Limited awareness of technology and its risks. Reduced access to specialists who can help. Uncertainty about who leads the response when something goes wrong. Vulnerable populations.
Those are just a few of the things worrying Jarrett Davis about northern cybersecurity.
Davis, a senior manager at CSIS – the Canadian Security Intelligence Service – says states like Russia and China have demonstrated their interest in the Arctic and their ability to exploit weak cyber defences.
Nations attempting to get into systems that control northern infrastructure and “lie in wait” are at one end of the threat spectrum. Northern knowledge is under attack, too, and Davis gave the example of researchers in the North being specifically targeted.
The other end of that spectrum, says Inuvik Web Services’ Robert Privett, is scammers exploiting the trust of Elders or shutting down small businesses with ransomware.
Advertisement.
Advertisement.
Privett said he had helped businesses recover $100,000 or more during attacks and had found hundreds of vulnerabilities in the NWT government’s online presence.
“If that’s the situation with the territorial government, you can imagine small businesses have a much more difficult time,” he said.
Davis and Privett appeared on the same cybersecurity panel at last week’s Arctic Development Expo in Inuvik. Their overarching message is that northerners need to do more – and be more aware – to protect against digital attacks.
“We’re not ready,” said Davis, characterizing Canada as a whole in the face of increasingly sophisticated “threat actors.”
Advertisement.
Advertisement.
“When I say we, we’re all not ready. Whether you represent an industry partner, whether you represent a municipal government, whether you represent a territorial government or you’re here from the federal government, we are not ready.”
At the same time, Dan Couillard – who leads risk mitigation at the Canadian Centre for Cyber Security, another federal agency – said help is available.
The Cyber Centre, as it is known for short, offers guides tailored to individuals, small businesses, large organizations (including those in charge of infrastructure), governments and academics.
“Our mandate is to work with other government, private sector, critical infrastructure and Canadian citizen to build resilience and assist in incident response,” said Couillard.
“Obviously, we’re government, so we’re not pushing any product, but we will give you independent advice on how to implement security controls.”
Call for regional cybersecurity network
The NWT government has had its share of cybersecurity incidents. In 2020, the territory’s power corporation was hit by a ransomware attack that officials still could not fully explain following an extensive investigation.
Privett, whose company provides digital services to Inuvik and NWT customers, said his firm had scanned 270 IPs belonging to the GNWT and found public-facing servers running end-of-life software, expired security certificates, and online portals without secure configuration.
“A total of 485 vulnerabilities and exploits” were detected across one range of IPs, he told expo attendees last week.
Advertisement.
Advertisement.
More broadly, Privett said his company sees “a lot of end-of-life software, hardware, unpatched systems across the board, reused passwords across organizations, no two-factor authentication.”
“If you have a password that’s Inuvik then the date, go change it please,” he instructed the audience, while expressing concern that northern firms and governments often don’t back up data and suffer from “employee churn,” meaning new staff arrive, aren’t aware of issues and don’t address them.
He said people should stop using free email services for work purposes, noting they often don’t come with the security protections you can find through paid services, while two-factor authentication can be a major help.
Two-factor authentication is the process by which a service requires a second form of confirmation from you – like a code from a text message or an authenticator app – before it lets you in, even if you had the right password.
“You can do very little and get a long way. Two-factor authentication is all you need a lot of the time. Things can happen otherwise, but that makes a huge difference,” Privett said.
Describing what can happen when things go wrong, he gave examples like fake anti-virus software “screaming” that a machine is infected, then systematically extorting cash from people as they follow instructions to “fix” the issue.
“The Arctic is high in vulnerable populations. Small businesses can’t recover from $100,000 losses. Non-profits, they can only do what’s funded. If there’s no funding available for security, then it’s just not happening, right?” Privett said.
“Elders are very easy social engineering targets, especially with AI coming around the corner – and it’s already here. Small town social media, privacy settings, we’re not training our youth to protect themselves.”
Advertisement.
Advertisement.
Privett called for a “regional cybersecurity network” in the North so people can more readily share their experiences and strategies. He urged people to invest up front in protection to avoid damaging losses later.
“Under $5,000 can save a business, organization, entire industry in the Arctic. It’s sometimes well under that. It’s really worth it,” he said.
‘Real-life targeting’ of key individuals
For Davis, the scale is different.
His role requires him to focus on the threat posed by the likes of Russia, China and Iran, who may be less likely to go after an Elder and more likely to target power infrastructure, knowledge repositories or government networks.
“Let me be very, very clear that from a national security threat space, the threat actors are already here,” Davis said last week.
“There’s a clear recognition that small and remote communities, including the northern populations, must be protected to the same extent as those in the major urban centres,” he said, giving two examples of problems those communities have faced.
In one, BC’s First Nations Health Authority suffered a 2024 attack that the authority said “impacted many people’s personal information.”
In another, Davis said, CSIS “identified specific targeting of Canadian Arctic research” that allowed attackers to “harvest” the login credentials of researchers by creating fake websites that pretended to be legitimate academic portals.
Advertisement.
Advertisement.
The attackers then began “long-term monitoring of communications and research progress,” he said, extracting data as they went.
He said nations like Russia are now engaged in “real-life targeting” of defence contractors, military technology researchers, geopolitical experts and workers in aerospace, defence and Arctic technology.
“Not a James Bond film. These are really happening,” Davis said. “Are you prepared? Do you even know what to look for to be able to identify when that threat happens with one of your people, one of your employees, or with yourself?”
Asked if the North and its industries and governments were being clearly targeted, Davis said the evidence was unequivocal.
“There have been very widely publicized policy documents – on the part of both the Russian government as well as the Chinese government – that specifically identify the prioritization and funding and, in some cases, the standing up of very comprehensive, multifaceted organizations within both of those governments specifically targeting polar monitoring and forecasting,” he said.
“There is no question, in terms of the strategic race that’s on the go right now and the importance they’re putting in the North.”
