Public Safety Canada will help create “a community of critical infrastructure cyber security experts” as part of its ongoing effort to improve the protection and resilience of the country’s vital sectors, including the financial, telecommunications and energy industries.
That’s one of 33 goals set to be reached over the next three years in the latest update of the federal government’s ongoing action plan for securing critical infrastructure.
Released last week, the action plan for 2018-2020 is the third of a series for implementing Ottawa’s 2010 national critical infrastructure strategy.
The deepening convergence of cyber and physical threats, terrorism and the effects of climate change are the three main hazards that could impact the risk profile of Canada’s 10 critical infrastructure sectors, says the updated plan.
Among the goals for the next three years, Public Safety Canada is charged with strengthening partnerships in the area of cyber security “by leading the creation of a community of critical infrastructure cyber security experts.” The plan suggests this will be done within the next 12 months. However, the action plan gives no detail about how open this community will be, whether membership will be limited or how the experts will communicate.
Among the possibilities is creating a dedicated section within the Critical Infrastructure Information Gateway, a federally-run bilingual portal where industries share unclassified information, or using the Canadian Cyber Threat Exchange (CCTX), a non-profit site where infosec pros share threat data.
Public Safety Canada didn’t reply to a question on what it has in mind.
The online world poses a two-edged sword, the updated action plan notes. On the one hand, the growth of connected public services, automation, artificial intelligence, and the multiplication of internet-connected devices have great potential for improving critical infrastructure sectors and Canada’s economy. These technologies enable faster analytics and assist in running systems more effectively, it says.
“However, the increased reliance of organizations on cyber systems and technologies creates exposure to new risks that could produce significant physical consequences. ICS (industrial control systems) are at the intersection of the cyber and physical security domains. These systems, many of which were developed prior to the internet era, are used in a variety of critical applications, including within the energy and utilities, transportation, health, manufacturing, food and water sectors. For a variety of reasons, including efforts to minimize costs and increase efficiencies, these systems are increasingly connected to the internet, which can result in exposure to more advanced threats than those considered at the time of their design.”
A spokesperson for Public Safety Canada said cyber security-related goals include training on how to protect key industrial control systems and convening stakeholders to share their knowledge and experience in mitigating cyber threats. More broadly, he added, the government has also demonstrated a commitment to improving cyber security by proposing significant new spending in the recent federal budget.
Briefly, this new action plan calls for all levels of government and industry to continue working together and share information to strengthen the 10 critical infrastructure sectors: Government, finance, water, energy, transportation, health, food, safety, manufacturing, and the information and communications industries.
One of the main goals is to strengthen the resilience of these sectors to attacks or failures. As part of that there are quiet cross-sector exercises to strengthen preparedness and response.
A lot of this action plan looks like the last one, which covered 2014-2017.
The latest action plan lists a number of deliverables for the next three years. In addition to creating the network of cyber security experts, arguably the most important are:
— working with federal departments to increase the number of private sector officials with secret-level clearance so sensitive government information can be shared;
— the modernization of Public Safety Canada’s Critical Infrastructure Information Gateway, a private bilingual portal where industries can share unclassified information. The department will also work to expand wider regional and sectoral use of the portal;
— a promise from Public Safety Canada to develop and implement an outreach strategy for key resilience enhancement programs. One of those is the Regional Resilience Assessment Program (RRAP), which includes free assessments to help organizations measure and improve their resilience to all hazards in Canada, such as cyber threats, accidental or intentional man-made events, and natural catastrophes. One aim of the updated action plan is to find ways to better deliver these assessments;
— the creation of an implementation work plan by the Federal/Provincial/Territorial Critical Infrastructure Working Group, which has representatives from those levels of government;
— and a review by Ottawa of the 2010 national strategy to see if it needs to be updated.
