On Wednesday, January 30, 2019, MLI Munk Senior Fellow Christian Leuprecht, along side Queen's University Professors David B. Skillicorn and Arthur J. Cockfield, provided a submission to the House of Commons Committee on Public Safety and National Security. Below is an edited version of their submission on the cybersecurity in Canada's financial sector.

By Christian Leuprecht, David B. Skillicorn, and Arthur J. Cockfield, January 31, 2019

The range of cyber threats facing the financial sector

The financial sector is part of Canada’s critical infrastructure; as such, cyber threats facing the sector are existential to both Canada’s financial industry as well as to Canadian prosperity and the democratic way of life.  The threats facing the financial sector are twofold:

  • Threats that derive from the general vulnerability of the Internet, which is the primary mechanism for online banking and financial transfers between banks and other entities.
  • Threats to the SWIFT network which handles interbank transfers.

For the Internet, threats cover the full range of: credential capture by phishing or spear-phishing; creation of fake banking portals; credit and debit card data capture (via illicit Near Field or RFID readers) or by data breaches from businesses that store such details insecurely; data collection via insecure apps for cell phones created by banks themselves or impostor apps downloaded by consumers unwittingly; denial of service attacks; ransomware; and transfer delays.

Banks are also vulnerable because of their inability (sometimes unwillingness) to detect money laundering and terrorist financing by failing to: analyse their own data extensively enough; follow ‘know your customer’ laws or internal bank protocols; and stop rogue workers that aid and abet criminals. Recent cases have resulted in fines in the hundreds of millions to billions of dollar range  because of these issues. The most recent headline maker is the Estonian branch of Danske Bank, a Danish bank, which is alleged to have laundered over US$230 billion.

The SWIFT network reaches the banks of almost all countries in the world and, as such, represents a single cyber-domain. This borderless property means that a bank in a developed Western country is exposed to hackers from anywhere else, including state actors and sophisticated criminals. Weaknesses in the SWIFT system have already been exploited to carry out bank robberies with substantial losses. For example, an attack on the Bangladesh Bank targeted almost a billion dollars, and was only largely thwarted because the criminals made a slight mistake in a request document. Even after security procedures were upgraded because of this attack, attacks have continued, for example a $12 million loss from Ecuador's Banco del Austro.

Recommendations:

  • support the cyber-security needs of small and medium sized financial institutions; and
  • develop a policy response for rebuilding the financial system’s technological infrastructure; and
  • publish warnings of retaliatory attacks against outside hackers responsible for attacks and pursue these hackers under all available avenues under domestic and international law.

The Canadian Cyber Threat Exchange as well as the global financial intelligence network of which the Bank of Canada is part provides critical cyber intelligence and domain awareness that shores up the resilience of Canada’s financial industry.  However, that holds true only for the large banks.  Many small and medium-sized players remain quite vulnerable because they do not benefit from this intelligence, yet are tied into the industry in ways that could generating cascading failures.

At the same time, the relationship between government infrastructure and capacity on the one hand, and the financial industry on the other hand, has yet to be clarified: if the Canadian financial industry were to suffer a devastating attack, could government resources successfully rebuild technological infrastructure after the attack and should the government use offensive cyber capacity to retaliate?  Making clear and explicit the government’s willingness to help defend critical infrastructure in Canada from cyber threats is part of a broader deterrent strategy to contain such threats, which the government has yet to ponder or at least articulate publicly for adversaries to note. The response should set out how Canada plans to engage with international law to detect and sanction cyber-threats.

Sector-specific vulnerabilities and mitigation efforts

The banking sector is vulnerable to actions by insiders (sometimes referred to as rogues), whether wittingly or coerced. Of course, banks have long been aware of this and have robust vetting and oversight processes in place – but the amount of effort required for an insider to steal a small amount and a large amount is not as different as the magnitudes of the amounts, so there is always the temptation for one large theft. Insiders often have inside knowledge that makes them vulnerable to coercion by outside criminals. Given that up to $2.5 trillion is laundered around the world each year, organized crime in particular has powerful incentives to corrupt bank employees to maintain these cross-border flows.

In Canada, banks take responsibility for consumer losses as long as consumers have not been negligent about their own security. This is much better for consumers than jurisdictions where  consumers are responsible for their own losses but have little leverage to improve banks’ security. However, the Canadian policy has some perverse consequences. First, banks are not as careful about security as they could be, judging that consumers prefer simplicity over less-user friendly network security solutions. This is a reasonable business decision as long as the trade-off is revisited regularly, and attention is paid to the potential for catastrophic losses because of it. We are not convinced that sufficient attention is in fact being paid. Second, when banks are robbed using a cyber-attack, they have no incentive to go public with the method used, even to other banks (banks do, of course, communicate with one another about attacks, but it not clear how speedily and at what level). This enables cyber-criminals to target each bank individually, with little fear that a vulnerability used for one will have been patched for the others.

