Ottawa is determined the two new cyber security agencies announced in the recent federal budget will work closer with business than in the past, the parliamentary secretary to the Public Safety Minister told a cyber security conference on Wednesday.
Addressing the annual International Cyber Risk Management Conference in Toronto, Mark Holland also disclosed that the new federal breach notification regulations will be announced April 18. The government last month quietly announced the regs will come into effect. Nov. 1.
And he seemed to hint the government will appoint someone to lead in some way it’s yet to be announced updated national cyber security strategy.
Twice when talking about how the government will spend $236 million of the roughly $500 million in new spending on cyber security announced in the budget Holland said “leadership” will be a focus. Cyber security touches more than the federal government and the business sector, he said.
“Right now there’s nobody quarterbacking that,” and suggested its something the government will remedy.
While an announcement on exactly how that $236 million over five years will be spent is “imminent,” Holland said in part it will go to helping in “resiliency and protecting the public and private critical infrastructure protection for critical systems … We also want to use it for innovation: (Cyber security) can be a driver of economic activity, and for leadership and how we can use that technology and making sure we’re adaptive as the environment changes.”
Before the new budget responsibility for various facets of cyber security was scattered among eight departments, Holland said. The budget says the government wants to do some consolidation.
The RCMP, which reports to the Solicitor-General, will get a new National Cyber Crime Co-ordination Unit (NC3), a central place where people and business can report cyber incidents; The Communications Security Establishment (CSE), which secures government networks and which reports to the Defence department, gets the new Canadian Centre for Cyber Security. As part of that it pulls from Public Safety Canada the Canadian Incident Response Centre. The new cyber security centre will be a source of information and intelligence for business.
Public Safety Canada retains cyber policy-making responsibility, but it is also responsible for crime prevention, border security and emergency preparedness.
If a new “quarterback” is appointed he or she could be a cyber security czar to whom other departments report.
Note also in 2014 the U.K. appointed a small and medium business cyber czar to help those sectors.
In explaining why $500 million was dedicated to cyber security and the creation of the two new agencies, Holland said “we recognized on cyber crime we were way behind” Canada’s partners in the Five Eyes intelligence network, the U.S., the U.K., Australia and New Zealand. “So this will bring us up to speed.”
The NC3 will be a hub for reporting cyber crime, creating a database of incidents and co-ordinating criminal cyber investigations from various police departments, Holland said. Meanwhile, the Cyber Security Centre will be a source to the public and business on intelligence on threats.
And those agencies will work more closely with the business sector on what it knows about cyber threats than it has in the past, he promised, even though it will mean “a major cultural shift in government.”
“Learning how to interact with the private sector in a way that protects data and information but expands the reach of our actions is a paradigm shift,” he said. “There will be very clear directives on the need to interact and share data where appropriate.”
“The good news is … there’s a profound understanding that needs to occur.” The government “has to proclaim loudly and clearly to public, to business and to its departments that is what we must do,” he added. — and if co-operation isn’t being done effectively it will be corrected.
What the government will demand of the private sector in the upcoming national cyber security strategy has yet to be revealed. But in answer to a question from the audience Holland promised that no obligations will be imposed without industry consultation. “Dropping that on you would be inappropriate.”
In an interview, Holland said an announcement on the new cyber security strategy will be made “very soon.”
As for when the new NC3 and Cyber Security Centre will be operational, he wouldn’t give a date. “It’s going to take a while for it to be actualized … It’s going to take a little while to staff it up.”