The federal government isn’t working closely enough with the cyber security sector in purchasing products or sharing threat information, says a recent report from the country’s defence sector.
The report by the Canadian Association of Defence and Security Industries (CADSI) says there’s an urgent need for the Canadian Armed Forces (CAF) to operate, defend and project power in the cyber domain.
However, it complains the military places an “overemphasis on resiliency, emergency management and disaster recovery, at the possible expense of defensive and offensive cyber operations.” That “has left the CAF trailing allies and adversaries in certain cyber defence capabilities.”
“Adversaries and allies have also demonstrated their ability to deploy new cyber capabilities in months or weeks, while the CAF remains burdened by a years-long and sometimes decades-long procurement cycle,” says the report.
Meanwhile, leading cyber countries like the U.S., the U.K. and Australia have a “porous” boundary between government and industry, resulting in industrial bases that are “highly mobilized and integral to countering cyber threats.”
“For Canada to win on the cyber-enabled battlefield, government and industry must collaborate intentionally, as our allies do.”
Among its recommendations:
–more formal co-operation between industry, provincial and federal departments on cyber issues;
–create a secure online cyber defence network for threat sharing;
–modernize federal cyber procurement by creating different authorities for cyber defence purchases, and by overhauling the government classification of products and services;
–increase the pool of talent through a talent-sharing agreement between government and industry.
“Silos are preventing key companies from having meaningful collaboration and capacity building,” association president Christyn Cianfarani said in an interview.
About 15 federal government departments make cyber-related purchases, with four entities (including Public Services and Procurement Canada) that industry has to deal with. With no centralized lead for decision-making on buying, “you get no one leading it.”
And generally Ottawa thinks foreign companies have better software and hardware solutions than Canadian firms, she added.
One key part of the report details a number of Canadian-owned or foreign firms with Canadian offices that have cyber-related products and services. There are 26 companies with capabilities relevant or adjacent to cyber defence, 12 companies with demonstrable cyber defence capability, and 18 at the core of the cyber defence industry with broad in-country strength. While these last two categories total 30 firms, “these companies possess strong situational awareness and the means to mitigate threats proactively, with precision and agility, at cyber speed,” said the report. “They can develop and deploy new cyber technologies, training programs and services in ten months or less.”
The report also has an extensive list of capabilities of the sector, ranging from “Over-the-Horizon (OTH) Offensive Cyber Threat Capability Research” to “Irregular / Unconventional Warfare Influence and Information Activities.”
Cianfarani said this directory of suppliers is not only proof of Canadian capability but also a list that hasn’t been compiled before.
A key finding is that “government and industry lack the mutual trust required to effectively collaborate in the cyber defence of Canada.” Among those who agree is Christian Leuprecht, a security and defence expert at the Macdonald Laurier Institute, and a professor at Queen’s University.
Ottawa ‘likes to play alone’
The Canadian government “likes to play very much alone … they keep all the threats and vulnerabilities to themselves,” he said in an interview, “they don’t share a whole lot of intelligence, and to share that you have to have trust.”
“We don’t have the networks with industry that exist elsewhere.”
Cyber technology moves quickly, he added. “If you want to have globally competitive companies, they need to be aware of what’s happening. Large corporations can do that themselves, but if you’re a small or medium-sized company … you don’t have a lot of extra bandwidth to invest in research in what’s happening in the world.”
Asked for comment on the report, Public Services and Procurement referred a reporter to National Defence.
On procurement complaints, the department said “all Government of Canada contracting is done in a manner that enhances access, competition and fairness and results in best value or, if appropriate, the optimal balance of overall benefits to the Crown and the Canadian people.
“We follow rigorous, fair processes to ensure both value for money, while ensuring institutional needs to meet its mandate of protecting Canada.”
Cyber is an ‘essential enabler’
Asked to comment on the report’s finding that “industry does not perceive government to be a strong adopter of Canadian cyber defence technologies,” the department said it is only one of many federal departments that use cyber defence technologies, so it would be inappropriate to comment on behalf of the entire government.
“That said, cyberspace has become an essential enabler of military operations,” it added.
“This is why Canada’s new Defence Policy calls for a more assertive posture in the cyber domain by hardening our defences, and by conducting active cyber operations against potential adversaries in the context of government-authorized military missions.”
The report has had an impact, Cianfarani said. “The reception to this report from government officials has been very positive.” In addition to asking for briefings from the association, the government says the department of Innovation, Science and Economic Development and Statistics Canada will collaborate on a study to capture more detail on the cyber sector; Public Safety and the Defence department are talking about working closer with industry; and the Canadian Cyber Security Centre (the government’s centre of excellence) has asked about closer ties.
“It’s clear to me there is a real appetite to look at this problem space differently than in the past,” she said. “I think there’s an understanding that doing the same thing that we’ve done repeatedly for the last 10 years is not going to cut it.”