the Globe & Mail
Monday, May 19, 1999

Canada called 'hacker haven' for criminals

Authorities say national strategy needed
to protect country's key computer systems

by Jen Ross

Toronto -- Justin Davis, a 20-year-old convicted computer hacker from Thunder Bay, says he hasn't met a system yet that he couldn't break into.

"The longest it has taken me to hack a complicated system is 35 minutes."

Statements like that haunt the people in charge of Canada's information infrastructure. They gathered in Ottawa last week to discuss creating a national strategy to protect key computer systems from attacks by hackers and cyber-terrorists.

Canada -- already labelled a "hacker haven" -- needs to create a unified defence against cyber-assault, says Senator William Kelly, chairman of the special Senate committee on security and intelligence.

Although all provinces have individually devised some form of electronic protection, and a national network of hacker trackers was set up a year ago, Canada must speed up and standardize these efforts if it is to reduce threats posed by computer intruders, Mr. Kelly said.

"Our critical infrastructure is spread out across the country and we need a co-ordinated effort across the provinces and the private sector to deal with computer security."

In an Ernst & Young/CIO Canada Global Information Security Survey, 70 per cent of the Canadian companies that reported computer security breaches said they suffered financial losses because of the crime, and 32 per cent reported losses exceeding $1-million.

The survey said more Canadian businesses are becoming the target of Internet-related computer crimes -- 95 per cent of Canadian businesses use the Internet, up from 68 per cent last year.

According to industry estimates, computer intrusion attempts are tripling annually, and hacking activity is becoming more destructive.

In a committee report in January, Mr. Kelly quoted the director of the U.S. Federal Bureau of Investigation, Louis Freeh, as saying Canada is a "hacker haven" -- a safe base for attacks on computers in other countries.

Hackers themselves say it is exceptionally easy to break into Internet service providers and Web sites.

Mr. Davis, convicted last May of offences related to illegally obtained passwords he used to gain free Internet access, now hacks for a living, legally, for Thunderline Internet Solutions, a company that tests systems, networks or Web sites to see how hackable they are.

"Most companies are just sloppy when they set up their Web sites. They don't take the time to become aware of how their systems function. Some even forget to set up passwords", he said.

Mr. Davis is appealing his sentence, for which he served six months in jail and was ordered to pay $10,000 restitution.

Hacking can include anything from splashing graffiti on a Web site, to spreading a destructive virus, to theft of valuable data.

David McMahon, a security analyst for Ottawa-based Electronic Warfare Canada Inc., said the most common hacking activity is scanning -- in which a hacker will secretly monitor what someone is doing while logged on to the Internet. There is usually no specific target. "It's like a bunch of kids going down the street rattling doorknobs until they find a door that's open."

EWA Inc. co-ordinates the national hacker-tracker network, called the Canadian Computer Emergency Response Team, or CanCERT. Offered as a free public service, CanCERT investigates computer security breaches by locating and stopping intruders and recording the incident.

In its first year, it has logged 2,500 incidents, but that is "just the tip of the iceburg", Mr. McMahon said. Network administrators catch only about one in 10,000 or 20,000 hacks, and only a fraction of those get reported to CanCERT, he said.

"Usually we find out who it is and shut them down by pulling the plug on their Internet account, but sadly, they'll just get a new one."

Mr. McMahon said the Internet is still a grey area for regulators, and the rate of criminal convictions for hacking is extremely low.

The computer security threat "is like car accidents; it becomes an epidemic when you don't have rules and traffic lights, stop signs or speeding limits. Right now, the Internet is like the Wild West."

There are also new threats from "hacktivists" -- hackers with political agendas -- and cyber-terrorists. Mr. McMahon said Canada has not yet fallen prey to such terrorism, but some Canadian hacktivists have been wreaking havoc abroad. Still, cyber-terrorism is not running rampant.

"Terrorists have been collecting the knowledge and the technology to do bad things, but they haven't done them yet", said Mr. McMahon. "But it's certainly a very uncomfortable time to be considering Canada's vulnerabilities."

EWA Inc. President Brian Nix said it will be up to the policymakers to set the rules and decide how CanCERT fits into the national landscape of communications security. He added that in order to expand its operations, CanCERT will need alternative funding, which he hopes will come partly from government.

The chairman for the national strategy meeting said only so much can be done out of Ottawa.

"You need to develop this not just nationally, but locally and globally", said meeting chairman Robert Garigue, who is the chief technology and infrastructure officer for Manitoba.

Copyright © 1999 by The Globe & Mail. All Rights Reserved. Reprinted with permission.