Governments and the private sector have to do more if Canada wants to overcome the shortage of cybersecurity talent needed to meet online threats, experts stressed during a security conference.
While universities and colleges have in the past five years greatly boosted the number of cybersecurity-related courses they offer from 400 to 1,300, it’s still not enough, Michele Mosca, co-founder of the Institute for Quantum Computing at the University of Waterloo, told the annual SecTor conference in Toronto.
One group alone in Germany is funding 150 university faculty-level research positions in cyber security, he noted.
Meanwhile in Canada there is a lot of spending on what he calls “projects.” For example, the federal Innovation department recently announced the availability of $80 million in cybersecurity spending, which includes money for training.
“It’s a good start,” said Mosca, “but we need a lot more.”
The Information Technology Association of Canada, an industry trade group, has started a new talent alliance, and recently Rogers Communications, the Royal Bank and Ottawa’s FedDev Ontario agency announced a $30 million fund to create the Rogers Cybersecure Catalyst for training and research in Brampton, Ont.
“The bottom line is … we have to create more capacity,” Mosca said. “There’s no way we can keep up with what’s needed with the current investment.”
He emphasized that this has to change rapidly” so post-secondary institutions can do more training and R&D.
“The handful of us in Canada in this space are working hard, we’re busy starting companies, mentoring startups, advising government — you can’t squeeze much more out of the people we have.”
Mosca was one of four people on a panel discussing the security industry in Canada.
Leah Macmillan, Ottawa-based senior vice-president of global marketing for Trend Micro, said companies have to expand their search for talent, and nurture them when they’re found.
“We can’t wait for people to magically graduate,” she said.
For example, Trend Micro Canada has created its own seven-week certification training programs for recent graduates, some of whom may not know a lot about cybersecurity, and hires those with the most potential. That includes graduates from Queen’s University’s commerce program for business-related positions in cybersecurity.
Industry needs to encourage diversity on cyber teams, she added.
Stephan Jou, chief technology officer at Interset (recently bought by U.K. giant MicroFocus), a user behaviour analytics firm, said his company tries too contribute cyber and data science education material to Ottawa-area post-graduate schools. Other firms could do the same, he said, to raise the next generation of graduates.
Leo Lax, executive managing director of an Ottawa early-stage accelerator called L-Spark, said post-secondary institutions could also help increase talent by offering more continuing education and professional courses.
“We have to figure it out as an ecosystem,” he suggested.
The panel had nothing but effusive praise for the skill of cybersecurity talent here.
Jou raved about the number of Canadian experts in artificial intelligence. It’s one reason why the U.S government chose his firm — even when it was small and young — to be a supplier to “three-letter” agencies, he said.
MicroFocus bought Interset for its talent, not the number of customers, he said. And Interset is being turned into the centre of focus for analytics for all MicroFocus products, he added.
He described Ottawa, Toronto, Montreal as an “incredible nexus of [AI] talent not available anywhere else.”
Lax, who urged Canadian firms to help support startups, noted L-Spark has found several big companies — Telus, BlackBerry Limited, Solace and G+D Mobile Security — to back a proof of concept secure Internet of Things wireless platform for testing applications. Four startups have been provided with software development kits to create secure IoT products that can run on the stack.
Mosca noted the race to build quantum computers is providing many opportunities for companies to build quantum-resistant solutions.
As for whether that alleged Canadian trait of being nice is a help or a hindrance to cybersecurity careers, Trend Micro’s Macmillan argued Canadians have risen in the international firm in part because we “aren’t threatening.”
“I’ve been told we are politely aggressive,” said Jou. “That seems to have worked.”
A Toronto hospital is recovering after being hit last week by a variant of Ryuk ransomware. However, so far it seems the malware was only trying to exfiltrate data instead of demanding money.
Michael Garron Hospital chief executive officer Sarah Downey told CBC News that the hospital’s firewall stopped data from leaving the institution.
UPDATE: On Friday, communications director Shelley Darling said IT experts were able to confirm the malware was Ryuk by examining the malware. There was an email message for communicating with the attackers, she added. but the hospital is not contacting anyone about paying a ransom.
The hospital has over 100 servers and they are still being evaluated for infection, she said. After the attack was discovered two elective surgeries and out-patient clinics had to be rescheduled and staff had to resort to paper documentation. As of Friday morning, all email had been restored. However, some remote VPN access is still off. Certain portals that communicate with other health care data repositories are slowly being restored. In addition, what Darling called “minor administrative systems” — such a volunteer database — and “systems that talk to each other” are still offline.
“It’s probably going take us a few weeks to have confidence to say all of our systems are back online,” he said.
The hospital hasn’t estimated yet how much the attack will cost. Some of those costs may be recovered through insurance, Darling said.
The attack started in the early hours of Sept. 25 when what it calls a virus was discovered on one of the IT systems. As a result several systems were closed to prevent the malware, later identified as a Ryuk variant, from spreading.
Patient privacy has not been compromised, the hospital said. However, it is still in what the institution calls a Code Grey, which means IT systems have been impaired.
Darling said the suspicion so far is the attack started with an employee clicking on an infected email or going to an infected website. “In the last several days we’ve been re-educating our staff on cyber security email do’s and don’ts,” she added. There has been regular privacy training, but now “we are looking at putting more formal education in place.”
“While we hope these types of situations never take place, our expert hospital teams prepare for all issues and we have extensive processes in place to respond quickly when experiencing disruptions in clinical services,” Downey said in a statement after the attack was discovered. “We want to reassure our community that all current patients at MGH continue to receive safe, high-quality care from our health care teams.
“Our priority is to restore full computer functionality as quickly as possible and we apologize to the small number of patients whose care has been re-scheduled. I am so grateful to our staff, physicians, leaders and volunteers who have worked exceptionally hard and put in extra hours during this time to ensure safe, quality care to our community.”
Michael Garron Hospital until recently was called Toronto East General Hospital, and is one of the largest in the city. The emergency department alone sees about 80,000 patients a year.
According to a blog earlier this year from security vendor CrowdStrike, Ryuk ransomware began appearing in August 2018. Controlled by a group it dubs Grim Spider, Ryuk has been targeting large enterprises. CrowdStrike says Ryuk was derived from the Hermes commodity ransomware, which can be bought on dark forums. However, researchers believe Ryuk is only used by the Grim Spider group.
CrowdStrike believes that the initial compromise often comes after a victim clicks on a link or a document in an email that downloads the TrickBot or Emotet trojans. But note that in June the U.K. National Cyber Security Centre published an advisory that pointed out often Ryuk isn’t spotted by victims until after some time following the initial infection, ranging from days to months.
That allows the threat actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems. But, the advisory notes, it may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.
In the first four months since Ryuk’s appearance the threat actors operating it netted over 705 Bitcoins across 52 transactions for a total current value of US$3,701,893.98, said CrowdStrike. Payouts have been going up ever since. According to one news report in June alone Florida municipalities hit by Ryuk paid out more than US$1.1 million dollars.