Intercast February 2024 – Canada Bill C-26

Welcome to the February 2024 edition of Intercast’s monthly newsletter for cybersecurity professionals. As always, we’ll bring you the latest news and views to bring you up to speed.

In This Issue:

  • Client Insight: Bill C-26- Is the Juice Worth The Squeeze?
  • LastPass Responds At Last
  • North Korea Cashes In On Crypto
  • We Don’t Need No Education?

Client Insight

Each month we ask our clients what’s on their mind to find out more about what’s important in the industry. This month’s debate is still raging about Canada’s Bill C-26, a major legislative proposal on cybersecurity. While introduced more than 18 months ago, the proposals have only just reached the committee stage. That’s where they are examined in more detail before legislators make a final decision.

The new law will initially cover critical infrastructure in key sectors such as banking, energy and telecoms but may expand its reach later. It would require critical infrastructure providers to:

  • Implement, maintain and report on a cybersecurity program
  • Report cyber incidents to the Canadian Centre for Cyber Security
  • Officials could also order operators to discontinue using certain products or suppliers

Based on our conversations with clients, many people support the broad aims but have questions about the implementation. Overall consensus is that addressing cyber in the legislature is positive. But more government reporting more often than not results in more red tape and slower implementation of transformational risk reduction programs.


LastPass Responds At Last

LastPass is finally enforcing a 12-character minimum for its master password for long-time customers. It’s taken more than a year to make the move after a serious breach.

Back in 2022, hackers accessed LastPass customers’ encrypted vaults. That meant that if and when they cracked the customer’s master password, they could access their complete set of stored passwords and other login details.

LastPass’s argument that this wasn’t a total disaster as long as customers had a suitably secure master password was undermined by the fact that it didn’t have a minimum length requirement. From April last year it introduced a 12-character minimum (and minimum hashing iterations) for new customers and for anyone changing or resetting their master password.

However, it’s only now going to force existing customers to switch to a longer password if they don’t currently meet the minimum requirements. Why it didn’t do so last year – or better still, long before the breach happened – remains unclear.


North Korea Cashes In On Crypto

An estimated one-third of all stolen cryptocurrency (by value) winds up in North Korea according to new research. TRM says hackers in the country took $600 million in 2023.

It’s almost certainly from state-backed operations given virtually no citizens of the country have private access to the Internet or any useful way of spending the loot. The government backing could also explain why the average North Korean-originated attack takes around 10 times as much cryptocurrency as those from elsewhere.

The incentive is certainly there. Given the country is under widespread economic sanctions, crypto-heists are one of the few ways the government can generate money to fund state operations.

We Don’t Need No Education?

Many cybersecurity pros feel their college or university education was of limited use for their eventual career. The positive spin may be that a wider range of candidates could be available to the industry through professional training after finishing education.

The figures come from a survey for Kaspersky of 1,012 security pros across 29 countries. Headline findings include an even split between those who found their higher education “very” or “extremely” useful for their day-to-day work and those who described it as “somewhat”, “slightly” or “not at all” useful.

It’s hard to read too much into the figures as only 36 percent of respondents studied information technology or computer science, with engineering, business management and science making up the bulk of the other subjects studied. Meanwhile only 43 percent of all respondents said they had any form of information security in their curriculum.

Common complaints included availability of information security courses being poor, courses offering a lack of hands-on experience, and too many teachers not having real-life cybersecurity experience. Nearly half of respondents said they’d taken professional cyber education courses to develop their career.


Best Of The Rest

Here’s our round up of what else you need to know: