The country’s biggest law enforcement and electronic security agencies are about to have their cyber crime fight capabilities increased by tens of millions of dollars.
In its budget announced Tuesday the government proposes giving the Communications Security Establishment more than $155 million over five years to create a new Canadian Centre for Cyber Security to consolidate its cyber expertise from across the federal government under one roof. That includes the Canadian Cyber Incident Response Centre, the national threat sharing service.
More importantly, the Centre for Cyber Security will have the mandate of providing residents and businesses with a place online to turn to for cyber security information. Until now that’s been handled by Public Saftey Canada, but the Centre for Cyber Security is a more catchy name.
While most government cyber security functions will go into the CCCS, which reports to the defence department, Public Safety Canada still has responsibility for cyber policy.
However, before the centre can be created Parliament has to pass legislation allowing various government cyber security units to be folded into it. Federal responsibility to investigate potential criminal activities will remain with the RCMP.
Separately the CSE, responsible for securing federal networks including making encryption solutions for secure communications and breaking the encryption of Canadian adversaries, will get $225 million over four years, starting in fiscal year 2020–21, and $62.1 million ongoing, to keep up its ability to capture foreign signals intelligence.
The government also plans to give the RCMP $116 million over five years to create its much-sought-after National Cybercrime Co-ordination Unit, which not only will act as a hub for cybercrime investigations across Canada, it will also be a one-spot place where residents and businesses can report cyber crime.
The unit will also be a resource to municipal and provincial police forces.
Both centers will also receive extra annual funding to support ongoing operations.
The government is also dedicating $236.5 million over five years, and $41.2 million per year ongoing, to support the upcoming refresh of the National Cyber Security Strategy. Details of the strategy will be announced shortly, but in its budget statement the government says the new strategy will
- Ensure secure and resilient Canadian cyber systems by enhancing the Government of Canada’s ability to investigate cybercrime, developing threat assessments, keeping critical infrastructure safe, and work in collaboration with the financial and energy sectors on bolstering their cyber security;
- Invest in an innovative and adaptive cyber ecosystem by supporting work-integrated cyber learning placements for students and helping businesses improve their cyber security posture through the creation of a voluntary cyber certification program; and,
- Strengthen leadership, governance and collaboration by taking the lead, both at home and abroad, to advance cyber security in Canada, working closely with provincial, territorial, private sector and trusted international partners.
There are no details about the business cyber certification program, but it is believed this is a reference to New Brunswick’s CyberNB Cyber Essentials Canada program, an adaptation of the U.K.’s program with a similar name. Meeting a standard allows a business to display a logo to show customers and staff it has taken steps to protect personal data.
Public Safety Canada will get $1.4 million in the fiscal year that starts April 1 to continue operations of the Regional Resilience Assessment Program and the Virtual Risk Analysis Cell. These programs support assessments of critical infrastructure facilities, such as energy grids, information and communication technology networks and hospitals. The Virtual Risk Analysis Cell also promotes online information sharing across the critical infrastructure community. Both are part of the current national cyber security strategy.
“Taken together, these investments will allow Canadians to continue to benefit from digital connections in a way that protects them, their personal information and our infrastructure from cybercrime,” the budget says.
There’s also $2.2 billion for the continuing effort to modernize government systems. That includes $2.2 billion over six years, starting in fiscal 2018 –plus $349.8 million per year after that — to improve the management and provision of federal IT services and infrastructure and to support related cyber security measures.
All this comes after a Public Safety Canada review last fall of the country’s current national cyber strategy included complaints the public is confused about which agency to report cyber incidents, and that federal and provincial security bureaucrats weren’t sharing information well.
And there will be $110 million over six years, starting in fiscal 2018, for Shared Services Canada’s partner departments and agencies to help them migrate their applications from older data centres into more secure modern data centres or cloud solutions. This follows complaints from the RCMP about Shared Services Canada’s performance. Shared Services provides a number of merged services to most departments.
A majority of the funding for these initiatives will be reallocated from federal organizations that receive mandatory services from Shared Services Canada. The ability of the Government’s IT systems to protect Canadians’ data and meet future demands will depend on a strong IT governance structure. To support this, the government says it will redefine the role of the federal Chief Information Officer in an unspecified way.
