Canada cyberspy agency blocked trillions of 'malicious actions' against feds last year

In the last year, Canada's cyberspy agency blocked on average 6.3 billion "malicious actions" a day against the federal government, and received ministerial authorization to conduct more active foreign cyber operations than ever before, a new report reveals.

In an ever-evolving online environment, with criminals, hackers and adversary state actors looking to exploit vulnerabilities in Canada— from taking down Prime Minister Justin Trudeau's website to much more malevolent goals—a new report from the Communications Security Establishment (CSE) details an increase in efforts undertaken in the last year.

According to CSE's annual report released Thursday, the agency's automated defences protected the federal government from 2.3 trillion "malicious actions," an average of 6.3 billion a day.

As the federal government's cyber security operations lead, CSE is mandated to focus on foreign intelligence, active and defensive cyber operations, and assisting federal partners with cyber protection with the goal of countering hostile state activity and cybercrime and disrupting foreign adversaries.

In the last year, approved by Defence Minister Anita Anand, CSE received authorization to conduct one defensive operation and three active operations; the most active operations since the Communications Security Establishment Act came into force in 2019.

While CSE isn't providing much specific detail about what all of these operations involved, the report does note that this year it did conduct active cyber operations to "disrupt and remove harmful terrorist content disseminated online by foreign, ideologically-motivated extremists."

"This disruption fractured the extremists’ group cohesion and significantly reduced their online reach and ability to recruit new members," said the agency in the report.

More broadly, in the last four years the agency has also conducted active cyber operations to counter hostile state activity, counter cybercrime, and assist the Canadian Armed Forces.These foreign cyber operation authorizations are valid for up to a year, and CSE is able to carry out multiple operations under a single authorization, though some can be "precautionary" and don't resolve in actions being taken.

"As always, there are parts of our work that we cannot share in a public report. We don’t identify specific targets of our signals intelligence gathering or foreign cyber operations. These are classified," said CSE Chief of CSE, Caroline Xavier, in the unclassified summary of the agency's work between April 1, 2022 and March 31, 2023.

The uptick in active operations comes after a 2022 federal budget boost of $273.7 million meant to bolster CSE's capabilities to conduct foreign operations for years to come.

As the report notes, all of the activities conducted by CSE's more than 3,200 employees are subject to external review by the National Security and Intelligence Review Agency (NSIRA) and the National Security and Intelligence Committee of Parliamentarians (NSICOP).

WHAT ABOUT FOREIGN INTERFERENCE?

Thursday's report plainly states that foreign states "are attempting to influence and interfere with Canada’s society and democracy" in a number of ways, including espionage and online disinformation.

While the report doesn't draw a direct line between China and foreign election interference, as has been a central preoccupation for federal politicians in recent months, CSE does call out China for its diaspora intimidation tactics.

Canadian Security Intelligence Service Director David Vigneault, left to right, Royal Canadian Mounted Police Deputy Commissioner Michael Duheme, Communications Security Establishment Chief Caroline Xavier and Canadian Security Intelligence Service Deputy Director of Operations Michelle Tessier discuss where to sit before appearing at the Procedure and House Affairs committee on Parliament hill, in Ottawa, Thursday, March 2, 2023. THE CANADIAN PRESS/Adrian Wyld

Canadian Security Intelligence Service Director David Vigneault, left to right, Royal Canadian Mounted Police Deputy Commissioner Michael Duheme, Communications Security Establishment Chief Caroline Xavier and Canadian Security Intelligence Service Deputy Director of Operations Michelle Tessier discuss where to sit before appearing at the Procedure and House Affairs committee on Parliament hill, in Ottawa, Thursday, March 2, 2023. THE CANADIAN PRESS/Adrian Wyld

"Authoritarian states use a variety of means to monitor and intimidate diaspora populations around the world, including in Canada. An example of this is the issue of the People’s Republic of China operating 'police service stations' in Canada," reads the report. 

