
The Communications Security Establishment complex in Ottawa. A partnership expected to be sealed within weeks would create an information pipeline between the Canadian Cyber Threat Exchange, the federal department of Public Safety and the secretive Communications Security Establishment, Canada’s electronic spy agency. Sean Kilpatrick/The Canadian Press

A collective of Canada's largest banks and major companies from other key sectors is on the cusp of an agreement to gain access to a federal spy agency's trove of information about cyberthreats.

The partnership, which is expected to be sealed within weeks, would create an information pipeline between the Canadian Cyber Threat Exchange (CCTX), the federal department of Public Safety and the secretive Communications Security Establishment (CSE), Canada's electronic spy agency.

The initiative is significant because Canada has relatively few forums for government cybersecurity experts to communicate threat information to their counterparts in the private sector. This effort may help close that knowledge gap by creating more efficient pathways for some information to seep out from the CSE, a highly secretive electronic-eavesdropping agency.


Cyberthreats against governments and the private sector are on the rise, and as the issue has become a big topic of conversation around boardroom tables, some of Canada's most prominent firms have increased spending to improve their digital security. This new accord is an effort to build the trust necessary to encourage companies to share information more liberally with their peers, as many are still hesitant to disclose threats and attacks bombarding their systems.

The arrangement would allow for "active threat indicators" compiled by cyberdefence teams inside government and the CSE to be shared with some of Canada's most important banks, telecommunications and power companies. The information would be passed through the CCTX to companies in a digestible format to help them pre-empt attacks and patch vulnerabilities.

The CCTX is a non-profit organization launched late last year to help companies collaborate and contribute to thought leadership on cybersecurity. So far, 28 companies have joined or are registering, and 11 more intend to follow suit. The membership roster isn't public, but it includes five of Canada's six largest banks and five major telecommunications firms. Executives from Air Canada, Canadian National Railway Co. and Hydro One Ltd. are also listed among the CCTX's leadership.

Partners have already conducted electronic testing to establish the links and are now hammering out legal details, according to Robert Gordon, executive director of the CCTX.

"[It is] a way to give the government's expertise and what they're seeing over to the private sector," Mr. Gordon said in an interview, and to "share more information across sectors."

Worldwide incidents, such as the WannaCry ransomware attack in May, have put a sharper focus on fundamental issues of cybersecurity. At the same time, more targeted attacks such as the 2014 hack of Sony Pictures, or a breach of HBO data disclosed earlier this week, put corporations on edge. (In the latter, hackers apparently gained access to forthcoming episodes and written material from shows such as Ballers and Game of Thrones.)

A 2013 hack of retailer Target Corp. was "an inflection point," according to Chris Inglis, the former deputy director of the National Security Agency in the United States. Hackers gained access to personal data of tens of millions of customers; the incident contributed to the resignation of the company's chief executive officer and the company has spent more than $200-million (U.S.) on legal and other costs related to the breach.

Since then, cybersecurity has been "brought into the boardroom" as an issue of top importance, he said in an interview after speaking to staff at the Bank of Nova Scotia about cyberissues in late July.

"To be clear, [the threat is] rising," Mr. Inglis said. "But most of what they've seen has been there all along. They've just ripped the cover off it and turned the light on, and they can now see the rats in the basement."

The Bank of Canada highlighted more frequent and complex cyberthreats against financial institutions in its latest review of the country's financial system, calling cyber-risks a "structural vulnerability."

In a recent survey of chief risk officers at 30 large financial institutions, conducted for the Toronto-based Global Risk Institute (GRI), cyber and information technology topped a list of key risks facing those companies. Two years ago, it ranked sixth.

Last year, the GRI pointed out a lack of co-ordination in efforts to counter cyberthreats in Canada. Attempts at co-operation have improved since then, according to Richard Nesbitt, the institute's CEO and a former senior bank executive. But companies are still wary about sharing, particularly across industries.

"There's no sort of central clearing house for this information," Mr. Nesbitt said. "There really needs to be a central group co-ordinating this, and it really needs to come from government."

Canadian banks have worked together to combat cyberthreats since early 2000, according to Scotiabank's chief information security officer, Steve Hawkins. They meet monthly and have working groups. And in case of a major cyberevent, an urgent conference call can be arranged.

"We recognize that we would like to collaborate more with the other sectors, such as the telcos and the power companies and the government," Mr. Hawkins said, calling the CCTX "a step forward."

Serious breaches of corporate data that involve theft of intellectual property might have to be disclosed to shareholders; theft of customer data can trigger laws that oblige companies to tell federal privacy officials what was at stake. Yet it's often not clear which hackers have targeted a company or even what their aims were.

Mr. Gordon said CCTX member companies decide what they want to share, with whom, and the information can be relayed in an anonymized form. Even if such information is stripped of its context, he believes it can be vital to other companies. "A technique that you might use against a financial institution is the same kind of attack vector you would use at a hospital or a transportation company or a mining company," he said.

A spokesperson for the CSE confirmed that an agreement is currently "under consideration."

"CSE tracks cyberthreats from around the world and is uniquely positioned to offer insight and advice to the CCTX on the cyberthreat landscape facing Canadians," the agency said in a statement.

Mr. Inglis, who has also consulted with other major Canadian banks, sees "much richer sharing now, to my pleasant surprise." But he still thinks companies need to share information earlier and more widely. "Everybody's looking at this through their own soda straw," he said, "and they're typically sharing this when some threshold has been crossed."

At a banking industry conference in January, Royal Bank of Canada CEO Dave McKay said "we spare no expense" in building the bank's cyberdefences, and stressed the importance of protecting confidence in the banking system.

"At some point, we're only as strong as the weakest player in there. If one gets compromised, that could hurt others," he said.
