Canadian political and cyber leaders can learn lessons from a new U.S. congressional report on how the U.S. federal government should defend against internet-based threats, says a security expert.
The report by the bipartisan Cyberspace Solarium Commission issued Wednesday is “pretty cutting edge,” said Christian Leuprecht a security and defence expert at Royal Military College and Queen’s University in Kingston, Ont.
“What the commission does is validate many of the moves Canada has already made, but it also shows that there’s a lot of ground left to cover. The government’s going to have to have a much more honest and open conversation with Canadians about this space so they understand it a human behaviour and is not a technical problem. Technology plays a role, but you can invest all the money in the world and you’re not going to get ahead.”
The report notes that about 95 per cent of successful cyber attacks are the fault of what he called “rookie mistakes that people making in configuring technology, or [poor] digital hygiene — not patching, retaining default passwords.”
Named after President Dwight Eisenhower’s 1953 Project Solarium on strategic challenges, the 182-page report makes 75 recommendations across the public and private sector, while presenting several draft bills and proposing changes to government departments and the creation of a National Cyber Director.
(There was a cybersecurity co-ordinator within the U.S. National Security Council, but it was eliminated in 2018).
“The reality is that we are dangerously insecure in cyber,” the executive summary says. “Our country has lost hundreds of billions of dollars to nation-state-sponsored intellectual property theft using cyber espionage. A major cyberattack on the nation’s critical infrastructure and economic system would create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast.”
The 14 commissioners — four legislators from Congress, four senior Trump administration executive agency leaders, and six experts from outside of government — admit they didn’t agree on everything.
For example, they couldn’t make a firm recommendation on the controversial issue of whether the government should order tech companies to give law enforcement and intelligence agencies lawful access to encrypted devices. All they could do is provide a common statement of principles.
The report’s recommendations are group into six pillars:
- Reform the U.S. government’s structure and organization for cyberspace so decisions can be made quicker;
- Strengthen international cyber norms, or accepted rules of cyber behaviour, through enforceable agreements;
- Promote national resilience in critical infrastructure, which is the capacity to quickly recover from cyber-attacks;
- Reshape the cyber ecosystem by partnering with the private sector to encourage the baseline of security to rise;
- Improve collaboration with the private sector to not only help the government counter cyber threats but also help business understand them;
- Allow the cyber capabilities of the military to “defend forward” against threats and impose costs on attackers.
Canada’s strategy has a number of elements: An updated 2018 National Cybersecurity Strategy, which for years has included working with 10 critical infrastructure sectors (such as energy, transportation, healthcare, manufacturing and finance) to guide them on improving their cybersecurity and response, backed with a 2019 implementation plan; the merging of several federal cyber units in 2018 to create the Canadian Centre for Cyber Security for better advising the public and private sectors; the creation with the RCMP of a National Cyber Crime Coordination Unit (NC3) for handling complaints; and federal support for the Canadian Cyber Threat Exchange (CCTX), a threat information sharing service largely for the private sector.
However, the Centre for Cyber Security isn’t fully up to steam. A program to certify businesses as meeting minimum security standards has been launched, but won’t be really running until next year, and the RCMP’s NC3 won’t be until 2023.
All this is praised by Leuprecht. “There are some areas where we are exemplary, and the CCTX is a good example.” And so is the Canadian Centre for Cyber Security, once it’s fully operational, he added. “That is something lacking in the U.S.”
However, he complains “there’s lots of talk in Ottawa about resilience, but no one knows how to do it.”
When it comes to Canada’s critical infrastructure, there’s a lot of heavy lifting to be done, especially around the National Cybersecurity Strategy. “We’ve really left much of the private sector up to themselves to try and figure it out.”
He believes a cyber attack against the healthcare sector now during a serious outbreak of a flu-like virus would cause “chaos.”
Rather than act at the speed of cyber, he complained “we have a government structure set up to move at analog speeds. We need much more rapid decision processes, we need a more agile and flatter government” to respond to online threats.