The federal government has started a three-month public consultation on updating its cyber security strategy, asking security pros and citizens for input on how it should not only strengthen the national IT systems and critical infrastructure in the private sector but also help businesses and residents.
Public Services Minister Ralph Goodale said Tuesday the consultation, which ends Oct. 15, will help identify gaps and opportunities, bring forward new ideas to shape Canada’s renewed approach to cyber security and capitalize on the advantages of new technology and the digital economy.
“We need to get really good at cyber security – across our personal, business, infrastructure and government sectors – so we can take full advantage of the digital economy, while protecting the safety and security of Canadians, and selling our valuable cyber skills and products into a booming market throughout the rest of the world,” Goodale said in a statement.
In particular, the department wants to hear Canadians’ opinions on the evolution of cyber threats; the increasing economic significance of cyber security; the “expanding frontiers of cyber security”; and what federal strategy should be.
“We need to take our cyber game to a whole new level,” Goodale said in a statement in June previewing the consultation announcement. While major corporations are spending “mega-bucks” to protect themselves, smaller businesses with limited time and resources can’t. “This represents real risk and missed opportunity,” he wrote.
Meanwhile, he added, the global job market for cyber pros is expected to rise by some six million over the next five years. That’s a career opportunity for Canadians and “a profit centre for businesses … But there’s no sense of this in Canada’s current cyber security strategy, which dates back to 2010 and is decidedly out-of-date.” Hence the review.
Among the discussion ideas: certifying businesses that meet recognized cyber security standards, guidelines or best practice frameworks. Another is “encouraging” senior business executives to report to their boards on the cyber security health of their organizations. A third is creating a national cybercrime centre to co-ordinate cybercrime investigations across jurisdictions. There already is a Canadian Cyber Incident Response Centre, but it is a federal body.
The government is asking for online or written input. There’s a workbook with background and suggested questions to answer for general contributors, some of which will be useful to policy makers (Are there barriers to reporting cybercrimes to law enforcement? How can cybercrime be addressed in a manner that respects Canadians’ privacy rights and protects public safety? How can Canadian businesses be encouraged to adopt better cyber security regimes – particularly small and medium enterprises?).
But there’s at least one suggested question of interest to infosec pros: What are the constraints to information sharing on advanced cyber threats and associated vulnerabilities?
Threat information sharing is being encouraged by a number of experts as a way to counter the growing number of threat vectors. Exchanging incidents of compromise is one thing. Passing names of suspect hackers and companies is another, depending on the circumstances. Does Canadian law protect private companies from passing such information to police? Note that at the end of 2015, to make the issue clearer, the U.S. Congress passed a law giving liability protection for information sharing. According to a news report the law requires reasonable efforts be made to protect the distribution of personally identifiable information unless it is relevant to cybersecurity.
On the broader issue of threat intelligence sharing, the Conference Board of Canada recently released the results of a survey of more than 500 Canadian infosec pros who rated the quality of the information they get either from other businesses or governments to be only fair to average.
One expert who helped provide advice to Ottawa on the consultation says it’s long overdue. “I think we should have done this a couple of years ago,” said Imran Ahmad, a Toronto lawyer with the Miller Thomson firm and cyber security and privacy specialist who is also a member of the advisory board of the Canadian Advanced Technologies Alliance’s cyber security council. He and other members of CATA made a presentation on the possible shape of a consultation earlier this year.
Still, he called the announcement “a good document.” It asks for input on important questions such as the kind of support business and individuals need to fight cybercrime, he said. “But the key is going to be what they do with this at the end of the day. I’m not sure if three months for a consultation process that starts in the summer will be sufficient for businesses to focus on.”
Robert Wong, executive vice-president and chief information and risk officer of Toronto Hydro, says a public consultation will be useful. “It’s quite a delicate balancing act to try to protect the interests of various stakeholders such as protection of information and infrastructure, national security, individual privacy, intellectual property, financial and economic health, and crime prevention. If the consultation process helps to produce sound and balanced policies and perhaps regulations that effectively support these interests then it would be a worthwhile endeavour.”
As for somehow encouraging reports to boards, Wong said he fully supports the practice of regular reporting of cyber security health to directors so that they can instruct management to ensure any risks are well managed.
In a mandate letter from Prime Minister Justin Trudeau when he was appointed, Goodale was directed to lead a review of existing measures to protect Canadians and critical infrastructure from cyber-threats in partnership with the ministers of defence, Innovation (formerly Industry Canada), Infrastructure and Communities, Public Services and Procurement and the President of the Treasury Board. The consultation has gone broader than just critical infrastructure.
In its announcement the government suggests cyber security is both a threat and an opportunity. For example, it points out that about 70 per cent of Canadian businesses have been victims of cyber attacks, with an average cost of $15,000 an incident. It also notes that the current global market for cybersecurity products and services is expected to grow to over $170 billion by 2020, and the job market for cyber pros is expected to rise by six million in the next four years.
Canada has had a cyber security strategy dating back over a decade. Initially it was around shoring up federal systems. In 2004 the Chretien government announced $700 million to improve capabilities in a number of departments. In 2010 the Harper government announced a more detailed strategy with a focus on critical infrastructure such as the electricity grid, telecommunications and the finance system — although a year later it was criticized by the auditor-general for being a toothless paper because there was no implementation plan. Eventually a plan was created.
To put this into some context, earlier this year U.S. President Barack Obama announced a national cyber security action plan which included the creation of a Commission on Enhancing National Cybersecurity, and a country-wide cybersecurity awareness campaign headed by the vendor-backed National Cyber Security Alliance.
Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada, acknowledged in an interview that Ottawa already has a number of channels through which it quietly pulls in opinions from the security industry. This consultation is a “healthy step” for adding input from ordinary Canadians.
As for the industry taking advantage of the demand for cyber security expertise, he noted that in May New Brunswick announced a strategy to attract security startups to the province. Meanwhile Conference Board staff are about to go to Israel to learn how it has created a cyber security startup ecosystem.