Anyone who has been paying attention to the news has heard about cyber attacks. They pose a sizable challenge to security in both the private and public sectors. One researcher’s doctoral thesis focuses on how cybersecurity experts identify the problems related to the phenomenon and outline some of the solutions they propose.
No organization is safe from malicious individuals who manage to get their hands on its customers’ personal information (as happened with Capital One and Desjardins), or who attack it, often by blocking their computer systems and asking for money to unblock it (through what is known as a ransomware attack).
“Companies that have been held to ransom can no longer access their data,” says Pierre-Luc Pomerleau, a postdoctoral researcher at Georgia State University. Hackers threaten to erase it or make it public on the Dark Web if they refuse to pay the ransom.”
Since the beginning of 2020, numerous Canadian organizations have been hit by cyber attacks. This has mostly involved large companies, from whom high ransoms can be demanded, but public institutions have been targeted too. Examples include cyber attacks on the Canada Revenue Agency and the Société de transport de Montréal.
In his doctoral thesis, Countering the Cyber Threats against Financial Institutions in Canada: A Qualitative Study of a Private and Public Partnership Approach to Critical Infrastructure Protection, Pierre-Luc Pomerleau examines the challenges faced by financial institutions when it comes to countering cyber attacks. Little research has been done on this topic, in Canada,” he says. “Yet fraud has major social and psychological impacts.”
Such consequences are most keenly felt by consumers. “A large number of people have testified in recent years that they have been victims of identity theft or security breaches,” says Pomerleau. “They’ve had to take steps to protect themselves and prevent someone else from using their identity. It’s caused them a lot of stress.”
Cyber attacks also have a significant impact on businesses. “When hackers ask them to pay a ransom to regain access to their data, they usually pay up because they need to protect their customers’ personal information. This has major economic consequences for them. And it’s very tough for the people who have to deal with it.”
In his study, Pomerleau cites figures from Statistics Canada. According to this federal agency, 21% of Canadian businesses have already been “affected by a cyber security incident” that has impacted their operations. And most of the time, they did not report it to the appropriate authorities—only 10 per cent took the trouble to do so. The report also cites Public Safety Canada figures that put the cost of cybercrime at about 0.17 per cent of Gross Domestic Product (GDP), accounting for more than $3 billion in losses annually.
It’s unfortunate that more cases are not reported. If there were, we would be able to form a better idea of the extent of the problem. At present, no one knows the total amount of losses or the total number of victims. But if we adopt the rule of three, we can talk about potential losses in the order of $30 billion.”
Pierre-Luc Pomerleau, Postdoctoral Researcher at Georgia State University and author of the study
Yet companies do have some information about the cybercrimes they are threatened by. “Currently, the private sector is investing heavily in fraud prevention and detection,” Pomerleau says. But it doesn’t possess the legal powers that would enable it to protect its infrastructure. The public sector has both the legal powers and the ability to act, but it doesn’t have the expertise. They’re going to have to find a way to work together.”
Problems and solutions
What is preventing this happening? First of all, say the specialists who participated in the study, there is the problem of trust. Currently, information is transmitted between two people who, over the years, have developed a certain bond,” Pomerleau says. But there’s a problem. Because if one person changes jobs, they have to start over from scratch. So the best way would be if the bond of trust were developed between the organizations themselves. That would certainly make it possible to combat certain crimes.”
Is this possible? The participants in the study believe it is. Provided, that is, that a legal framework is put in place that would permit partnerships to be established based on certain legal guidelines.
A lot of emphasis these days is being put on protecting the privacy of citizens, and that’s good. But in order to fight fraud, there is a minimum amount of information that the private sector and the police must be able to share.”
That is no easy proposition. Hackers can carry out their attacks from the other side of the world. And they feel free to do whatever they want. “If you can’t share information about actors, networks, and modus operandi, it’s going to be hard to reduce the number of criminal events.”
The information could be shared via secure platforms. And in fact, this is what the participants in the study recommend: the creation of a virtual fusion center. The idea behind such a center is that it would allow individuals from the private and public sectors to work together without having to travel. It would also allow them to do so in real time using secure encryption technology. Finally, it would allow them to see all the cyber security incidents as they occur, and thereby counter cyber crime more easily.
Such partnerships already exist in the United States (the National Cyber-Forensic and Training Alliance, the United Kingdom (the Joint Money Laundering Intelligence Taskforce) and Australia (the Fintel Alliance). These partnerships are very effective,” says Pomerleau. They allow the members to see the big picture, make connections between events, and learn more about the threats we face and how to deal with them. We should use these partnerships as a model for a designing a center that is adapted to the situation in Canada.
The doctoral thesis: Countering the Cyber Threats against Financial Institutions in Canada: A Qualitative Study of a Private and Public Partnership Approach to Critical Infrastructure Protection (Northcentral University, La Jolla, California, 2019) was written by Pierre-Luc Pomerleau, a postdoctoral fellow at Georgia State University. It presents an analysis of the current state of the art in the fight against cyber fraud, and describes the vulnerabilities, with proposals for solutions that could improve the situation.
In conducting his research, the author carried out a literature review, and surveyed 10 cyber security experts, 9 of whom he interviewed. All the experts worked in Canadian financial institutions, but most had previously had careers in other fields, such as law enforcement or police work. It should be noted that in granting us an interview, Mr. Pomerleau spoke on their behalf.
Since his thesis was published, Pierre-Luc Pomerleau has written the book Countering Cyber Threats to Financial Institutions, which deals with the same subject.