As the number of successful pandemic-related scams continues to grow online, Canada’s cyber spy agency is helping to launch a new — and free — threat-blocking tool for all Canadians to use.
This first-of-its-kind initiative is getting tentative applause in cyber security circles, but experts caution the initiative needs to be closely watched to make sure it doesn’t cross any red lines.
The Canadian Internet Registration Authority (CIRA, the not-for-profit agency that manages the .ca internet domain) and the Communications Security Establishment, Canada’s foreign signals intelligence agency, teamed up on the CIRA Canadian Shield — a protected domain name system (DNS) service that prevents Canadians from connecting to malicious websites that might infect their devices and steal their personal information.
CIRA is providing the threat blocking technology while the CSE’s Canadian Centre for Cyber Security is offering its threat intelligence services — basically a who’s-who list of every bad actor roaming the web.
“For any piece of malicious software to get to you, 90 per cent of it relies on knowing the address book of the internet,” said Scott Jones, head of the cyber security centre.
“What we do is when we know it’s malicious, CIRA makes sure that you don’t get told to go to the bad address. It stops you from getting to the bad place.”
The two agencies were working on the project long before the pandemic struck, said Jones, but the current global emergency makes it more relevant because large numbers of Canadians are now working from home, often on unsecured networks or devices.
“We’re not just feeding in information about malicious attacks that are COVID-related. We’re feeding in anything we see from any criminal activity that’s targeting the government, or that we’re getting made aware of. Any state-sponsored type activity as well that we can block, we’re putting it in there,” he said.
“Basically, anything we’re using to defend the government of Canada we’re now making available for all Canadians, so that they can protect themselves.”
Project should be audited for censorship: researcher
Christopher Parsons, a senior research associate at the Citizen Lab through the Munk School of Global Affairs and Public Policy, said the electronic spy agency has made progress in stepping out of the shadows.
“This represents to my eye a continuation of that effort, to take what is often sort of secret or classified information, turn it into a way that could be made publicly available and then trying to make it more useful to Canadians,” he said.
Parsons said that even if all those involved in the project are driven by good intentions, it should be audited and tested to make sure it’s not accidentally blocking Canadians from accessing safe sites.
“It’ll be important to assess and evaluate and ensure that the items that are being provided to CIRA from the government are in fact appropriate to block,” he said.
“I don’t think that it’s likely that the cyber centre is, you know, going to secretly use this to build a censorship networking path. I truly cannot see that happening, but mistakes could happen.”
Jones stressed the agency is collecting only anonymized statistics about how frequently the Canadian Shield blocked web addresses on its threat list.
“Nothing about Canadians as individual users. We get nothing about their usage patterns,” he said.
While the CSE collects a wide array of foreign communications related to Canada’s interests — including phone calls and emails — its mandate restricts its ability to collect data on Canadians. Given the sensitive nature of its activities, it’s monitored by an independent watchdog group — which has reprimanded the agency over its metadata collection practices in the past.
As the Canadian operator of the threat-blocker, CIRA would have to comply with Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act.
Wesley Wark, a University of Ottawa security and intelligence expert, said the project could do a lot of good — but attention should still be paid to the anonymized data it collects.
“The CIRA cyber shield is a new public initiative, so it certainly deserves scrutiny,” he said.
“Anonymization might be the most sensitive issue. [Data] anonymization is a tricky business, as CSE itself knows. It can fail and if it did, it might have impacts on privacy.
“If the Canadian Shield system functions properly, it could make a significant contribution to internet security while at the same time protecting privacy.”
CIRA spokesperson Spencer Callaghan said the authority has committed to a full annual privacy audit by a third-party auditor.
The rollout comes as the cyber agency is reporting more successful attempts at online fraud linked to the pandemic.
Jones said the agency has helped to take down more than 2,000 fraudulent sites and email addresses designed specifically for malicious cyber activity since the crisis began.
Some fraudsters have tried to fool people into clicking on malicious links promising Canada emergency response benefit (CERB) payments, while others have tried to lure Canadians with promises of personal protective equipment, treatments or cures.
“Not necessarily a rise in activity, but certainly a switch to the use of COVID-related themes as lures, which are very enticing for Canadians,” said Jones.
“The same level of activity, but more successful activity because of the nature of the lure.”