BRAMPTON, Ont. — Canadian manufacturers should work together to identify and solve cyber security problems as well as to avoid government imposing security regulation, says a senior federal official.
“You should be thinking harder about collaboration,” Adam Hatfield, the Canadian Cyber Security Centre’s director of partnerships, told manufacturers Thursday at a conference here.
“One of the simplest things you can do if you’re a small business and the cyber thing is scary, if there’s a bunch of people in your industry you have coffee with, schedule a meeting and talk: What’s happening on your network this week? Just start talking. You’ll be amazed at how often someone says, ‘We had this,’ and six other people at the table say, ‘That happened to me.’
“In small groups, and big groups like this, collaboration is where you’ll see a huge difference.”
He also said firms should work together to create industry standards for making digital products safer.
“You want to get together and say, ‘We build this kind of gear, it has some digital technology in it and it needs to be secure.’”
“No one knows more about your work and what the cyber security implications are than you,” he said.
“Find your competitors and get together and say, ‘We’re going to put together a code of practice for how we produce that stuff: how we maintain it in the field, how we ensure it is secure. If we find it’s insecure, how do we pull it back from the customer and fix it?’”
Then, Hatfield added, show it to the world and say “This is the Canadian model, throw some rocks at it, help us make it better.”
He was speaking at a cyber conference for the manufacturing sector hosted by the Centre, the federal government’s central authority for advising businesses, and Ryerson University, which is about to open a cyber innovation hub called the Cybersecure Catalyst in this city just west of Toronto.
However, it isn’t clear how willing the private sector is to work together on cyber security. Industry analysts have said for years that companies need to work together to share threat information and best practices to fight well-financed threat actors.
However, unlike the country’s biggest banks, who have a long history of co-operating on security, the Canadian manufacturing sector — like many others — has yet to adopt that model. Large companies may be part of information sharing and analysis groups called ISACs, but mid to small firms rarely form them.
In an interview on the sidelines of the conference, the head of information technology for a small group of local companies gave some insight into why.
Jeffrey Estrela, IT manager for the Bempro Global Group, which includes a custom metal manufacturer, a company that makes industrial cooling solutions and a firm that makes racks and cabinets for data centers, suspects firms are afraid the talk will lead to revelation of a security incident which could be used against them. “Companies really don’t like when you talk to competitors,” he said.
Which is troubling because Estrela’s firm is a good example of why sharing threat information could be useful. Although overseeing a small operation with an IT staff of four, Estrela has had to deal with online attacks he’s certain came from a foreign government looking for intellectual property to steal.
The fear of working too closely with a competitor is a problem, agreed Ira Goldstein, senior vice-president of field operations and corporate development at the Herjavec Group, a security consultancy, who was one of the speakers at the conference. “We need to facilitate that interaction in a safe space.”
One possibility is the Canadian Cyber Threat Exchange (CCTX), which in January began actively recruiting SMBs for members. Among the services offered is a collaboration portal.
“There’s no question that we have to do better” at collaborating, Charles Finlay, executive director of Ryerson’s Cybersecure Catalyst, said in an interview here. “And not just the manufacturing sector but lots of sectors of the economy have to work together more effectively to meet this challenge. The question for us is what do we do, and the answer is fill rooms like this and get people talking to each other and build those connections.”
The Ryerson hub is a not-for-profit innovation and training centre with a number of goals: To train and increase certifications of existing cyber and IT employees; to attract women and under-represented people to cyber security; and to host a cyber incubator. That part will open in 2020.
In an interview Hatfield said the centre doesn’t know how extensively manufacturers collaborate on cyber security. “But every time I talk to people I hear more than I would have expected. So I’m actually excited and reassured from what I’m seeing in this sector, because every time we come to an event like this it’s standing room only at the back. That is tremendously heartening.”
Formed last fall, the Canadian Cyber Security Centre (CCSC) is the public face of the Communications Security Establishment, which has the responsibility for securing federal communications and networks. When fully up and running the centre will be a place where businesses can take their solutions for cyber testing.
One of Hatfield’s messages was that the CCSC also welcomes calls from infosec pros as soon as they see a cyber attack. They may tip off the Centre about a new attack; if not, staff may be able to offer advice on how to deal with the attack.
However, he also made two other points: The centre can’t handle all issues; it is most interested in problems that could affect all Canadians. (In other words, he said, don’t call if there’s a problem with a digital sign outside your firm). And, he added, the centre is not a replacement for publicly or commercially available security resources.
“If you want to catch the bad guys, call law enforcement. We’re here to help you fix the problem.”
Nor, he added, is the centre a place for more information about publicly-reported hacks. “Anything we learn that can help you protect your network we will share with you. We won’t tell you where we got it … If you’re having a cyber incident ultimately it’s you who has to fix it. We can help you do that. We can be a safe player on your team.”
He also urged manufacturers involved in or selling to critical industries to register with the centre to receive cyber alerts.
Separately, when asked what to do about the shortage of infosec pros with cyber security experience, Hatfield said he agreed with a solution he heard at another conference: “Stop whining, hire smart people and train them.”
Finally, Hatfield said conference attendees should ask these questions of their managers:
– Is cyber security a priority?
– How prepared are we for a cyber attack?
– Do all firms in our supply chain have adequate cyber protection? If not, work with them to improve.
– Are we collaborating with others on cyber security and leveraging publicly-available and commercial resources?