The arguments for a consistent, coordinated approach to IT security are irrefutable. Our society, and the world in which we live, have become increasingly if not irreversibly dependent on uninterrupted computer systems and computer-mediated communication. Not only is information technology in itself critical infrastructure, it is the horizontal foundation for the other critical infrastructure upon which we depend, from law enforcement and first response to medical care, from antiterrorism to road, rail and air transport.
There is nothing easy about IT security. Even the most straightforward collective initiatives can run into trouble. In recent weeks, one such effort was launched, a common naming protocol for computer viruses, only to encounter a storm of criticism – too many big anti-virus vendors are involved; each anti-virus system perceives viruses differently; who will process incoming data, how will threat notifications be released. On the frontlines, far too many Computer Security Incident Response Teams still work in isolation or through bilateral or regional arrangements. Most would probably prefer to belong to a true international detection, alert and response system, but it does not yet exist. One authoritative source estimates that it may still be years away, after almost two decades of tinkering.
It has been 18 months since the federal government released Securing An Open Society: Canada’s National Security Policy. The new policy came with a shopping list for some big-ticket purchases, like $308 million for Marine Security and $100 million for a Real Time Identification Project for fingerprints. Arguably, however, the most important technology item was the least expensive — $5 million for a Cyber-Security Task Force.
The new body was billed as essential to Canada’s National Security Policy, to fulfill political commitments to better emergency coordination. Bringing together representatives of both public and private sectors, supported by a secretariat within Public Safety and Emergency Preparedness Canada and operating with a high degree of autonomy, the Task Force would assume the development of a “national cyber-security strategy that is representative of government and private sector interests.”
The terms of reference for the Task Force call for a description of the cyber threats Canada might face; an inventory of the country’s critical IT infrastructure; an assessment of our readiness to face attacks and recover from them, and, above all, recommendations for action plans to better protect our cyber assets.
As the Information Technology Association of Canada has pointed out, it is disappointing that, as of this fall, the Task Force had still not been named. Disappointing – but hardly surprising, given the range of threats that the national security apparatus must address, the inevitable distractions of a minority government, and, quite possibly, an extended period of recruitment, negotiation and tuning of the terms of reference.
In fact, the announcement of the Cyber-Security Task Force might have been either too late or too early for other important events, most notably the process leading up to the modernization of the Emergency Preparedness Act. In a consultation paper released in July, Public Safety and Emergency Preparedness Canada (PSEPC) noted that “the existing legislation does not … provide direction for widespread cooperation and information sharing on cyber threats, incidents and protective measures, which are required in our computer-dependent world.”
As well, the current act was written at a time when information gathering, processing and storage took place on a different scale. Most importantly, however, it “does not provide the statutory basis to address threats to Canada’s critical infrastructure and cyber networks.”
To its credit, the federal government has been extremely busy on homeland security, trying to cover a range of issues, each with a valid claim to priority. Agencies with strong core missions can present their cases and receive ministerial support. IT security does not get the attention it deserves because it is diffused throughout government. Twenty years ago, there was no Minister for Typewriter and Telephone Security, because we didn’t need one. Today there is no Minister for Information Technology Security, but we do need one.
There has been progress. PSEPC has established a 24-hour seven-days-a-week Government Operations Centre to coordinate a national emergency response, and within that, the Canadian Cyber Incident Response Centre provides the same kind of coverage and coordination for cyber incidents involving critical infrastructure.
IT security threats have steadily progressed from vandalism to organized crime. There is credible evidence that terrorists or even national governments may launch the next level of attacks. Threats can never be entirely predictable; some attacks may always lie beyond our power to anticipate and avert. But all the administrative structures to coordinate our defensive measures and the technology and talent needed to implement them are under our control. Leadership is the missing variable. It is increasingly likely that the necessary administrative apparatus to prevent and mitigate disasters will only emerge after they have happened.
Richard Bray is an Ottawa-based freelance journalist specializing in technology and security issues.