Why Canada has so many cyberattacks—and why we’re all at risk

Cybersecurity boss Sami Khoury tells us how crime plays out in the Cyber Wild West

Courtney Shea
Content image
(Photo illustration by Maclean’s, photo courtesy of iStock)

Over the last few months, there has been a slew of high-profile cyberattacks against big Canadian retailers, critical infrastructure systems and, most recently, the City of Hamilton. Not even the Toronto Zoo is safe from the wide reach of the online underbelly. And as the world goes digital and more crime plays out in cyberspace, the threat is only going to increase over the next two years, says Sami Khoury, the head of the Canadian Centre for Cyber Security and author of a new report that details a rise in both financially and geopolitically motivated attacks. And yes, as with everything else, AI is making it even scarier. 

It feels like a week doesn’t go by without news of a new high-profile cyberattack: the Toronto Zoo, the LCBO, SickKids, Sobeys, Indigo, the RCMP… the list goes on. What’s driving this wave? 

The bottom line is that cybercriminals have found a way to make money through ransomware attacks. When the world first became digital, cybertechnology was a tool of states—another way for countries to spy on each other. But then these tools started to leak and fall into the hands of criminals, which is when we saw the beginning of ransomware attacks for financial gain. Initially, a criminal would break into a computer system, lock it and demand payment to unlock it. That has become less effective over the years as more businesses have backed up their data. Instead, most criminals today steal information from a company and then demand payment to give that information back. We are also just living more and more in the digital world, which increases our threat surface and gives more opportunities for bad actors to exploit. During the pandemic, so many businesses raced to go digital. Security may not have been their top concern in that rush. 

Say I’m a large department store. What kind of information do I have that can be stolen? 

Most often, stolen information is just tombstone data: name, address, birth date, social insurance number. If the business or institution that gets hit is not willing to pay the ransom, the information gets posted on the dark web as something other criminals might be able to leverage. Everything has a price attached to it: 50 cents per credit card number, two dollars per passport number. This kind of personal information is used to fuel scams—usually phishing schemes that have become an everyday occurrence. 

Get our top stories sent directly to your inbox twice a week

Of course, institutions get hit hard too. The average cost of reported ransom payments in Canada is around $300,000, but there is also the cost associated with having to take your entire system offline to prevent any spreading. Getting it back up and running can be very costly, both in terms of hiring technical experts and having your business offline for days or weeks on end. And if you are a business with clients, there is going to be a cost in terms of relationships and rebuilding trust. 

I guess the hacker stereotype of the basement-dwelling internet nerd is no longer accurate? 

There are still hackers who live that life. They are the ones who develop the breaching tools, only now they are selling them to more sophisticated criminal enterprises like LockBit and BlackCat—cybergangs that operate on an actual business model called RaaS, or Ransomware as a Service. These groups rent out their ransomware tools to other criminals and take a cut from ransoms paid by victims. These days, you don’t need to know coding to launch a cyberattack, you just need to know how to navigate the dark web and other people will do it for you. 

If it’s all about money, why target public organizations and not a big bank? 

We don’t talk publicly about specific incidents but generally, these are targets of opportunity. It’s not somebody on the dark web saying, I’m going to go after such-and-such organization, but they might have found a weak spot in the organization’s computer system that they are able to breach. Or somebody within the organization clicked on a phishing email, a scam email that tricks employees to share information, which allows a criminal to catapult their way inside the network without breaching the outside defences. 

I’m thinking of those scenes in Mission: Impossible where Tom Cruise is trying not to set off any of the laser trip wires. Now it’s all just clicks?

Right. By clicking you can allow a malicious actor to bypass all of your organization’s defences and once they’re in, they can communicate with people on the outside. 

Speaking of movies, paying ransom is often presented as an ethical dilemma, but you say it’s more of a business decision. 

In Canada there is no law against paying ransom. The government doesn’t recommend it, but yes, it’s a calculation. Any business considering it has to factor in two things: first, you’re dealing with a criminal and there is no guarantee that they will hold up their end of the bargain. In some quarters there is honour among thieves, but at the end of the day you just don’t know. We’ve heard cases of double jeopardy where they’ll ask for the ransom to unlock the system—just to delete your information again. Second, if word gets out that you paid ransom, maybe another group unrelated to the first one is going to target you. 

For businesses that do decide to pay, I’m assuming they’re not putting unmarked bills into a suitcase—

That’s right. Ransoms are generally paid through a cryptocurrency exchange, so you’re paying in Bitcoin laundered with other sources of Bitcoin, making it difficult for authorities to trace the payment back to the cybercriminal.

Are there professionals who specialize in handling these sorts of situations?

They’re called breach coaches—professionals who will hold your hand through a ransom negotiation, but ideally we want organizations to invest in cybersecurity to avoid these situations in the first place. If an incident does happen, our organization has published a ransomware playbook that contains lots of guidance about protecting yourself. We encourage anyone who has been the victim of an attack to report it so that we can assist. Our services are totally confidential. We know that cybercrime is often under-reported, perhaps because of shame or because the victims are too busy managing the immediate situation. In 2023, we had 305 ransomware reports from both individuals and businesses. The actual figure would be five or 10 times higher. 

What is the biggest cybersecurity mistake you see businesses making? 

We hear people say, I’m a small or medium business, why would anyone come after us, but that’s not the point. It doesn’t matter if you’re the zoo or a bank or a small business—if cybercriminals find a weak spot, they will exploit it. Almost always these weak spots are based on a failure to update. Whether it’s an iPhone or a corporate server, the update notifications you receive aren’t just about increasing functionality, they’re about closing vulnerabilities. 

So running an old OS is like leaving your keys in your glove compartment?

Exactly. That’s why I am always saying patch, patch, patch. 

We are also seeing cyberattacks against critical infrastructure and government. Last year in the energy sector, this month, the RCMP. Is the motivation for attacks against public institutions different? 

That really depends. Ransomware attacks can hit critical infrastructure and governments, but in cases of nation-state driven attacks, the motivation is generally strategic, either to steal some kind of valuable information—maybe Russia or China wants information about Canada’s oil reserve, for example—or to destabilize. Russia shut down electricity in Ukraine two Christmases in a row in 2014 and 2015. You can imagine if that was to happen in Canada, the impact would be devastating. 

How serious is that threat? 

In December we released a national cyberthreat assessment where we called out Russia, China and Iran—countries that have shown capability to hack into our infrastructure and remain dormant with the hope of doing something one day down the road. Last year, as part of a joint operation with U.S. intelligence, we caught China hiding in critical infrastructure networks, and we can assume they weren’t hiding to get money. 

You mentioned phishing emails as a growing problem. What is your best advice on how to avoid them? 

Everyone has to be very critical of the emails they receive. Phishing is more sophisticated now. Before, you’d just look out for weird sentences and grammar mistakes to know something was fake, but now cybercriminals are using ChatGPT to craft emails that are indistinguishable from the real thing. And it’s moving from the written word to also voice and video. They can go on YouTube and hear my voice in an interview I’ve done and now they can have my voice saying anything they want. 

You’re talking about deepfakes. Was Taylor Swift a hot topic around the office back in January? 

Deepfakes were definitely a topic of conversation—and still are, particularly from the point of view of electoral security. More and more we’re seeing cyberthreat actors use AI to generate misinformation whether it’s fake phone calls or videos. Over half the world will vote in the next year, so this could be hugely consequential.