• 		Enterprise Infrastructure
  Data Centre Servers and Mainframes Storage and Storage Sub-Systems Operating Systems Systems Management Peripherals Virtualization

• 		Communications Infrastructure
  Network and Management Planning Performance Management and Monitoring Network Devices Unified messaging Carriers and Cellular Wireless LAN

• 		Information Architecture
  Service Oriented Architectures Messaging and Collaboration Databases Data Warehousing Identity Management

• 		Integrating IT
  Development Environments Tools and Languages Project Management Middleware / Utilities Outsourcing and Application Service Providers (ASP)

• 		Departmental and End User Computing
  Personal Systems and Peripherals Personal and Portable Devices Personal and Office Productivity Applications Small-Area Networking (SAN) Help Desk and End-User Support Mobile Applications Future Technology

• 		Enterprise Business Applications
  Enterprise Resource Planning (ERP) Business Intelligence and Data Mining Enterprise Portals Open Source and Linux Online Retailing and Ecommerce Customer Relationship Management (CRM) and Customer Self-Service Supply Chain Management (SCM)

• 		Security
  Security Products, Practices and Infrastructure Disaster Recovery / Business Continuity Hacking and Viruses Alerts, Patches and Fixes Privacy Issues

• 		Voice Data and IP
  Carriers and Service Providers Protocols and Standards Hardware, Software and Emerging Applications Regulatory Issues

• 		IT Workplace
  Human Resources Issues Hiring and Retention Careers and the Job Market Salaries and Benefits Education and Training Consulting and Contracting Knowledge Management Knowledge Worker Tools

• 		Leadership
  Issues for CIOs Budgeting / IT Alignment Value Management and ROI Human Capital Management Best Practices Industry News IT Executive Development

• 		E-Government
  Case Studies and Best Practices From Canada and Internationally Legal and Government Policy Issues Management Issues Privacy and Security

• 		The good the bad and the ugly
  The good The bad and the ugly Useful and fun tips

• 		Green IT
  E-Waste and Recycling Hardware lifecycle management Power and cooling Paper and printers Green thinking

• 		News Briefs
  Breaking News

• 		IT Women
  Training and development Profiles Opinions and commentary Global perspectives

• Blogs

• Salary Calculator

• IT Executive Development Series

• Video Library

• IT World Canada Technology News Daily ITwire Global Newswatch

• Slide Show Library

• White Papers

• Product Reviews

• Careers

• ITWorld Canada RSS Feeds

Making haste slowly

Advertisement

The arguments for a consistent, coordinated approach to IT security are irrefutable. Our society, and the world in which we live, have become increasingly if not irreversibly dependent on uninterrupted computer systems and computer-mediated communication. Not only is information technology in itself critical infrastructure, it is the horizontal foundation for the other critical infrastructure upon which we depend, from law enforcement and first response to medical care, from antiterrorism to road, rail and air transport.

There is nothing easy about IT security. Even the most straightforward collective initiatives can run into trouble. In recent weeks, one such effort was launched, a common naming protocol for computer viruses, only to encounter a storm of criticism – too many big anti-virus vendors are involved; each anti-virus system perceives viruses differently; who will process incoming data, how will threat notifications be released. On the frontlines, far too many Computer Security Incident Response Teams still work in isolation or through bilateral or regional arrangements. Most would probably prefer to belong to a true international detection, alert and response system, but it does not yet exist. One authoritative source estimates that it may still be years away, after almost two decades of tinkering.

It has been 18 months since the federal government released Securing An Open Society: Canada’s National Security Policy. The new policy came with a shopping list for some big-ticket purchases, like $308 million for Marine Security and $100 million for a Real Time Identification Project for fingerprints. Arguably, however, the most important technology item was the least expensive -- $5 million for a Cyber-Security Task Force.

The new body was billed as essential to Canada’s National Security Policy, to fulfill political commitments to better emergency coordination. Bringing together representatives of both public and private sectors, supported by a secretariat within Public Safety and Emergency Preparedness Canada and operating with a high degree of autonomy, the Task Force would assume the development of a “national cyber-security strategy that is representative of government and private sector interests.”

The terms of reference for the Task Force call for a description of the cyber threats Canada might face; an inventory of the country’s critical IT infrastructure; an assessment of our readiness to face attacks and recover from them, and, above all, recommendations for action plans to better protect our cyber assets.

As the Information Technology Association of Canada has pointed out, it is disappointing that, as of this fall, the Task Force had still not been named. Disappointing – but hardly surprising, given the range of threats that the national security apparatus must address, the inevitable distractions of a minority government, and, quite possibly, an extended period of recruitment, negotiation and tuning of the terms of reference.

In fact, the announcement of the Cyber-Security Task Force might have been either too late or too early for other important events, most notably the process leading up to the modernization of the Emergency Preparedness Act. In a consultation paper released in July, Public Safety and Emergency Preparedness Canada (PSEPC) noted that “the existing legislation does not … provide direction for widespread cooperation and information sharing on cyber threats, incidents and protective measures, which are required in our computer-dependent world.”

As well, the current act was written at a time when information gathering, processing and storage took place on a different scale. Most importantly, however, it “does not provide the statutory basis to address threats to Canada’s critical infrastructure and cyber networks.”

Advertisement

To its credit, the federal government has been extremely busy on homeland security, trying to cover a range of issues, each with a valid claim to priority. Agencies with strong core missions can present their cases and receive ministerial support. IT security does not get the attention it deserves because it is diffused throughout government. Twenty years ago, there was no Minister for Typewriter and Telephone Security, because we didn’t need one. Today there is no Minister for Information Technology Security, but we do need one.

There has been progress. PSEPC has established a 24-hour seven-days-a-week Government Operations Centre to coordinate a national emergency response, and within that, the Canadian Cyber Incident Response Centre provides the same kind of coverage and coordination for cyber incidents involving critical infrastructure.

IT security threats have steadily progressed from vandalism to organized crime. There is credible evidence that terrorists or even national governments may launch the next level of attacks. Threats can never be entirely predictable; some attacks may always lie beyond our power to anticipate and avert. But all the administrative structures to coordinate our defensive measures and the technology and talent needed to implement them are under our control. Leadership is the missing variable. It is increasingly likely that the necessary administrative apparatus to prevent and mitigate disasters will only emerge after they have happened. Richard Bray (rbray@itworldcanada.com) is an Ottawa-based freelance journalist specializing in technology and security issues.