Banks also face reputational risk because they are the conduits for moving money, even when it is moved for illicit purposes. Banks are the vehicle for financing of drug trafficking and many forms of fraud; they could do more to prevent this, using data analytics on their transaction data for anti-fraud purposes but have little incentive to do so.

Recommendations:

  • develop a policy framework to mitigate consumer losses from risky behaviour;
  • support the nascent cybersecurity insurance industry;
  • develop policies to incentivize data analysis of bank data for cybersecurity purposes; and
  • encourage more government collaboration among law enforcement, FinTRAC and financial

Over the medium term the financial industry will likely not be able to carry the burden of losses due to cyber threats that already amount to billions annually.  It will also need to improve its corporate behaviour with respect to cyber threats.  Government should develop a framework under which banks can offload some of these losses on consumers whose behaviour constitutes disproportionate risk and that, at the same time, effectively penalizes industry players for poor behaviour.  Both clients and the industry as a whole thus stand to benefit from the nascent cybersecurity insurance sector.  Insurance effectively makes it possible to valuate and monetize risk by corporations and individuals.  However, the cybersecurity insurance market requires regulation to develop and mature.

No country has been able to incentivize banks to leverage their vast amount of data about their customers and transactions for cyber-security purposes by applying data analytics to it. Banks regard data analytics as a cost, when cybersecurity analysis could be an asset for them as it deepens their understanding of their customers and business – but also provides a benefit to law enforcement and financial regulators. Government should expand its capacity for collaboration between financial institutions, the RCMP and FinTRAC. A recent successful example of such a collaboration between FinTRAC and financial institutions occurred via Project Protect that assisted law enforcement in tracking down sex traffickers.

Infrastructure dependencies

The Internet does not respect national boundaries, making it difficult for any business to control where its data resides and how its communications travel between locations. Information-rich businesses such as banks as, therefore, vulnerable to data outages, data breaches, and interruptions to communications that are caused in other countries, either accidentally or deliberately.

The SWIFT network has had multi-hour outages that have led to banks being unable to meet payment deadlines. The Internet infrastructure itself is also a vulnerability, and outages in particular regions are frequent.  During an outage, customers are unable to pay for products and services and transfer money in a timely way.

Financial institutions are motivated to keep data about customers and transactions in national repositories, but this is difficult to ensure because the institutions themselves are often multinational, the location appropriate for each customer may be far from obvious, and backup and cloud services may place data in unexpected places for the best of reasons. Financial institutions are, therefore, vulnerable to data breaches in jurisdictions outside Canada, where regulations are weaker.

Banks are thus vulnerable to the infrastructure of the communications systems they use, and it is the nature of the current system, and any conceivable extension such as 5G, that these vulnerabilities can only be hardened against, not avoided.

Recommendation:

Canada should pursue a sovereign data localization strategy, reinforced by legislative and tax incentives, to require critical data: to be retained only in Canadian jurisdiction; to set clear standards and expectations for the resilience of Canadian communication infrastructure; to monitor that resilience; and to impose penalties on critical communication infrastructure players who fail to adhere to standards or fail to make adjustments that otherwise leave them vulnerable.

The role of communications services providers in threat detection/mitigation

Telecom providers have access to information about the overall structure of communication that is richer than any other entity can have. In principle, therefore, they are able to detect denial of service attacks, spoofing of email addresses or website URLs, and malware embedded in emails or messages. An example of how effective this can be is the deep packet inspection used by the Communications Security Establishment to protect Government of Canada websites and emails.

Two issues prevent this potential from being fully exploited. First, this level of detection is expensive so there is little incentive for telecom providers to provide it. Second, telecom providers consider that amelioration, once detected, is legally problematic. Telecom providers in Australia have been much more willing to be proactive, even though their legislative regime is similar to that in Canada. The widely different actions in Canada and Australia are something of a puzzle.

Recommendations:

  • The government should clarify the opportunities and obligations of telecommunications providers with respect to detecting and ameliorating communications that have the potential to do harm; and
  • the government should devote more resources to cybersecurity research.