Other than saying CSE "works with global and federal partners to mitigate the risks posed by these transnational repression activities," little detail is shared on what that mitigation looks like, though the agency outlined a series of ways CSE says it supports Canada's efforts to combat foreign interference.

These include:

• providing foreign signals intelligence to Government of Canada decision makers about the intentions, capabilities and activities of foreign-based threat actors;
• defending Canada’s federal elections infrastructure from malicious cyber activity;
• proactively helping democratic institutions improve their cyber security;
• sharing unclassified threat assessments with the public; and
• sharing information to help Canadians identify disinformation and protect their privacy and security online.

As part of a suite of measures meant to assuage concerns about the strength of Canada's intuitions in the face of foreign meddling, in March, Trudeau tapped NSICOP and NSIRA to launch external reviews of the 2019 and 2021 elections and how agencies including CSE responded.

In Thursday's report the agency said it has been providing information to these oversight bodies, and confirmed participation in the work done by former special rapporteur David Johnston.

A member of the Security and Intelligence Threats to Elections (SITE) Task Force engaged during the last two elections and the recent federal byelections, Thursday's report also notes that CSE has set up a dedicated point of contact that political parties can reach out to on cyber security matters, outside of election periods.

It appears that this line of communication was utilized last spring, when CSE briefed parties on the increased risk of Russian-backed cyber threat activity following the invasion of Ukraine.

"Representatives from five parties attended the briefing, which included cyber security recommendations. The Cyber Centre sent the content of the briefing to all 19 registered federal political parties," reads the report.

CSE said in the last year it has sought to expose and counter Russian disinformation social media campaigns, and has also supported Ukraine's cybersecurity by notifying them about "hostile cyber activities against Ukraine’s national infrastructure" and "vulnerabilities on their network infrastructure to prevent hostile activity" based on data shared proactively with CSE by the Ukrainian authorities.

COMMON SCAMS AND CRITICAL INFRASTRUCTURE

In addition to CSE's work providing foreign intelligence on cyber threats to Canada, the agency's "Cyber Centre" also works to alert industries and Canadians about emerging threats and tactics of state actors and cybercriminals online, and ways to protect themselves and their devices.

In the last year, hundreds of warnings have been issued, ranging from routine cyber hygiene advice to urgent alerts.

A recent example of this was a notice in May alerting of a "significant threat from a state-sponsored cyber threat actor associated with the People’s Republic of China" that was targeting critical infrastructure.

Outreach to Canada's critical infrastructure providers has increased at CSE in the last year, because internet-connected control systems used to operate key pieces of machinery or process have been identified as "a high value target" for malicious actors, from being able to turn on or off lights to malfunctions and permanent damage.

As for the ways individuals can be targeted, one area highlighted in the report was phishing emails and texts, which CSE calls smishing, that contain links to unsavoury domains to try to harvest personal and financial information, or install malware on Canadians' devices.

Working with partners, including those in the telecommunications sector, CSE reported receiving more than 850,000 suspicious web links, of which 274,000 were malicious, and 12,700 were previously unknown scam attempts.

Among the most common types of scams reported to CSE last year were package scams, health product scams, survey scams and cryptocurrency investment scams.

During the pandemic, CSE began working to remove websites and email domains that were imitating federal entities, and that work has now expanded to ridding the internet of other sources of malicious content.

In the last year more than 3,167 government of Canada spoofs were blocked or removed, as were 306,000 other malicious domains.

Other key statistics highlighted in the report include that between 2022 and 2023, CSE produced more than 3,000 foreign intelligence reports for the federal government, and responded to more than 2,000 cybersecurity incidents affecting federal institutions and critical infrastructure.

In the report, Anand said that as cyber threat actors increase their activity, and CSE issues more warnings, it should be a "wake-up calls for us all."

"We must be clear-eyed about the threats we face, and we must work with all stakeholders, including partners around the world to defend our common interests," the minister said.