The federal government should follow Washington’s lead and create an advisory committee of experts on national cybersecurity — announced yesterday — including both the public and private sector, says a security lawyer.
“I do believe that Canada would benefit from a similar setup where the Minister of Public Safety, the Minister of Defence and the Prime Minister could get input and recommendations from a panel made up of experts/stakeholders from the private, public, law enforcement and academic sectors,” Imran Ahmad of the firm Cassels Brock, who also sits on the advisory board of the Canadian Advanced Technologies Alliance’s (CATA) Cyber Security Council, said in an interview.
Ottawa “would benefit from a holistic view on cybersecurity threats to Canada that are affecting Canadians on a daily basis and that go beyond a narrow national security lens.
His view was echoed by Kevin Wennekes, CATA’s chief business officer, who said creating a public-private sector advisory committee is “long overdue,” he said. The security industry “is the the first to know of the threats,” he said.
Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada, said such a commission could be a good idea here. But he added, it wouldn’t be as easy as in the U.S. or Britain, where the public and private sectors are closer. Before coming to Canada Kabilan helped develop the U.K.’s National Counter Terrorism Strategy and has worked on security with other allies and knows how this country compares. “We haven’t even broken the ground to enable looking at the potential for something like that, because those relationships and the ability of the private sector to be a part of all of these discussions and part of the input into policy and decisions in the security sphere is not quite as well developed in Canada.”
There’s still a “huge reluctance” by both the public and private sectors in this country to share cyber threat information with information, he said — the private sector worrying that certain information (like a data breach) will get into the hands of competitors, while Ottawa worries about passing on classified information.
If that communications were better, he added, a U.S.-style commission might not be necessary.
On Wednesday President Barak Obama announced 12 members of the blue-ribbon commission, including vice-chair Sam Palmisano, former CEO of IBM, Microsoft vice-president of research Peter Lee, MasterCard CEO Ajay Banga, and Joe Sullivan, CSO of Uber and former CSO of Facebook. They will hold their first meeting today, with a goal or reporting back to the president by the beginning of December.
According to the White House, they are charged with recommending “bold, actionable steps that the government, private sector, and the nation as a whole can take to bolster cybersecurity in today’s digital world.”
“My sense is the (Canadian) government takes a narrow view when it comes to cybersecurity, focusing only on the security aspect of things,” Ahmad said. “I think there has to be a broader discussion — the effect on Canadian businesses, the effect on organizations, hospitals, not-for-profits and the like. These are important things to consider, and I think there needs to be a forum.”
A Canadian committee should also include provincial representatives who could discuss cyber gaps between governments, he said. He noted the U.S. commission has broad representation, from the head of MasterCard to a former director of the National Security Agency (see list below).
Obama announced the intention to create the committee in February following the discovery last year of the huge data breach at the Office of Personnel Management, which oversees much of the U.S. public service hiring. Background records of an estimated 21.5 million current and former federal employees including the fingerprints of 5.6 million individuals — were stolen in a breach that started in 2014. On top of that a second attack went after millions of records of Americans who applied for security clearance.
OPM director Katherine Archuleta resigned over the incidents.
Asked this morning about the possibility of creating a similar commission here, Scott Bardsley, press secretary to Public Safety Minister Ralph Goodale, noted Goodale was directed by Prime Minister Justin Trudeau to lead a review of existing measures to protect Canadians and the country’s critical infrastructure from cyber-threats.
Canada has not been immune from cyber attacks. In 2011 the Finance department and Treasury Boards were attacked. The National Research Council admitted in 2014 it had been hacked . Last December federal privacy commissioner Daniel Therrien reported there were a record number of privacy violations in 2015, although most were accidental.
The U.S. commission members include
- Tom Donilon, former assistant to the President and National Security Advisor (Chair)
- Sam Palmisano, former CEO of IBM (Vice Chair)
- General Keith Alexander, CEO of IronNet Cybersecurity, former Director of the National Security Agency and former Commander of U.S. Cyber Command
- Annie Antón, professor and chair of the School of Interactive Computing at Georgia Tech.
- Ajay Banga, CEO of MasterCard
- Steven Chabinsky, Chief Risk Officer of CrowdStrike
- Patrick Gallagher, Chancellor of the University of Pittsburgh and former Director of the National Institute of Standards and Technology
- Peter Lee, corporate vice-president of Microsoft Research
- Herbert Lin, senior research scholar for Cyber Policy and Security at the Stanford Center for International Security and Co-operation and Research Fellow at the Hoover Institution
- Heather Murren, former member of the Financial Crisis Inquiry Commission and co-founder of the Nevada Cancer Institute
- Joe Sullivan, Chief Security Officer of Uber and former Chief Security Officer of Facebook
- Maggie Wilderotter, executive chairman of Frontier Communications.
The committee has been told to make detailed recommendations on actions that can be taken over the next decade to enhance cybersecurity awareness and protections throughout the private sector and at all levels of government, to protect privacy, to ensure public safety and economic and national security, and to empower Americans to take better control of their digital security.
One problem it faces is that a new administration and Congress will take office next January, a month after the committee reports. There’s no assurance the recommendations will be acted on.
Do you think Canada should create a similar commission? Let us know in the Comments section below