Federal government may make reporting cyberattacks mandatory: Mendicino

The federal government is looking at making it mandatory for Canadian businesses and organizations to report cyberattacks, Public Safety Minister Marco Mendicino said Thursday.

"It's an option that we're considering very carefully," Mendicino told members of the public safety and national security committee.

Mendicino warned MPs on the committee that the current international situation has increased the threat of cyberattacks on Canadian businesses, organizations and different levels of government.

"I cannot emphasize enough how important it is that in the current geopolitical environment ... we are very much on high alert for potential attacks from hostile state actors, like Russia," he said.

The minister said those attacks "could manifest through cyberattacks, through ransomware, which look to identify potentially valuable targets to Canadian interests, like critical infrastructure, but equally to subnational targets, different orders of government and other sectors of the economy."

Mendicino said that since the government created the Canadian Centre for Cyber Security, it has been sharing cyber threat information with owners and operators of Canadian critical infrastructure. The federal government also has created a special unit within the RCMP to coordinate police operations against cyber criminals.

Mendicino was questioned by NDP MP Alistair MacGregor as the committee continued its hearings on Canada's security posture in relation to Russia.

MacGregor said the committee has heard from some witnesses who have called for mandatory incident reporting.

"Sometimes businesses are loath to report that they have been held hostage by ransomware," MacGregor told Mendicino. "They find it's easier to pay off the person, not report it. Also, there can be a threat for further damages if they do in fact report to the authorities.

"If we don't really know the full scope of the problem, if some businesses are keeping this in-house, what steps are your government taking to maybe bring in a mandatory reporting requirement ...?"

The threat is rising, says government agency

The Centre for Cyber Security has issued a number of bulletins warning Canadians of the potential for cyberattacks by Russian state-backed actors who may try to assault critical infrastructure, such as electricity systems.

In its National Threat Assessment 2020 report, which laid out its predictions for the next two years, the centre said the number of bad actors is rising and they're getting more sophisticated. It warned of a potential increase across Canada in cybercrime, ransomware attacks and commercial espionage — particularly against Canadian businesses, academic institutions and governments that may have proprietary information.

"Canadian organizations of all sizes, such as small and medium-sized enterprises, municipalities, universities and critical infrastructure providers, face a growing number of cyber threats," the centre wrote in its report.

"These organizations control a range of assets that are of interest to cyber threat actors, including intellectual property, financial information and payment systems, data about customers, partners and suppliers and industrial plants and machinery."

Ransomware payments getting larger, report says

The value of ransomware payments is also on the rise, the centre warned.

"Ransomware researchers estimate that the average ransom demand increased by 33 per cent since Q4 2019 to approximately $148,700 CAD in Q1 2020 due to the impact of targeted ransomware operations," said the report. "At the more extreme end of the spectrum are multi-million dollar ransom events, which have become increasingly common."

Groups like the Canadian Federation of Independent Business (CFIB) say the government should focus on providing information and improving police services instead of making reporting mandatory.

"Businesses can already report cyberattacks," said Jasmin Guénette, vice-president of national affairs for the CFIB.

"Forcing them to do it will not result in fewer attacks — it will mean more work and red tape for businesses. Some of them don't want to report cyberattacks, fearing their additional consequences."