Threat of cyberattacks the biggest worry among all challenges: BoC boss
Poloz shares unease about ripple effect of event as institutions search for solution
OTTAWA Of all the economic fears that could keep Stephen Poloz awake at night, the threat of a cyberattack is perhaps the one that troubles him the most.
The Bank of Canada governor can talk all day about household debt and how a global recession would slow down the economy, push up unemployment and make mortgage payments difficult for some people, and never lose faith that the system would be resilient enough to prevail, he said in an interview.
But a cyberattack against the financial system? Poloz admits he’s unsure what the fallout would be and he struggles to picture what such an event might look like.
For a policy-maker who carefully studies stacks of data before making a decision, the many unknowns surrounding the rapidly evolving world of cyberthreats are disconcerting, to say the least.
“It leaps up to the top of your consciousness pretty quickly — I think in many ways it’s more worrisome than all the other stuff,” Poloz said in an interview at the bank’s headquarters in Ottawa.
“Every event you hear of sounds different, or happens in a different way ... There’s all these things you and you think, ‘My God, how do I get my arms around that whole risk and what are the consequences?”’
Poloz shared his unease at a time when governments, central banks and the private sector around the world are searching for new strategies to counter hacks. Many, including the Bank of Canada, are pouring more resources into the area to learn new ways to prevent an attack, react to contain any damage, and how to pick up the pieces afterwards, if necessary.
The central bank warned Canadians in June that the country’s interconnected banks are vulnerable to a cascading series of cyberattacks, something that could undermine broad confidence in the financial system.
The report, known as the financial system review, also said such structural vulnerability could allow for the easy spread of an initial attack into other sectors, such as energy or water systems. The report urged commercial banks to cooperate on countering the threats.
It pointed to eight high-profile cyberattacks on banks in 2016, including an US$81-million heist at the Bangladesh Bank.
One recent, high-profile example was the cyberhack last summer on Equifax that compromised the personal information of 145 million Americans and 8,000 Canadians.
The federal government, including the finance and public safety departments, have been studying policy options to better protect Canada. In 2016, it promised $77 million in new money over five years to bolster cybersecurity.
The Senate’s banking, trade and commerce committee has also been studying cybersecurity.
Their efforts come amid signs that suggest Canada still has a long way to go.
A federally commissioned report last year warned the government was “simply not up to the overall challenge” of fending off cyberthreats on its own and must partner with the private sector and the U.S. to tackle the problem.
Canada was also called a prime target for cybercrime, state-sponsored attacks and lone hackers, said the final draft version of the April 2016 report, which was obtained by The Canadian Press via the Access to Information Act.
On Wednesday, Poloz said government has a critical, co-ordinating role to play in defending the entire system — not just the public sector — from hackers.
“If you continue just to add institution-by-institution guidelines, you will not create enough of an umbrella to protect anybody from the social consequences of a cyber event and, therefore ... there will be one,” said Poloz, who expects cyberattacks to be a key issue on the G7 agenda when Canada plays host next year. “What are the social consequences if our payments system goes down for any length of time? Big disruption to the economy. So, it becomes a macroeconomic consequence from maybe only one member of the payments system having a vulnerability that wasn’t guarded against.”
J. Paul Haynes, president and CEO of a Canadian cybersecurity firm eSentire, said even smaller hacking incidents can ripple through the system and create far greater collateral damage.
“We are one mouse click away from a doomsday situation being set in motion,” said Haynes, who has made presentations on cyberthreats for officials from the Bank of Canada and other regulators.
But even the best efforts sometimes fall short, experts warn. Paul Vallee, president and CEO of the Canadian-based IT services firm Pythian, said the financial system’s vulnerability to a cyberattack is very real despite attempts by companies to defend themselves.
It leaps up to the top of your consciousness pretty quickly — I think in many ways it’s more worrisome than all the other stuff.