News / Canada

Advanced computing could doom current online security protections: spy chief

OTTAWA — The day is coming when hackers will be able to crack the encryption people rely on for secure online banking and shopping, the head of Canada's cyberspy agency says.

Experts estimate that quantum computing could be realized within 10 years, opening the door to breaking trusted Internet protections, said Greta Bossenmaier, chief of the Communications Security Establishment.

"So the clock has started to tick," she said Friday in an address to the Canadian Association for Security and Intelligence Studies.

"The challenge of protecting systems is about to get a lot harder, thanks to quantum computing."

The immense processing power of quantum computing — designed to crunch data much faster than today's machines — will bring tremendous opportunities for science, medicine and engineering, Bossenmaier said.

But it could also hobble encryption that shields sensitive data from prying eyes, meaning "potentially every Canadian citizen could be vulnerable."

"And one can argue it's not really a question of if, it's a question of when."

Bossenmaier's words of warning come as the Liberal government consults Canadians on creating a new cybersecurity policy.

State-sponsored hackers, sophisticated criminals, cause-motivated hacktivists and people out to make mischief online all pose a threat, officials say.

"Cyberthreats used to be the exclusive domain of nation states, and that's certainly not the case anymore," she said.

"Cyberthreats come at companies, governments and other organizations from any number of sources and for any number of motivations."

For instance, federal officials have quietly warned operators of electrical grids, transportation hubs and other key infrastructure about the danger posed by insiders who could unleash devastating viruses and cripple systems, internal government notes reveal.

Crucial networks that Canadians rely on for everyday needs face a "substantial threat" from rogue employees out to wreak digital havoc, warn the Public Safety Canada briefing notes.

"The insider threat is difficult to detect and can cause real damage."

No special hacking skills are required, just a portable thumb drive loaded with malicious code. As a result, it is important that organizations have the right security protocols and procedures, "for example by limiting access to systems only to those who genuinely need it."

A federal briefing on the insider threat was delivered last December to leaders of the 10 most crucial infrastructure sectors, say the notes, obtained by The Canadian Press under the Access to Information Act.

The notes point out that more than 90 per cent of critical infrastructure — key to delivering everything from food and clean water to banking and health services — is controlled by the private sector and all of it is dependent in one way or another on information technology to operate. Many critical infrastructure sectors are interdependent, meaning a problem in one could have a "cascading impact" in others.

There are two kinds of insider threats — those from people who intend to do harm and others from people who inadvertently damage vital systems, said Melissa Hathaway of the Belfer Centre for Science and International Affairs at Harvard University in Massachusetts.

Many companies and government agencies are banning thumb drives outright to avoid the accidental risk of infection, she told the conference.

"The bad guy who knows better and is doing it on purpose is much more concerning, and that's what's happening more and more."

Public Safety is already working with critical infrastructure operators to prepare for the possibility of a major cyberattack on the Canadian electrical grid and telecommunications systems, the internal notes say.

Security officials call such an occurrence a "black swan" — a rare but devastating event that requires special attention due to the potential for massive losses should it happen.

— Follow @JimBronskill on Twitter