Canada has had a national strategy to protect critical infrastructure for years and is toughening federal cyber defences, but the president of a major U.S. incident response company says Ottawa isn’t working closely enough with the private sector nor doing enough to educate citizens on security awareness.
“Your government is further behind other governments around the world,” FireEye president Travis Reese said in an interview Tuesday from Toronto, where he was visiting customers. “It seems to me that you need to be doing a better job in terms of bringing in cyber security education and awareness to make sure we’re involving the workforce.
“I think the government’s got to make some additional investments and think about creating the right level of cyber visibility, victim notification programs, how to get the public-private interaction working well.”
He praised the passing of a law compelling organizations that come under federal jurisdiction to report serious data breaches to victims – although Ottawa is still drafting regulations and the law hasn’t come into effect yet – as an example that Canada is “just starting to get serious.”
But, he noted, other countries, including the U.S., have created “very robust national law enforcement capabilities where the government has very sophisticated monitoring across the Internet, and they’re the ones that are detecting a significant amount of the nation-state breaches and have created formal programs to let commercial companies know they’ve been breached.
“Every day the FBI is doing notifications across almost every vertical that organizations have been broken into by the Chinese, the Russians or other places, and provide evidence to those commercial companies. There’s much more formal public-private communications … There’s an evolution I think [Canada] needs to go through where the government needs to get good visibility on to Internet activity from threat actors, and then create a public/private sharing mechanism in a way that makes sure they’re getting the private community to disclose the problems that are occurring so people can’t put their head in the sand” about cyber attacks. “And that’s important because if you want to catch bad guys you have to get government involved. Attribution is the responsibility of government, not commercial organizations.”
And while the federal government is a partner in the fledgling Canadian Cyber Threat Exchange, a commercial intelligence sharing platform, Reese said he’s “not convinced the Canadian government does a whole lot of sharing” with the private sector.
“So I think [Canada] has some work to do.”
Asked for comment, Public Safety Minister Ralph Goodale’s office noted the government is in the middle of updating the national security strategy. “The outcomes of this review will inform policy and program decisions to help make Canada more resilient and secure, improve public education about cybersecurity, and enhance cybersecurity for all Canadians,” the statement said.
There was no indication on when the new strategy will be released.
But Reese also had some critical words for the private sector, saying at a dinner Monday night for financial sector CISOs few were able to say they know who to call in local police departments if they suffer a cyber incident. He also said Canadian companies have to do a better job in expanding the number of infosec workers through internship programs.
Reese also said that while there have been few reports of major cyber security incidents here, Canadians shouldn’t be complacent. FireEye will shortly issue a report on a North American-based ransomware group that has been extorting businesses in this country since 2013.
Reese is in Toronto this week meeting with FireEye customers, including a number of financial institutions. The company, best known for its next-generation firewalls and its Mandiant incident response service, focuses on serving the biggest governments and private sector firms in the world. It has 15 consultants here (52 staff overall), and Reese said that number will expand.
FireEye’s recently issued annual M-Trends report noted most of its customers who had been breached lacked fundamental security controls and capabilities to either prevent breaches or to minimize the damages.
Asked why, Reese said that “it comes down to business risk decisions.” He also blamed the failure of “traditional” anti-virus and firewall vendors and the technology stacks CISOs have built around them. The best defences are a combination of people, process and technologies, he said, including using artificial intelligence and machine learning solutions.
Similarly, he said no amount of security awareness training will completely solve the problem of phishing attacks, the main way organizations are breached. The solution is a combination of training and technology, he said.