In the mid-1950s, psychologists Joseph Luft and Harrington Ingham created the "Johari window," which popularized the concept of "unknown unknowns" – things that both you and others are unaware of. It's hard enough to develop laws and policies to deal with threats we know about. But what about those we haven't experienced, or anticipated?

In mid-2016, elements of an electronic dark-arts toolkit stolen from the United States National Security Agency began showing up online. They were apparently put there by a hacker group with links to Russia.

Then late last month, a particularly noisome piece of malware struck around the world. The country hit hardest was Ukraine; the attack essentially shut down the government and all e-commerce. Banks and electrical utilities were paralyzed; radiation monitors at the Chernobyl nuclear site went off-line.

It was nominally a ransomware attack – pay up or your data goes bye-bye – but cybersecurity experts believe it was actually a "wiper" program, aimed at erasing targeted information. There's a strong suspicion it was the work of a state-sponsored entity.

It was an extreme event, but also a warning of what the future may hold. In fact, high-level breaches are already happening more often, and at higher cost, than most people realize.

A recent study by the Ponemon Institute on the costs of data leaks found the average breach in Canada, defined as the loss, theft or exposure of financial or medical information, cost $5.8-million to fix, investigate and mitigate. The institute looked at 27 major companies, which lost an average 21,000 records per occurrence.

The cost figure is actually down slightly from last year, but that's not the report's most interesting finding. Roughly half the breaches were due to software glitches or human error; the cyber equivalent of a business damaging its own merchandise. The other half were the result of criminal or malicious activity – the electronic equivalent of a break and enter.

Suffice it to say that cyberthreats are a large and growing problem. And they aren't occupying enough attention from governments, businesses or individuals. The situation is exacerbated by a labour shortage in the information security business. One study, commissioned by the International Information System Security Certification Consortium, estimates there will be 1.5 million unfilled cybersecurity jobs by 2020.

So what to do?

Allocating more public resources to the threat would be a start. That could include training and education incentives, and budget top-ups for the government agencies leading the fight.

Last year John Adams, a former head of Canadian Security Establishment, suggested it's time to stop playing defence and pursue a more active, offensive strategy. That's an idea worth exploring, provided there is adequate government oversight. The NSA's secret offensive playbook may be connected to the most recent mess, after all.

Also, thwarting criminals and warding off state-backed hackers ought not be invoked as licence to force companies and others to build "back doors" allowing law enforcement to snoop on citizens in the name of security.

Part of the answer surely lies in market forces. Tech firms and industry groups have resorted to paying "bug bounties" – find a flaw in our system; get a reward – and holding hacking contests with cash prizes.

Some have set up in-house bug hunting teams; Google's Project Zero is among the more aggressive in the cyber-world. Yet it has often identified vulnerabilities only to encounter reticence on the part of the affected companies to admit they exist.

Timely and full disclosure of security flaws is imperative, and if industry can't agree on common rules, government should nudge them. That may run against the prevailing tech industry ethos, but not everyone is following Google's famous "Don't be evil" dictum.

For every amateur bug bounty hunter who turns in her findings for rewards, there are others hacking for fun and profit, and selling information on the dark web.

Traditional policing skills are a poor fit with the new environment. For the cops, that means enlisting the help of intelligence agencies, developing closer links with the tech sector – and hiring people with new and different abilities. Some of the smartest and most with-it crooks have gone online.

The Trudeau government is studying the risk of a cyber-hacking of the democratic process. It's a real possibility, particularly when one considers the damage wrought by Kremlin-linked hackers in the U.S., including meddling with the electoral system.

Some of the dangers out there are unknown unknowns. But a lot of them are, in fact, quite well known. They are not unexpected. There's no reason for this country to be unready.