In addition, the government says it will give Canada Revenue Agency $30 million over five years to enhance the security of its systems, which hold taxpayer information.
In an interview Satyamoorthy Kabilan, director of national foresight at the Conference Board of Canada, said the Canadian Centre for Cyber Security sounds like it’s based on the U.K.’s National Cybersecurity Centre. Like the Canadian centre, the U.K. site is tied to that country’s electronic spy agency, the Government Communications Headquarters (GCHQ), and has a wide range of online resources.
“It’s one of the good examples of how you communicate cyber security, particularly to the general public and small businesses. The challenge will be in the execution — will it get the same reach to be able to have the same standing as what I think is a very good model in the U.K.”
However, Kabilan wonders how much of the new RCMP funding will go to investigating cyber crime.
“Right now investigating cyber crime is a very big challenge. I would hazard a guess that not even ($116 million) will make a huge dent in the cyber crime piece,” he said. (The unit will also get $23 million a year for operating costs.) “There’s talk here (in the budget of working with) international partners” — such as law enforcement agencies in other countries — “but can we actually go after people in different countries? What is our capacity to bring people to justice? Right now, because of the costs and complexity of cyber crime, most law enforcement agencies because of restricted budgets tend to focus on the most damaging crime.”
The U.S. Justice Department and European police have sometimes credited the help of the RCMP in providing information that has led to indictments or arrests of suspects involved in cyber crime.
Kabilan did express regret the security section of the budget doesn’t talk about putting more resources educating the public about cyber security. That is part of the new Canadian Cyber Security Centre’s responsibilities, but Kabilan said one of the biggest problems in cyber security is improving the public’s knowledge about how to protect themselves and their businesses.
To Imran Ahmad, a cyber security and privacy lawyer who is also a board member of the cyber council Canadian Advanced Technology Alliance (CATA), the most notable announcement is the creation of the Canadian Centre for Cyber Security (CCCS). “While the initial commitment for $155.2 over five years is modest, at least there’s a minimal commitment for ongoing funding which shows a long-term commitment,” he said in an email.
“A lot will depend on what the CCCS actually does and how quickly it can be stood up. Being the primary point of contact, it will be interesting to see if the CCCS will have the bandwidth to keep up with the demand. It will also be interesting to see how much of the CCCS’s work will be focused public versus private sector support.
“It would have been nice if the Government outlined the timeline for setting up the CCCS.”
The RCMP National Cybercrime Co-ordination Unit “is also a good initiative and one which all levels of law enforcement will welcome.” However, he noted it is unclear whether it will be mandatory for the public or businesses to report cyber crime.
Currently, few local police forces have the resources to investigate cyber crime the way they do fraud and robbery. Also, often Canadian businesses decide not to report, sometimes on the advice of their lawyers because police want to seize original evidence — like servers and hard drives. That means cyber crime is under-reported. To some degree that will be covered when businesses have to face mandatory data breach reporting information to the federal privacy commissioner. The deadline for starting that reporting hasn’t been set yet, but it might be part of the national cyber security strategy roll-out.
Scott Tod, deputy chief of the North Bay, Ont., police force and co-chair of the electronic crime advisory council to the Canadian Chiefs of Police, said the group is pleased with Ottawa’s decision. The council, which includes businesses and members of CATA, has been lobbying for two years for a national cyber crime reporting centre. Such data is needed to identify the depth of cyber crime here and develop solutions, he said. “We’re glad to see the RCMP leading it because we see them as the leaders in cyber crime investigations across Canada.”It’s nice to see a significant amount of money being put into cyber security.”
David Swan, head of cyber intelligence at the consultancy Centre for Strategic Cyberspace + Security Science, said in an interview the RCMP needs more funds to prosecute cyber crime. But, he also said the budget shows the government doesn’t understand the private sector needs the more help in fighting attackers. Companies want help in prevention and mitigation, he said.
“No one is responsble for what I call ‘preventive ops,'” he said. The words in the budget suggest the government’s main effort is to prosecute crime, which Swan said amounts to “react after we’ve been hit.” That, he said, is the wrong emphasis.
“The dollar figure might work,” he acknowledged, “but I what I want to hear is support to business and private Canadians about threat sharing … and an emphasis on preventing cyber crime.”