Ottawa has to give Canadian banks more pointed direction to improve their ability to withstand cyber attacks, says the country’s former national security advisor.
“Government legislatively has to impose obligations on financial institutions, much in the same way they have done with money laundering,” Richard Fadden told parliament’s Public Safety committee on Wednesday.
For example, he said, to fight money laundering Canadian banks have an obligation to know their customers. (As part of that banks have to preserve financial trails for transactions over $10,000).
Politicians “have to require them to do a variety of things,” Fadden said, without being specific, “whereas now things are done in the self-interest of the financial institutions.”
In an interview he expanded on his testimony, saying financial institutions should have to disclose to regulators any information about cyber attacks or attempted cyber attacks, as well as basic information on the precautions they are taking to resist cyber attacks. This would help regulators rate the effectiveness of defences.
He also said Parliament needs to change the recently-passed data breach notification law to “up significantly” the duty of banks to report data breaches and attempted breaches. The change to the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into effect last November, requires companies under federal jurisdiction to report breaches of security controls to the privacy commissioner if the firm believes it will result in a real risk of serious harm to a person. Some experts complain that leaves too much power in the hands of companies to decide whether they believe an incident will cause serious harm.
The law is “not as fulsome as it might be,” Fadden said. The U.S. and the U.K. have “severe penalties for institutions” for not reporting breaches, he said. “I don’t know how we can deal effectively with breaches if we don’t know when they are occurring.”
Fadden didn’t want to put all the fault on banks. He also said the government needs to empower its cyber security experts to share more of the threat intelligence it knows with the private sector, including banks.
“I don’t think we share enough classified information with the private sector,” he said. “We’ve done better than we did 15 years ago,” he added, but if a government official isn’t authorized to share sensitive information, how can banks order their security staff to work more closely with government?
The U.S. and the U.K. clear people in the private sector to get government classified information, he pointed out.
Last June, when the government released an update to its action plan for critical infrastructure, it promised to work with federal departments to increase the number of private sector officials with secret-level clearance so sensitive threat information can be shared.
Fadden was testifying at an ongoing investigation by the Public Safety and National Security committee into cyber security in the financial sector.
Since January it has heard from 36 witnesses, including the RCMP and the Canadian Bankers Association, and according to a spokesperson for committee chairman John McKay has 20 more on its list. Still, it hopes to have a final report by the time Parliament rises at the end of June for the summer.
The hearings take place in the context of a January statement by Public Safety Minister Ralph Goodale that the government wants to pass a new legislative framework for critical infrastructure so the private sector understands its cyber obligations. This could include setting data protection standards and best practices. The recent federal budget briefly mentioned this.
Also testifying Wednesday was Mark Ryland, director of the office of the chief information officer at Amazon Web Services, a cloud service provider. He said governments over-emphasize the importance of keeping personal data held by companies within national borders. Cloud computing, he said, offers good security, especially if data is encrypted. “There should be flexibility for banks and other institutions as to where they physically place their data, and they should be able to run their workloads around the globe reaching their global customers.”
Earlier witnesses recommended Canada adopt a “sovereign data localization strategy, reinforced by legislative and tax incentives, to require critical data to be retained only in Canadian jurisdictions.”
According to a transcript of his testimony last month, Charles Docherty, assistant general counsel to the Canadian Bankers Association (CBA), told the committee Canadian banks are leaders in cybersecurity and have invested heavily to protect the financial system and the personal information of their customers from cyber-threats.
To foster information sharing the CBA recommended the government consider legislative options such as changes to privacy legislation and the introduction of safe harbour provisions to ensure companies are protected from civil or criminal liability when sharing cyber threat information.
“Protecting against threats from industries or other nations requires a defensive response that is coordinated between the government and the private sector,” Docherty said. “The government can play a pivotal role in coordinating among critical infrastructure partners and other stakeholders, building upon existing efforts to respond to cyber-threats. Establishing clear and streamlined processes among all major stakeholders will enhance Canada’s ability to effectively respond to, and defend against, cyber-threats.”
Under questioning Docherty also denied banks are reluctant to disclose they have been attacked. Under PIPEDA, he said, any firm suffering a breach of its security safeguards has to notify the federal privacy commissioner and impacted people.
That’s not quite accurate. PIPEDA only requires companies to record in their files violations of their security controls — which may not include data breaches. The privacy commissioner can see those files at any time. Companies are only required to notify customers and the privacy commissioner of data breaches of personal information that could result in real risk of serious harm. For its part, the privacy commissioner’s office is not obliged to publicly report every data breach it learns of.
Under new rules set by the Office of the Superintendent of Financial Institutions, federally regulated financial institutions — including insurance companies — do have to report high or critical severity technology or cyber security incidents. That includes “material impact to … operational or customer data.” This document further defines high severity incidents.
In response to an emailed question about whether such reports are made public, an OSFI spokesperson said it must maintain confidentiality in its dealings with federally regulated financial institutions.
Can’t do it alone
In his testimony Fadden also said it’s a serious mistake for Canadian financial institutions — and governments — to think they can master cyber security alone. They need international co-operation, he said, because of the number and skill of adversaries.
These include Russia, China, criminals, extremists, North Korea, Iran and terrorists. Unfortunately, he added, they face a “dysfunctional West, because we’re not fighting them together.” The U.S., Germany, France and the U.K. are focused on domestic issues, he said, leaving Russia and China to “poke and prod in a way they could not do if we were a little bit more together.”
“We need to start re-building those close ties that we had amongst some countries since World War II.”
Otherwise, he added, “we’re really behind the eight-ball.”
Finally, he said many Canadians underestimate the cyber threat because we’re a small country. So he made a request to the MPs for their final report:
“It’s especially important for the committee to make the point the financial sector is threatened by cyber attacks, because I don’t think a lot of people believe that.”
(This article has been changed from the original to include expanded comments from Richard Fadden)