Canada has world-class capacity in cryptography, notably through the Institute for Quantum Computing.  Canada would do well to invest more systematically in a cybersecurity research ecosystem that brings together government, researchers, and the private sector.  The Smart Cybersecurity Network, funded by the National Centres of Excellence, and with which one of us (CL) has been involved since its inception, has taken on some of the coordination.  However, it has neither a mandate nor capacity to conduct neither research nor postsecondary education.  While Australia now has nine cybersecurity centres at universities co-funded by private industry as well as a Cyber Security Collaborative Research Centre with $50 million in government funding, Canada has nothing of the sort.  While the Government of Canada is investing significantly in AI, there is not a similar concerted effort for cybersecurity research or training of the next general of highly skilled personnel.  Canada needs to invest systematically in generating the requisite skillsets, capacity, expertise and research. External grants could include industry partners and emphasize commercialization to improve adoption rates of cybersecurity innovations. (A particular problem is that education is a provincial mandate, limiting federal government leverage to make this happen – a cooperative federal-provincial process will be needed.)

Issues related to entities participating in the Canadian economy/telecom infrastructure that may be subject to extraterritorial direction from foreign governments

Two parts of the telecom infrastructure contain inherently unfixable vulnerabilities: the network switches that form the backbone of the Internet, and consumer devices themselves.

Network switches necessarily see all of the traffic that they direct. If this traffic is not encrypted or weakly encrypted, such switches may be able to read everything that passes through them. Even if the traffic is strongly encrypted, the patterns of communication (who communicates with whom, how often and when, how much) cannot be hidden from the switch, and this ‘traffic analysis’ can be revealing.

Switches can also control how they manage the communication, ranging from delaying it (which could be crucial for e.g. currency exchange transactions) to cutting it off completely. Because most traffic passes through multiple switches, it can be hard to trace the point at which the problem happens, providing plausible deniability.

The hardware and software of a switch can be analysed, looking for built-in vulnerabilities that might have been inserted by a foreign government. For example, the UK’s Cyber Security Evaluation Centre, set up for GCHQ staff to evaluate Huawei hardware and software. However, it needs to be possible to update the software in a switch from time to time, and so each switch possesses a mechanism to ‘call home’ to allow it to check for and get such updates from a remote location. Policing this update mechanism is extremely difficult.

The routing technique of the Internet uses tables that tell each switch which outgoing link to use to reach each eventual destination. These tables themselves are a vulnerability, and there have been several recent incidents where large amounts of traffic have been misdirected through the territory of a particular state (where it could, at least in principle have been subject to analysis).

Consumer devices such as cell phones have an inherent vulnerability because they must be able to see key presses and displayed information, even if this data is encrypted for the rest of its existence. The manufacturer of such devices is in a position to see all of its input and output, even if the storage on the device and all of its communication are encrypted. Since such devices are routinely used for banking transactions, capture of financial details and transactions can, in principle, be captured.

Recommendation

The government should ban telcom providers such as Huawei from participating in the development of 5G network infrastructure.
In our view, the government should ban Huawei from participating in the development of Canada’s 5G mobile network infrastructure. As a result of a recent change under Chinese law, China can request any domestic company, including Huawei, to assist it to support national interests, including intelligence interests. A related concern is that China and its industries are suspected to engage in industrial espionage on a large scale as an inexpensive means of R&D “transfer”.  Moreover, Huawei and the ruling Communist Party appear interwoven in many important fashions, including via state subsidies – reportedly $10 billion in a single year.  The systematic theft of IP along with massive state subsidies made it impossible for competitors such as Nortel Networks to compete and, ultimately, helped precipitate to the demise of Canada’s premier high-tech company.

Since communications is critical infrastructure, the government should be excluding wholesale any foreign entity with suspected ties to any country where strong evidence exists of significant prior IP theft or intelligence gathering.  For the sake of Canadian security, Canadian industry, and Canadian research, Canada has a strategic interest in supporting our allies in banning foreign entities they find undermine their national security interests.  In so doing, the Canadian government would join not only its Five Eye partners -- the US, Australia and New Zealand -- but a growing list of other allies that have either already taken this step, or are actively looking at ways to exclude to ban Huawei from their 5G and communications networks, including Japan, South Korea, Germany, France, the Czech Republic and Poland.

Furthermore, the Evaluation Board of the Huawei Cyber Security Evaluation Centre (HCSEC), set up jointly between the entity in question and GCHQ, has become even less certain about this entity and its products’ security implications, with UK and French telcos actively replacing that equipment in their critical communications infrastructure.

In this matter, Canada appears increasingly out of step with our key allies, and dithering carries reputational risk for Canada’s perceived reliability as an ally as well as the Canada’s integration in the North American and allied communication infrastructure.  Canada already opted to exclude this foreign manufacturer from critical government infrastructure years ago.  It should do likewise for the national grid.

Christian Leuprecht is a Munk Senior Fellow at the Macdonald-Laurier Institute and a professor in leadership at the Royal Military College, cross-appointed to Queen’s University. David B. Skillicorn is a professor in the School of Computing at Queen’s University, and Arthur J. Cockfield is a Professor at Queen’s University's Faculty of Law.