“Then there are the most organized [attacks] who see the government as a target and they seek financial gains, and those would be more sophisticated. They would tend to look for access to be able to do recognition type things,” Jones said.
To protect itself, the federal government has installed what is called a “host-based discovery program” on more than half a million computers in more than 50 federal departments.
While the CSE generally says nothing in public about its defensive capabilities and cites operational security in keeping those details private, the agency recently released details of the host-based internal sensor program.
“The host base is really what we can see to make sure nothing… is happening inside government networks that we don’t want and expect,” Jones said.
“Hundreds of thousands of events per day”
The CSE Cyber Center provides the outermost layer of government online defenses by detecting network-level threats. The host-based detection program is the internal layer of defense, alerting system administrators when it detects something abnormal on a government server.
While most malware and phishing attempts are detected by front-line government security, Jones said, these types of scams are getting more sophisticated.
He said if malware somehow got through the palace gate and a government employee clicked on it, the host-based detection program would send out a distress signal.
“We see hundreds of thousands of events a day across government, not all of them malicious. Sometimes it’s just software that is just starting to behave strangely or someone has chosen to upgrade,” he said.
“And then yes, absolutely, we see malware installed. We are able to stop it and make sure it does not happen again.”
When asked how successful the program has been in stopping attacks, a CSE spokesperson said that while “no network is totally impenetrable … we are very confident in its defense capabilities.”
The program also serves as a canary in the coal mine, helping Canadian guards detect new methods employed by those seeking to infiltrate government technology – and giving them a chance to warn others, Jones said.
“He sees things that we have never seen before. So it’s not in our threat information feeds from commercial vendors,” he said.
“So yes, you can try to use your malware against us, but we’re going to publish it and make sure people know about it so you can’t use it against anyone else.”
“Which means cybercriminals should go back and redevelop some of their software. They should seek to change the route they use to steal information. Our strategy is actually to make it more expensive to come after Canada.”
UK counterparts now embrace the program
The host-based sensors program was officially launched about eight years ago – when the agency realized that most government workers would soon be working on their smartphones and logging into their offices remotely.
The agency has decided to go public now to further explain what it does to Canadians, Jones said.
“I can’t hide the fact that our genesis came from some sort of intelligence agency that boasted that it really wasn’t known,” he said.
“It was really time to start showing people, ‘Here is one of the things that we do for the government, we are good at it.’ I know it’s not Canadian to say things like that, but we’re really good at it.”
The success of the program recently convinced CSE’s UK counterpart, the National Cyber Security Center, to partner with the cyber center to implement a version of the host-based system on UK government systems.