By Esther Shainblum and Martin U. Wissmath

Ransomware on the Rise says Cyber Centre in New National Cyber Threat Assessment

According to an eye-opening “call to action”, individual Canadians and organizations are facing increasing risks to their data security as cybercrime continues to evolve and proliferate, according to the Canadian Centre for Cyber Security (“Cyber Centre”). The Cyber Centre published its National Cyber Threat Assessment 2023-24 (the “Assessment”) on October 28, 2022, on the Cyber Centre website. Among the major cybercrime threats described in the Assessment are ransomware, exploitation of critical infrastructure, cyber threats from foreign state-sponsored actors, misinformation, disinformation, malinformation (MDM), and “disruptive technologies” such as cryptocurrencies and decentralized finance. As described in Carters’ Charity & NFP Law Bulletin No. 468 and the February 2022 Charity & Not-for-Profit Law Webinar, the pandemic has caused a sea change in how people use technology and the internet, including work from home and hybrid work arrangements, greatly expanded use of the internet for business, work, medical and other purposes and the proliferation of cloud-based software and services that support organizations operating in the expanded cyber landscape. Cybercriminals and certain nation states exploit opportunities and weaknesses in this environment, posing a significant threat to Canadian organizations, infrastructure and individuals. 

In a foreword to the Assessment, the Minister of National Defence, Anita Anand, stated that cyber security has become a “top concern” over the last two years since the expansion of online services during the COVID-19 pandemic, and that ransomware incidents “hit the headlines on an almost daily basis both in Canada and around the world.” Ransomware is “malicious software that restricts access to or operation of a computer or device, potentially restoring it following payment.” Due to its impact on an organization’s ability to function, according to the Assessment, ransomware is “almost certainly the most disruptive form of cybercrime facing Canadians.” Financial costs can be significant, and an organization’s data can be destroyed, or sensitive information revealed. Average ransomware payments from 2020–2022 have nearly doubled from $150,000 to nearly $300,000. Additional costs can include reputational damage, unrecoverable data, and the costs of repairing damaged systems.

Other than deploying ransomware tactics, cybercriminals sponsored by foreign states, such as China, Russia, Iran and North Korea, can “target diaspora populations and activists in Canada, Canadian organizations and their intellectual property for espionage,” and even target Canadian organizations for financial gain, according to the Assessment. Artificial intelligence with “machine-learning enabled technologies are making fake content easier to manufacture and harder to detect” the Assessment reports. This has led to a proliferation of MDM, which degrades trust in online spaces. As cybercrime is enabled by cryptocurrencies, cyber threat actors can “deceive and exploit” machine learning in consumer services. Quantum computing also has the potential to enhance cybercriminals’ ability to steal and decrypt sensitive information. Charities and not for profits are not immune to these threats. 

The report points out that over 400 healthcare organizations in Canada and the United States have experienced a ransomware attack since March 2020.  Further, cybercriminals and other actors are targeting supply chains and managed service providers, threatening any charity or not for profit that use such providers to host their websites, IT resources or to provide them with fund development, customer relations or email services (for example).  The July 2020 Blackbaud breach, which affected dozens of Canadian charities, is an illustration of the threat this poses.  In addition, the Assessment points out that data transmitted through or stored on a server physically located in a foreign state is at risk of being accessed/exploited by that state, potentially threatening the personal information being stored or transmitted. Charities and not for profits using cloud-based providers or other third parties to store or otherwise process their data are exposed to the risk that personal information for which they are accountable could be threatened.

However, there is some positive news in the Assessment as well. Sam Khoury, head of the Cyber Centre, stated that the “vast majority of cyber incidents can be prevented by basic cyber security measures” with practical steps outlined in guides available on the Get Cyber Safe website. Not-for-profits and charities should inform themselves about these threats, pursue practical steps to improve their own cyber security standards and protect personal information in their custody or under their control. Awareness and “best practices in cyber security” can mitigate many cyber threats, according to the Assessment. Cyber threats continue to succeed because they “exploit deeply rooted human behaviours and social patterns, not merely technological vulnerabilities.” For more information about cyber security, the Cyber Centre recommends reading its Cyber Security Guidance on these issues, as well as visiting the Get Cyber Safe website.  

​Read the November 2022 Charity & NFP Law Update