Of all the economic fears that could keep Stephen Poloz awake at night, the threat of a cyberattack is perhaps the one that troubles him the most.
The Bank of Canada governor can talk all day about household debt and how a global recession would slow down the economy, push up unemployment and make mortgage payments difficult for some people, and never lose faith that the system would be resilient enough to prevail, he said in an interview.
But a cyberattack against the financial system? Poloz admits he’s unsure what the fallout would be and he struggles to picture what such an event might look like.
For a policy-maker who carefully studies stacks of data before making a decision, the many unknowns surrounding the rapidly evolving world of cyberthreats are disconcerting, to say the least.
“It leaps up to the top of your consciousness pretty quickly — I think in many ways it’s more worrisome than all the other stuff,” Poloz told The Canadian Press in an interview Wednesday at the bank’s headquarters in Ottawa.
“Every event you hear of sounds different, or happens in a different way…. There’s all these things you and you think, ‘My God, how do I get my arms around that whole risk and what are the consequences?”‘
Poloz shared his unease at a time when governments, central banks and the private sector around the world are searching for new strategies to counter hacks. Many, including the Bank of Canada, are pouring more resources into the area to learn new ways to prevent an attack, react to contain any damage, and how to pick up the pieces afterwards, if necessary.
The central bank warned Canadians in June that the country’s interconnected banks are vulnerable to a cascading series of cyberattacks, something that could undermine broad confidence in the financial system.
The report, known as the financial system review, also said such structural vulnerability could allow for the easy spread of an initial attack into other sectors, such as energy or water systems. The report urged commercial banks to co-operate on countering the threats, which aren’t going away any time soon.
It pointed to eight high-profile cyberattacks on banks in 2016, including an US$81-million heist at the Bangladesh Bank.
One recent, high-profile example was the cyberhack last summer of the company Equifax, which collects data on consumer credit histories and provides credit checks. It led to a data breach that compromised the personal information of about 145 million Americans and 8,000 Canadians.
The federal government, including the finance and public safety departments, have been studying policy options to better protect Canada. In 2016, the government promised $77 million in new money over five years to bolster cybersecurity.
The Senate’s banking, trade and commerce committee has also been studying cybersecurity.
Their efforts come amid signs that suggest Canada still has a long way to go.
A federally commissioned report last year warned the government was “simply not up to the overall challenge” of fending off cyberthreats on its own and must partner with the private sector and the United States to tackle the problem.
Canada was also called a prime target for cybercrime, state-sponsored attacks and lone hackers, said the final draft version of the April 2016 report, which was obtained by The Canadian Press via the Access to Information Act.
On Wednesday, Poloz said government has a critical, co-ordinating role to play in defending the entire system — not just the public sector — from hackers.
“If you continue just to add institution-by-institution guidelines, you will not create enough of an umbrella to protect anybody from the social consequences of a cyber event and, therefore, almost definitionally there will be one,” said Poloz, who expects the issue to feature prominently on the G7 agenda when Canada plays host next year.
“What are the social consequences if our payments system goes down for any length of time? Big disruption to the economy. So, it becomes a macroeconomic consequence from maybe only one member of the payments system having a vulnerability that wasn’t guarded against.”
J. Paul Haynes, president and CEO of a Canadian cybersecurity firm eSentire, said even smaller hacking incidents can ripple through the system and create far greater collateral damage.
“We are one mouse click away from a doomsday situation being set in motion,” said Haynes, who has made presentations on cyberthreats for officials from the Bank of Canada and other regulators.
But even the best efforts sometimes fall short, experts warn.
Paul Vallee, president and CEO of the Canadian-based IT services firm Pythian, said the financial system’s vulnerability to a cyberattack is very real despite attempts by companies, such as commercial banks, to defend themselves.
“These people are working very hard on this and they have well-funded initiatives to try to secure their infrastructure,” Vallee said. “It doesn’t change the fact that the likelihood of an incident is almost perfect — it’s almost for sure guaranteed.”