'All it takes is one click': Chief cyberspy warns Canadians to protect themselves from online crime

The head of Canada's cyberspy agency says Canadian individuals, organizations and critical infrastructure all face an increased threat from cybercriminals looking for economic advantage or to punish people for supporting Ukraine.

In her first interview as head of the Communications Security Establishment (CSE), the federal agency responsible for signals intelligence and cyber-defence, Caroline Xavier told CBC's The House that ransomware attacks have become increasingly popular among cybercriminals. And security services can't fight back without the public's help, she added.

"It can't just be on the government. We all have to do our part," Xavier told host Catherine Cullen during the interview, which airs Saturday.

Even simple steps like keeping software updated and being aware of commonplace scams can help reduce risk across the board, she said. The CSE has compiled a series of guides for individuals and organizations across the country to enhance their online defences.

"We talk about phishing and emails that could be coming into your organization and paying close attention to who sent it to you," Xavier said. "We tell you that for a reason, because all it takes is one click to be into a whole new game that you weren't expecting."

The CSE has warned Canadians about online risks before, but the threat has become even more apparent in recent years due to a series of high-profile attacks.

The agency said earlier this year that at one point, a cyber actor "had the potential to cause physical damage" to a piece of critical infrastructure in Canada. Hydro-Québec was the victim of a cyberattack on its website in April. Attacks on disparate targets such as Newfoundland and Labrador's health system and the bookseller Indigo have shut down important systems or exposed Canadians' personal information.

Hackers temporarily shut down a series of Canadian government websites earlier this year, coinciding with the visit of Ukrainian Prime Minister Denys Shmyhal.

"It's not uncommon for Russian hackers to target countries as they are showing their steadfast support for Ukraine ... so the timing isn't surprising," Prime Minister Justin Trudeau said during a joint news conference with Shmyhal in April.

Xavier cited the Colonial Pipeline attack in the United States last year as an example of a dangerous assault on critical infrastructure. The CSE issued a report this week outlining the threat to Canada's oil and gas industry posed by bad actors online.

"Just imagine that if you get to a gas distribution and the pressure mounts, it could potentially explode and that could be really harmful to a local neighborhood, for example, or people that are surrounding it," Xavier said.

The likelihood of such an attack by a state-sponsored actor in the absence of outright hostilities is very low, said the CSE report.

Still, the pace of attacks by foreign actors has increased since Russia's invasion of Ukraine last year, she added.

"We're definitely seeing a rise in cyber crime or people that are potentially passionate toward the cause of the Russians rather than Ukrainians, who are perhaps wanting to leverage these opportunities to do harm to those that are mostly supporting Ukraine," she said.