Broadly, many of these deliverables involve talking and honing activities already underway. And there are a lot of groups for talking: there’s the National Cross Sector Forum (NCSF) on Critical Infrastructure, a group of leaders from the 10 critical infrastructure sectors advising governments; the Multi-Sector Networks, voluntary information sharing groups with representatives from companies or associations; the Federal/Provincial/Territorial Critical Infrastructure Working Group, which has representatives from those levels of government; and the Lead Federal Department Critical Infrastructure Network, a group of eight federal departments whose responsibilities cover critical infrastructure.
Christian Leuprecht, a member of the faculty at Queen’s University’s school of policy studies and Munk senior fellow at the Macdonald Laurier Institute, said it’s actually positive that many in government and industry talk to one another on this issue.
On the other hand, “the fact that they’re talking is a signal that there are a lot of unresolved issues that remain to be worked out … That should be a red flag that we still have a lot of heavy lifting to do from 2010.”
Interviewed from Australia, where he’s on leave from Queen’s with a group doing research into international cyber crime and threats to infrastructure, Leuprecht complained the Trudeau government isn’t moving fast enough on the critical infrastructure and cyber security files. “When the government started its cyber security and innovation review [in 2016] my comment to was ‘Why don’t we actually get the things done what we decided in 2010 that we need to do, because 80 per cent of that still hasn’t been done.’”
There’s been progress since, he said, but he still figures two-thirds of the 2010 strategy has yet to be fulfilled.
‘We do a mediocre job’
“Overall, we do a pretty mediocre effort at protecting our critical infrastructure,” he said. He admitted part of the problem is much of this infrastructure – energy pipelines, hospitals, manufacturing and telecommunications, for example – is in the private sector. “For them, security is a cost, and there’s lots of debate about whether and how we can do this [security] different – does the government put money in, tax credits … We all have a good idea of what needs to be done, the challenge is how do we actually get it done?”
The good thing about the latest action plan update is Ottawa apparently recognizes this, Leuprecht said, which seems to be why the update has few new goals. He approves of the plan’s call for more federal efforts on information sharing, including working on more security clearances with other levels of government and the private sector.
Kevin Quigley, director of the MacEachen Institute for public policy and governance at Dalhousie University, liked the new action plan’s attention to the regional resiliency programs (RRAPs). “I think they need to increase participation in those RRAPs, specifically among Canadian organizations, because some of the data relies on U.S. organizations,” he said.
Critical infrastructure organizations also need to think about what is an appropriate level of public accountability and transparency – in other words, telling the public their true ability to withstand a crisis. “I think that’s a hard one in this field because security is something organizations don’t necessarily like to talk about publicly and you don’t want to empower bad guys with information about vulnerabilities. By the same token, it’s public money and we all have an interest in the state of critical infrastructure, so we must have some level of transparency, whether it’s at a central or regional level, some sort of disclosure around the state of resiliency of the infrastructure.”
While the action plan talks about a partnership between the public and private sectors on securing infrastructure, he noted it leaves the organizations to decide their risk profile.
Quigley did point out that the plan does say the Public Safety department will look at tracking progress on the promised activities. That’s important. “From a public accountability standpoint we need to see what are the goals, how do we know what success looks like in this highly fluid environment?”
Jeremy Littlewood, associate director of the infrastructure and international security program at Carleton University’s school of international affairs, made a similar point, although in a tougher way. What’s missing in the action plan, he said, is a declaration to the sectors, ‘These are the expectations and you are responsible for doing it.’ The plan “doesn’t really have much in terms of concrete measurable deliverables that tell us [the public], ‘We will increase reliance by a certain amount.’”
“It’s hard to put simple metrics on resilience,” he admitted, “but it could be useful to at least provide some statement that, ‘When we first developed the plan we were at this level, this is where we are and this is where we are going, and this is how we will identify whether or not we are moving in that direction.’”
Littlewood said it’s difficult to look at the plan and not think, “‘this process. What’s actually happening? How are you going to demonstrate to me that things have actually changed?’”