More candid threat sharing between companies and governments is needed to help protect critical infrastructure and residents from cyber attacks, said experts, including a senior official of the Bank of Canada, at a meeting on Tuesday with the Information Technology Association of Canada (ITAC).
“We need to urgently step up the spirit of collaboration throughout the Canadian economy,” Filipe Dinis, the bank’s chief operating officer, said during the meeting. “We need to encourage regular exercises that present companies with complex scenarios to test their cyber defenses and response capabilities. Even the process of designing risk scenarios can help companies determine potential sources of risk.”
He also suggested that regulators who oversee various industries might create “trusted secure channels” so sensitive threat-related information from a victim can be exchanged while protecting them from being publicly shamed.
“Further, governments could also consider strengthening minimum requirements around cyber resilience and mandate industry-wide and cross-sectoral testing that requires institutions to fix problems identified by the tests.”
The Bank of Canada plans to hold “regular, realistic and stringent” tabletop tests with financial institutions.
“I don’t expect that we’ll design the perfect regulations here today,” he told the meeting. “But I would suggest that there is room to enhance our current regulatory frameworks that rely on financial penalties, albeit not exclusively. After all, if company management is unable to accurately gauge the risk of a systemic cyber event, it may well decide the fine for non-compliance is a cost that is worth paying.”
A number of sectors are doing some collaboration, he added, citing the work of ITAC — which represents some of the country’s biggest tech companies — and the CIO Strategy Council.
But significant challenges remain, he added.
“What’s more, we need to act quickly and forcefully to deal with them,” he said.
He urged industry groups to work with public sector authorities, including regulatory bodies and intelligence agencies, to design and implement national cyber exercises and penetration tests.
“It’s now time to build exercises that involve multiple economic sectors, to provide a more demanding and realistic test of our economic cybersecurity.
“We need to build mechanisms that will significantly increase the sharing of cyber threat information and cyber defense best practices between public and private sector organizations. This will be particularly important for smaller companies that have fewer resources to dedicate to cybersecurity.
“We should also consider opportunities to build sector-wide cyber defense approaches and systems to protect many companies at a time. These would maximize resilience, rather than having each company solely responsible for its own defenses. Think about how cloud computing companies work to provide specific services for many companies, freeing those smaller firms to concentrate on their core lines of business.”
Billed by ITAC as a cybersecurity update, the meeting also featured an expert panel, all of whom agreed on the need for more threat intelligence and remediation collaboration but pointed out a number of obstacles.
Jack Pagano, regional director of cybersecurity for Cisco Systems Canada, said his firm collaborates with “fierce competitors”, but that collaboration only works if you remove it from the business and focus on the greater good to “help solve the cybersecurity problems we’re all facing.”
But, he added, “the minute the business gets their fingers into it, if you find a threat it becomes a competitive advantage.” Then “you do a press tour and a whole bunch of marketing around it, which defeats the purpose.”
Michelle Mullen, director-general of partnerships and risk mitigation at the federal government’s Canadian Cyber Security Centre, said it’s “really great to talk about collaboration and singing ‘Kumbaya’ when it’s peacetime [meaning there are no cyber attacks] … but when the chips are down and you’re in the middle of an incident we find it’s much harder for anybody to be open and collaborative and sharing of what’s happening to them because of the reputational risk.”
“Ask everyone… to learn to be a good victim and collaborate even through the worst times,” she urged.
Mohammad Qureshi, enterprise chief information officer and chief information security officer for the province of Ontario, noted that the new government has promised to set up a cybersecurity centre of excellence for sharing information. It’s still being worked on.
He also noted that provincial and territorial governments are increasingly talking to each other: once a month provincial CISOs network through a teleconference, and they meet face to face every six months, sharing threat intelligence and experience on which technology solutions work, or don’t work.
Interestingly, no one mentioned the Canadian Cyber Threat Exchange (CCTX), which has created a special pricing model to entice local governments, hospitals and institutions of higher education to join the not-for-profit data exchange and participate in newly set-up private sector discussion forums.
Mullen said that now that the Canadian Cyber Security Centre — which is just over a year old — has a mandate not just to secure federal IT networks but also to work with the private and public sectors, it is increasingly working with the provinces.
But she also said companies should be more willing to call the Centre for help if attacked. The Centre won’t tell the media it is working with a victim firm, nor report it to a regulator, she said. In fact, she added, the Centre requires a letter from the firm requesting help, and in return the firm gets a non-disclosure agreement from the Centre. No incident information is shared without permission.
However, Mullen also said spreading the word about the Centre’s capabilities and knowledge is “my biggest problem.” She’s looking for industry associations, managed service providers and sectoral entities to help reach organizations.
On the other hand, spreading the message about cybersecurity within certain federal departments is still a problem. There are “different viewpoints on how serious this problem really is,” Mullen said, and “all of that continues to shock us” at the Centre.
Ray Boisvert, currently an associate partner at IBM Security and former assistant director of the intelligence directorate of the Canadian Security Intelligence Service (CSIS), said permission for organizations to collaborate is a matter of corporate leadership.