Feds could make reporting of cyberattacks mandatory: Mendicino
The federal government is considering making it mandatory for Canadian businesses and organizations to report cyberattacks, Public Safety Minister Marco Mendicino said Thursday.
“It’s an option that we’re looking at very carefully,” Mendicino told members of the Public and National Safety Committee.
Mendicino warned members of the committee that the current international situation has increased the threat of cyberattacks against Canadian businesses, organizations and various levels of government.
“I can’t stress enough how important it is that in the current geopolitical environment…we are on high alert for potential attacks from hostile state actors, such as Russia,” he said.
The minister said these attacks “could manifest as cyberattacks, through ransomware, that seek to identify potentially valuable targets for Canadian interests, such as critical infrastructure, but also for sub-national targets, different levels of government and other sectors of the economy.”
Mendicino said that since the government created the Canadian Center for Cyber Security, it shares information on cyber threats with owners and operators of Canadian critical infrastructure. The federal government has also created a special unit within the RCMP to coordinate police operations against cybercriminals.
Mendicino was questioned by NDP MP Alistair MacGregor as the committee continued its hearings on Canada’s security posture vis-à-vis Russia.
MacGregor said the committee heard from some witnesses who called for mandatory incident reporting.
“Sometimes companies are loath to report that they’ve been hijacked by ransomware,” MacGregor told Mendicino. “They find it easier to pay the person than not to report them. Also, there may be a threat of further damage if they do in fact report to the authorities.
“If we don’t really know the full extent of the problem, if some companies are keeping this in-house, what steps is your government taking to perhaps introduce a mandatory reporting requirement…?”
The threat is increasing, according to the government agency
The Center for Cyber Security has issued a number of bulletins warning Canadians of the potential for cyberattacks by Russian state-backed actors who may attempt to attack critical infrastructure, such as electrical systems.
In its National Threat Assessment 2020 report, which outlines its predictions for the next two years, the center said the number of bad actors is growing and they are becoming more sophisticated. It warned of a potential increase in cybercrime, ransomware attacks and commercial espionage in Canada, particularly against Canadian companies, academic institutions and governments that may have proprietary information.
“Canadian organizations of all sizes, such as small and medium-sized businesses, municipalities, universities and critical infrastructure providers, face an increasing number of cyber threats,” the center wrote in its report.
“These organizations control a range of assets that are of interest to cyber threats, including intellectual property, financial and payment information systems, customer, partner and supplier data, and industrial plant and machinery.”
Ransomware payments are rising, report says
The value of ransomware payments is also on the rise, the center warned.
“Ransomware researchers estimate that the average ransom demand has increased by 33% since the fourth quarter of 2019 to approximately C$148,700 in the first quarter of 2020 due to the impact of targeted ransomware operations,” the report states. “At the more extreme end of the spectrum are multimillion-dollar ransom events, which have become increasingly common.”
Groups like the Canadian Federation of Independent Business (CFIB) say the government should focus on providing information and improving policing instead of making reporting mandatory.
“Companies can already report cyberattacks,” said Jasmin Guénette, vice-president of national affairs for the CFIB.
“Forcing them to do so won’t lead to fewer attacks – it will mean more work and bureaucracy for businesses. Some of them don’t want to report cyberattacks, fearing their further consequences.”