care’s national day of action.

• An “interfaith peace demonstration” in Mississauga.


#CyberFLASH: The cyber economy’s soft underbelly


The Internet is critical to Canadian commerce and to federal, provincial, territorial and municipal governments. The federal government alone offers more than 130 commonly used services online, including tax returns, Employment Insurance applications and student loan applications.

It is no longer simply an easy way to send personal messages.

According to Public Safety Canada’s Cyber Security Strategy:

• 74 per cent of Canadian households had paid Internet service in 2008;

• 59 per cent of personal tax filings were electronic in 2008;

• 67 per cent of Canadians banked online in 2009;

• Canadian online sales in 2007 were estimated at $62.7 billion; and

• In 2007, 87 per cent of Canadian businesses used the Internet.

The identity protection and fraud detection service, CSID, of Austin, Tex., reported that in 2011, “more than 174 million records (were) compromised in data breaches, costing businesses US $5.5 million per breach in monetary damages.”

Tim Page, then-president of the Canadian Association for Defence and Security Industries (now VP of Seaspan), told attendees at last fall’s Security Technology Conference in Ottawa that there are “serious risks to public safety, threats to our ecosystems, traditional way of life and national security challenges abound and are growing in complexity, impact and cost.”
