Hand-held devices such as smartphones and tablets could be the next frontier for cyber-spies and other rogue players in the digital world, warns a newly declassified assessment from Canada's intelligence agency.
Opportunities for malicious hackers are growing as computer systems move from the back rooms of corporations and government agencies into the palms and laptops of employees, says the Canadian Security Intelligence Service assessment.
“New cyber attack tools and techniques will be developed in efforts to compromise Canadian public- and private-sector systems,” says the report, perhaps the agency's most ominous forecast to date on the perils of cyberspace.
“The cyber-related threat environment will evolve and become more complex, creating ever greater challenges for Canada within the context of national security.”
The 18-page CSIS report, Cyber Threats and Security: An Overview, was obtained by The Canadian Press under the Access to Information Act. Though heavily edited, the November 2011 assessment, originally classified top secret, is another sign of the intelligence service's growing interest in the dangers emerging from cyberspace.
Cyber threats posed by unfriendly states, groups and individuals “affect Canada's national and economic security,” says the report. “This has implications for its critical infrastructure, the operation of its public and private sectors, and its domestic and international interests.”
The computer systems that Canadians rely on every day to work and play also underpin key services including water treatment, and hydro and nuclear power plants, CSIS notes.
While there may be a variety of technical measures and procedures to secure information systems, the “weak point” remains the human being because he or she generally uses the technology “without understanding it,” says the report.
“The questions that remain are: how to link security to the adoption of new technologies, how to incite users to be more secure in the use of technology.”
In the past, computer systems could be used only within the walls of an organization. In the Internet era of portable devices, employees can conduct business anywhere and have the ability to move data from one tool to another, or even into the remote servers of “cloud computing.”
All this means people bent on infiltrating a network “no longer require direct access” to a targeted system, says CSIS. They can gain remote access using a variety of tools and techniques to manipulate the system, create back doors, and steal, erase or alter information.
“Furthermore, efforts will be made to compromise and exploit the capabilities of handheld devices such as smartphones and tablets, as more and more individuals adopt them for business and personal use.”
The report cites a project that illustrated how an unmanned aerial vehicle, or drone, could be loaded with hardware and software that would allow the small aircraft to fly over and compromise wireless networks.
It also points to the groundbreaking Stuxnet worm, designed to spy on industrial systems. Some suggest it was created by U.S. and Israeli intelligence to spy on Iranian nuclear operations.
Attacks that crippled computer systems at the federal Finance Department and Treasury Board two years ago have been linked in media reports to efforts — possibly originating in China — to gather data on the potential takeover of a Canadian potash company.
Some enterprises may not detect such intrusions, or be reluctant to report them to authorities for fear of losing confidence of users and partners, says the CSIS report.
Canada's cyber security strategy, released in October 2010, focuses on securing federal systems, helping shore up other key networks, and assisting Canadians with online security.
Even so, a recent report by the Macdonald-Laurier Institute for Public Policy said a lack of information sharing and no comprehensive national strategy leaves Canadians exposed to the ill effects of natural and man-made disasters, including a cyber attack.
At the same time, civil libertarians and privacy advocates are wary of federal efforts to give CSIS and police more powers to conduct online surveillance. Many have loudly protested the recent introduction of Conservative legislation that would make it easier for authorities to find out more about Internet users.