No one is immune to the threat from hackers. They endanger critical infrastructure. They go after businesses and individuals. They target our health care system and civic society. They cost Canadians, companies and institutions billions of dollars every year.
The threat is too big – and too diffuse – to be handled by whacking moles as they emerge. With so many points of vulnerability, it’s time for the country to stop playing catch-up. This will require two things. First, there needs to be a stronger federal offensive, centred on an expansion of the RCMP’s cybercrime unit. And, second, Ottawa must help small players such as libraries or museums, cash-strapped institutions that may struggle to keep themselves safe.
This will cost money. But the scale of the hacking threat is sobering.
Canadian companies spent $1.2-billion last year recovering from cyberattacks, twice as much as two years earlier, according to data gathered by Statistics Canada. And a report last month from the Canadian Centre for Cyber Security shows that fraud losses were up nearly 50 per cent from 2021 through 2023, to $567-million last year.
The report points the finger at the usual suspects, saying that China, Russia, Iran, North Korea and India are all engaged in cyberattacks that likely go beyond espionage-gathering: “State-sponsored cyber threat actors are almost certainly attempting to cause disruptive effects, such as denying service, deleting or leaking data, and manipulating industrial control systems.”
What is the federal government doing? It’s tabled Bill C-26, which seeks to protect telecommunications and critical infrastructure. Introduced in the House of Commons in 2022, it began second reading in the Senate in September. But the bill has faced criticism for lacking oversight and transparency.
The government is also developing an updated National Cyber Security Strategy. That’s good. But it does not scream urgency that the one being refreshed dates to 2018, an entirely different era.
What more could the federal government do?
Ottawa needs to meet a transnational threat by stepping up diplomacy, engaging more with foreign allies and hiring additional cybersecurity experts.
This space has argued that the RCMP needs to be split between its local policing functions and a national force dealing with larger issues, including cybercrime. The National Security and Intelligence Committee of Parliamentarians noted last year that the Mounties had struggled to attract people with the “advanced education or specialized skill sets.” One way to help that is removing the need for all would-be RCMP officers to undergo paramilitary-style boot camp, training that makes no sense for someone who will work behind a computer and not in front-line policing.
The Centre for Cyber Security report also notes the growing problem of gangs, many operating with the support or at least sanction of hostile nations, offering ransomware or other hacking services to whoever will pay their price.
It’s a lucrative business. Although most of the businesses that gave information to Statistics Canada denied paying ransoms, it’s clear someone is coughing up. The hacker group Black Basta, which took down the Toronto Public Library in 2023, emerged in 2022 and had pocketed about $150-million by the time of the library attack. The library, which says it did not pay, needed months to get fully back into operation.
The hope of a payoff has sparked attacks on a range of soft targets. The criminals who hacked Toronto’s main children’s hospital felt abashed enough to apologize and unlock the stolen data. No such luck for five hospitals in southern Ontario, where a cyberbreach impacted patient care. The Calgary Public Library closed all branches last month after a hack. The Art Gallery of Ontario was hit in September.
The federal government should make its cybersecurity resources available to targets such as these, which are perennially short of money. A lot of the anti-hacking efforts are focused on critical infrastructure. This is logical. An attack on a dam or water-treatment plant poses catastrophic risk.
But a library keeping its doors open is critical in its own way, part of the social infrastructure that underpins life in Canada.
Hackers pose a threat to all parts of society. It’s not enough to respond each time they attack. Canada needs to go on the offensive.