A: Well, we certainly could have responded to that. We are one part of the response. So we try to get as much information out and our goal is to try to prevent it. But at the end of the day, the companies involved need to take action on cybersecurity. We don’t, and can’t, step in and run their computer systems and we don’t step in as a fix when there’s a vulnerability.
It’s about companies and boards treating cybersecurity as part of the broader safety plan. I have seen this in my conversations with energy sector executives: cybersecurity is talked about at the same level of conversations when they’re talking about any other risk factor. That’s a significant change in the last few years.
We know how we would have responded, we know how we would have approached and worked with the sector and a victim in any of these cases. But there’s always more you can do in cybersecurity.
Q: Do you conduct stress tests on critical infrastructure?
A: We work with Public Safety Canada (who lead on all hazards). We work with them and with partners in the energy sector. We work through scenarios and most have a cyber element. A lot of companies will also do their own vulnerability testing and hiring of external organizations.
Q: With the energy infrastructure in the midst of rapid change, does it complicate things and could it lead to more vulnerable links?
A: It might, if we don’t think about it at the start. The grid is a lot more dispersed if you look at the electrical side of things. But really, it’s all being powered through the next generation of the operational technology: how are the pipelines controlled and how is the grid balanced? Most of that’s done online, whereas it used to be an offline system.
We’re building this new infrastructure… how do we also make sure it’s protected against the threats that new infrastructure is facing? And that’s something that we are talking about with industry.
Q: Do you buy the explanation that the attack on Colonial Pipeline was a mercenary attack, or were state-level players involved?
A: We certainly don’t dismiss any theories. I don’t have anything where I can answer that definitively. But we don’t just assume DarkFace’s web postings at face value. We’ll see what could be coming next. But at the same time, criminal elements have gotten very sophisticated. And it is very plausible that it was a criminal element looking for financial gain.
Q: Cybersecurity makes news when things go wrong, but have you fended off attacks successfully in the last few years?
A: Absolutely. I can’t really speak on behalf of any Canadian company, but we certainly have given information that has stopped things from hitting Canadian industry.
It wouldn’t have been as catastrophic as what we just saw, in terms of shutting down an entire pipeline — no — but we have stopped things like that. On the Government of Canada side, though, we take between two and 7 billion actions per day to stop malicious cyber activity.
This level of activity is constant. And it’s one of the hardest parts of my job. When we’re successful, nobody pays attention. As defenders, one of the challenges we face is, you can be successful 99.9 per cent of the time. But it’s that 0.1 per cent that is going to make news and make everybody worry, and it’s going to have a devastating effect. Whereas the criminals can fail 99.9 per cent of the time and succeed 0.1 per cent — and they’re making a profit.
Q: Are the government and industry in a state of high alert after such an attack?
A: We are always vigilant. When there’s an incident that affects Canada or could affect Canada, we do go into a higher state of alert. But we’re always kind of in a heightened awareness — there’s just no time to stand down anymore. The last month was our busiest month on cybersecurity, but that’s since the month before which was the busiest and the month before that was the busiest. It’s just on a curve that’s ramping up very quickly.
The answers have been edited for clarity and space.