The Newfoundland hack is continuing to prove the need for privacy reform. While a Canadian spy agency gave a fresh reason, the government still won’t act.
Last month, we reported on the Newfoundland ransomeware attack. At the time, we pointed out that this hack is a fresh wake-up call for Canada to reform privacy laws. Unfortunately, the Canadian government continues to prove that, time and time again, it really doesn’t take people’s personal information seriously.
Canadian privacy laws have been woefully out of date for years now. Back in 2019, privacy reform received broad party support. Everyone knew way back then that it is needed and that it would go largely uncontested should the government actually follow through with its promises of reforming those laws. This broad movement was made all the more urgent thanks in part to Europe finally getting its act together and putting into force their own privacy laws a year earlier. It couldn’t have been more clear, privacy reform was not only wanted, but badly needed back then.
Of course, sensing a whiff of possible accountability, Canadian businesses came knocking and lobbied to shut down that whole privacy reform thing. This is because getting off their lazy rear ends and actually lifting a finger to protect Canadian’s personal information might cost money. That’s about the last thing businesses want to do is spend a little money for moral purposes. After that, the bill stalled with the Innovation Minister blaming Conservatives for Liberal inaction. After it died on the orderpaper after the election was called, provinces finally gave up hope and started drafting their own privacy reform laws. Unfortunately, such measures were always destined to be a patchwork system which highlights the need for action from the federal government.
Now, here we are, post election, and the Speech from the Throne hinted that the Liberals have long forgotten about privacy reform, letting that legislation get swept out into the dustbin of history. While businesses are happy that they won’t have to take action to protect people’s personal information, the result is that Canadians are more vulnerable than ever before.
That vulnerability showed itself thanks to the Newfoundland ransomeware attack where critical infrastructure was successfully targeted. Unfortunately, the Canadian government opted to hit the snooze button on that wake-up call and hoped that it all would go away on its own. Obviously, there is no evidence to suggest that this problem of people’s personal information being at risk would solve itself on its own. Now, a report from the Communications Security Establishment (CSE) is saying that attacks are, unsurprisingly, on the rise. With the Canadian government continuing to jam its own fingers in their own ears screaming “la la la, I can’t hear you!”, it has painted a giant “hack me” sign on the backs of Canadians everywhere. From the CBC:
More than half of the known ransomware victims in Canada this year were critical infrastructure providers, according to a new threat assessment from Canada’s cyber spies, and the number is likely even higher.
As part of a push a new awareness campaign, the Communications Security Establishment (CSE), Canada’s foreign signals intelligence agency, released a ransomware bulletin Monday looking at the key trends of ransomware in 2021.
“Brazen, sophisticated, increasing in frequency, and, for the cybercriminals, very profitable,” assessed CSE’s Cyber Centre in its report.
“The impact of ransomware can be devastating, and the severity of the financial consequences related to a ransomware attack can be profound.”
Ransomware is a form of malware used by threat actors and criminals who encrypt files on a device then demand a ransom in exchange for decryption. Once successfully hacked, ransomware victims are often attacked multiple times.
CSE said it’s aware of 235 ransomware incidents against Canadian victims from Jan. 1 to Nov. 16 of this year and more than half of those targets were critical infrastructure providers, including those in the energy, health and manufacturing sectors.
The number is likely higher, as the agency said most ransomware events go unreported.
Of course, privacy reform would go a heck of a long way in solving these problems. As proven in Europe, privacy reform can set a standard for minimum level of security. Laws such as requiring encryption when sending or receiving personal information or standards for critical infrastructure can be put into place. Failure to comply can result in fines. That adds a financial incentive for sectors everywhere to raise the standards of security should they deal with personal information. This alone can offer a minor deterrent for black hat hackers trying to break in and cause problems in IT infrastructure.
What’s more is that privacy reform can set rules that says that companies must report hacks and security breaches to authorities. One of the worst things one can do in the event they become compromise is keep it secret. With unreformed privacy laws, the market incentive is to keep the details of a hack under wraps. This leaves customers exposed without their knowledge and empowers those with nefarious motives to commit these crimes. When not even the victim will report the crime, this lowers the potential repercussions for the criminals in the first place, encouraging the hacking behaviour.
All of this isn’t exactly secret. Europe’s General Data Protection (GDPR) laws wound up being a blueprint for other countries to update their privacy reform. The problems with the GDPR wasn’t that the laws were overly burdensome as many had feared. The problems of GDPR was that the laws were wildly overly successful. Enforcement struggled to keep up with the demand and all those reports now flooding into government offices. Questions about its necessity were quickly replaced by whether or not its enforcement was going to be followed through or if the penalties were going to be effective (which is currently set at a maximum €20 million or 4% annual turnover, whichever is greater).
Thanks to the Speech from the Throne and all indications so far, the Canadian government sadly just doesn’t care. While it may pay lip service to whenever a major incident crops up, the Trudeau government continues to show signs that no privacy reform is even on the horizon as if the need isn’t there (it very obviously is). Parties have shown to support it, the public will obviously be on board, and the necessity continues to scream out “just do it already!”, but the Liberals have no interest in acting. With that, the invitation to international online criminals continues to remain open. That leaves Canadians to continue to pay the price of the Canadian governments negligence.
Drew Wilson on Twitter: @icecube85 and Facebook.
