Thank you, Mr. Chair. I appreciate the opportunity to share FireEye's perspective with you on threats to the Canadian financial services sector and to provide an overview of how we as a company and the private sector in general work in partnership with the government to help defend that sector.
As the Chair said, my name is Christopher Porter. I'm the chief intelligence strategist for cybersecurity company FireEye. We have more than 4,000 customers in 67 countries. My testimony today will reflect the lessons we learned from responding to incidents around the world, but also intelligence we gather on threats that are specific to Canada.
In addition to working at FireEye, I am also a non-resident senior fellow at the Atlantic Council and until 2016 I served for nearly nine years at the U.S. Central Intelligence Agency, which included an assignment as the cyber-threat intelligence briefer to the White House National Security Council staff, several years in counterterrorism operations and brief war zone service.
In addition to the 300-plus security professionals responding to computer intrusions worldwide, FireEye also has over 200 cyber-threat analysts on staff in 18 different countries. They speak over 30 languages. They help us predict and better understand the adversary, often by considering the political and cultural environment of the threat actor. We were born as a technology company, but we have these capabilities, as well. We have an enormous catalogue of threat intelligence and it continues to grow every day alongside the continually increasing attacks on organizations around the world.
We also have deep ties to Canada. FireEye appliances defend Government of Canada email inboxes every day, and we work closely with Canada's public safety institutions to keep Canadians safe by defending their networks and also by supporting investigations.
For today's discussions I will focus not only on the cyber-threats that Canada's banks, investment firms and government financial regulators face today but also the threats that they are likely to face in the near future. We live in a time of rapid change in how cyber operations are deployed, especially by nation-states. What were once spying tools used to carefully, quietly and illicitly acquire information are increasingly in the hands of military officers poised to go on the offensive and do serious damage and disruption.
This is especially true in Canada, which is often one of the first nations targeted for new types of cyber operations. Canada is a country with a high per capita GDP, which makes it an attractive target for financially motivated criminal activity. It is a world leader in high-tech development, including in some niche areas of military-applicable dual-use technology, so it's going to be a perennial target for foreign intelligence services. As a member of NATO with a large diplomatic and investment presence worldwide, Canada is a natural target for politically motivated retaliation from a number of actors worldwide.
Companies and individuals in Canada are also targeted by a spectrum of threat activity that ranges from deliberate, sophisticated criminal intrusions to commodity malware that spreads worldwide and only incidentally affects Canadians.
For example, in February 2017, multiple major Canadian financial institutions were exposed to risk of state-sponsored cyber-theft from North Korea. At that time, the Polish financial supervision authority took its systems offline after discovering malicious code had been placed on its web server and it was being used to redirect select targets to malicious downloads that gained control of their computer. Notably, those attackers used a white list of IP addresses to designate which individuals would receive the designated payload and multiple Canadian financial institutions appeared prominently on the targeted list. Even though the threat was in Poland, it still came home here in Canada.
Commodity campaigns, such as ransomware, cryptojacking and especially credential theft malware, constitute a significant threat to Canadians. Card-related fraud is a serious concern. FireEye routinely uncovers major underground fora that sell thousands of stolen credit cards at a time, sometimes from major financial institutions, but just as often targeting customer accounts at smaller banks and credit unions.
Canada is also often one of the first targets for new malware campaigns. A Canadian bank was one of the first five financial institutions worldwide to be targeted by TrickBot malware and since then we've observed additional financial institutions added to TrickBot's configuration files that have a presence in or are based in Canada. Notably, Canadian URLs appeared in all TrickBot campaign IDs and several of those organizations were either credit unions or smaller banks. In August 2017 we also observed a PandaBot configuration file that revealed targeting specifically of 15 major Canadian financial institutions.
At least a half dozen organized crime groups also conduct financial crime operations targeting companies and people in Canada, and their sophistication is on par with what previously we would have said was reserved only for nation-states. One group in particular, which FireEye calls FIN10, has been focused specifically on Canada since 2013, carrying out numerous intrusions against gambling and mining organizations, exfiltrating business data and extorting victims.
With ongoing intrusion operations, active underground threat activity, substantial targeting by commodity malware campaigns and homegrown threat actors, Canada will likely continue to face a complex and challenging criminal threat landscape in the short- to medium-term future.
The cyber espionage threat to Canada is moderate, but could be on the rise. We have observed 10 separate cyber espionage groups from China, Russia and Iran targeting Canada in recent years. Organizations in the government, defence, high-tech, non-profit, transportation, energy, telecommunications, education, and media sectors, among others, have all been impacted, much like they have been in many western countries.
Many Chinese cyber-threat groups have renewed their attention to the theft of military-applicable technologies since mid-2017 and are likely to intensify those efforts as trade-related conflicts with Canada and its allies emerge. This greatly increases the risk to Canadian commercial firms in all industries, but especially those that develop cutting-edge technologies or that directly compete with Chinese companies internationally.
Aside from intellectual property theft, Chinese-origin operations continue to heavily target competitive business intelligence from Canadian companies, especially those making foreign direct investments globally.
Looking forward, I am gravely concerned about the militarization of cyber operations. As NATO members continue to share capability in training, the major cyber powers outside the alliance are likely to do the same. This proliferation of cutting-edge offensive cyber power, combined with an increasing willingness to use it, with minimal blowback and spiralling distrust, has set the stage for more disruptive and destabilizing cyber events possibly in the near future.
In the past, some countries would have responded to western sanctions with increases in denial of service attacks on finance sector websites, but in the future, they may just as well respond with destructive attacks that are aimed at permanently disabling financial services or altering data in ways that undermine trust in the global financial system. For example, they could delay or impair the trustworthy settlement of collateralized government debt.
For countries sufficiently sanctioned, and therefore increasingly outside the financial system anyway, there is little incentive not to do so during a confrontation. Efforts to undermine foreign governments may increasingly be met with disruptive cyber campaigns, such as those that target elections infrastructure and individual candidates, where Canada is especially vulnerable.
I urge the Government of Canada to work with its allies in the United States and Europe to find peaceful, diplomatic arrangements with potential rivals and adversaries in cyberspace. Attribution, while difficult, has not proven to be the barrier that many predicted to enforcing such diplomatic arrangements, and many of Canada's likely antagonists share similar concerns about cyber-threats to their own financial sector, government stability and a desire to protect their people.
Diplomatic agreements that focus on ensuring the sovereignty of signatories and that avoid destabilizing operations while protecting human dignity can be reached. They can be enforced, and they would be mutually beneficial. But they may require the west to curtail some of its own cyber activities. While not sufficient on their own to protect Canadians, diplomatic agreements restricting certain classes of cyber operations will prove necessary alongside private sector technology and services to protect Canadian citizens and businesses in the long term.
Thank you, Mr. Chair, for the opportunity to participate in today's discussions. I look forward to answering any questions you may have.