Cyberattacks top concern for Bank of Canada boss amid rapidly changing tactics

Click to play video: 'What can Canada do to thwart cyberattacks against democratic processes?'
What can Canada do to thwart cyberattacks against democratic processes?
Communications Security Establishment Chief Greta Bossenmaier outlined steps officials and citizens can take to combat cyber threats against Canadian democratic processes – Jun 16, 2017

OTTAWA – Of all the economic fears that could keep Stephen Poloz awake at night, the threat of a cyberattack is perhaps the one that troubles him the most.

The Bank of Canada governor can talk all day about household debt and how a global recession would slow down the economy, push up unemployment and make mortgage payments difficult for some people, and never lose faith that the system would be resilient enough to prevail, he said in an interview.

But a cyberattack against the financial system? Poloz admits he’s unsure what the fallout would be and he struggles to picture what such an event might look like.

For a policy-maker who carefully studies stacks of data before making a decision, the many unknowns surrounding the rapidly evolving world of cyberthreats are disconcerting, to say the least.

Story continues below advertisement
Stephen Poloz, Governor of the Bank of Canada, holds a press conference at the National Press Theatre in Ottawa on Wednesday, June 8, 2017.
Stephen Poloz, Governor of the Bank of Canada, holds a press conference at the National Press Theatre in Ottawa on Wednesday, June 8, 2017. THE CANADIAN PRESS/Sean Kilpatrick

“It leaps up to the top of your consciousness pretty quickly – I think in many ways it’s more worrisome than all the other stuff,” Poloz told The Canadian Press in an interview Wednesday at the bank’s headquarters in Ottawa.

“Every event you hear of sounds different, or happens in a different way…. There’s all these things you and you think, ‘My God, how do I get my arms around that whole risk and what are the consequences?”‘

Poloz shared his unease at a time when governments, central banks and the private sector around the world are searching for new strategies to counter hacks. Many, including the Bank of Canada, are pouring more resources into the area to learn new ways to prevent an attack, react to contain any damage, and how to pick up the pieces afterwards, if necessary.

Story continues below advertisement

The central bank warned Canadians in June that the country’s interconnected banks are vulnerable to a cascading series of cyberattacks, something that could undermine broad confidence in the financial system.

The report, known as the financial system review, also said such structural vulnerability could allow for the easy spread of an initial attack into other sectors, such as energy or water systems. The report urged commercial banks to co-operate on countering the threats, which aren’t going away any time soon.

It pointed to eight high-profile cyberattacks on banks in 2016, including an US$81-million heist at the Bangladesh Bank.

One recent, high-profile example was the cyberhack last summer of the company Equifax, which collects data on consumer credit histories and provides credit checks. It led to a data breach that compromised the personal information of about 145 million Americans and 8,000 Canadians.

Story continues below advertisement

The federal government, including the finance and public safety departments, have been studying policy options to better protect Canada. In 2016, the government promised $77 million in new money over five years to bolster cybersecurity.

The Senate’s banking, trade and commerce committee has also been studying cybersecurity.

Their efforts come amid signs that suggest Canada still has a long way to go.

A federally commissioned report last year warned the government was “simply not up to the overall challenge” of fending off cyberthreats on its own and must partner with the private sector and the United States to tackle the problem.

Canada was also called a prime target for cybercrime, state-sponsored attacks and lone hackers, said the final draft version of the April 2016 report, which was obtained by The Canadian Press via the Access to Information Act.

On Wednesday, Poloz said government has a critical, co-ordinating role to play in defending the entire system – not just the public sector – from hackers.

Story continues below advertisement

“If you continue just to add institution-by-institution guidelines, you will not create enough of an umbrella to protect anybody from the social consequences of a cyber event and, therefore, almost definitionally there will be one,” said Poloz, who expects the issue to feature prominently on the G7 agenda when Canada plays host next year.

“What are the social consequences if our payments system goes down for any length of time? Big disruption to the economy. So, it becomes a macroeconomic consequence from maybe only one member of the payments system having a vulnerability that wasn’t guarded against.”

VIDEO: A hacking ring has stolen up to $1 billion from banks around the world in what would be one of the biggest known banking breaches.

J. Paul Haynes, president and CEO of a Canadian cybersecurity firm eSentire, said even smaller hacking incidents can ripple through the system and create far greater collateral damage.

Story continues below advertisement

“We are one mouse click away from a doomsday situation being set in motion,” said Haynes, who has made presentations on cyberthreats for officials from the Bank of Canada and other regulators.

But even the best efforts sometimes fall short, experts warn.

Paul Vallee, president and CEO of the Canadian-based IT services firm Pythian, said the financial system’s vulnerability to a cyberattack is very real despite attempts by companies, such as commercial banks, to defend themselves.

“These people are working very hard on this and they have well-funded initiatives to try to secure their infrastructure,” Vallee said. “It doesn’t change the fact that the likelihood of an incident is almost perfect – it’s almost for sure guaranteed.”

Sponsored content