Just over a year after announcing an updated federal cybersecurity strategy, Ottawa has revealed how it will be implemented.
The action plan for improving the resilience of federal and critical infrastructure includes $10.3 million over five years for special projects created by provincial, territorial and municipal governments, researchers, commercial companies and not-for-profits. Of that total, $2.3 million has been set aside for the next 12 months.
The action plan timetable also suggests a promised cyber certification program for small and medium-sized companies to publicly show they meet minimum security standards could be launched before the end of this year.
Cyber projects looking for federal funding must come under one of three categories:
- Security and Resilience – this includes research and development of new technologies and tools for increasing the security and resilience of Canadian cyber systems, and support for non-federal partners’ implementing actions to better protect their systems and information
- Cyber Innovation – R&D for tools to address threats posed by emerging technologies (like IoT or quantum computing), academic research on trends, training and educational programs to advance cyber security skills and knowledge, and projects to help commercialize new technologies
- Effective Leadership – including projects to increase public awareness of cyber threats, gather data and promote collaboration
Part of the action plan includes cyber funding set out in last spring’s federal budget.
The action plan lays out specific initiatives to realize the strategy set out in June 2018. Briefly, the strategy expands on the first plan set out in 2010 to protect the safety and security of federal networks, critical provincially and privately-owned infrastructure (like utilities, hospitals, banks and telecommunications providers) and encourage cyber security awareness across the country.
Part of the strategy includes expanding the RCMP’s cyber capability into the National Cybercrime Co-ordination Unit (NC3) and merging a number of federal cyber services into the Canadian Centre for Cyber Security. However, those agencies won’t be fully running for some time.
The strategy also promised the creation of a voluntary cyber security certification program for SMEs, similar to ones launched by the U.K. and Australia, to show customers an organization has met basic cyber standards. Accredited third parties — likely consultants — would certify these minimum standards have been met. Those standards, however, first have to be set.
Since the plan was announced, Innovation, Science, and Economic Development Canada (ISED) has been working with the federal Communications Security Establishment (CSE), which secures federal networks, the Standards Council of Canada and private sector accredited certification bodies to work out standards that organizations would have to meet to be certified. The Standards Council would approve the certification bodies.
According to the action plan, the first step of the certification program is the creation of a list of minimum security controls SMEs would have to meet — for example, doing an inventory of hardware and software assets. Those controls were released last April.
The official launch of the cyber certification program should be done this year, the timetable says.
UPDATE: In an interview this morning, Dani Keenan, press secretary to ISED minister Navdeep Bains, said the certification program will be launched “in the very near future.”
A planned national standard for cyber security won’t be announced until sometime next year.
It should be noted that while the action plan outlines particular goals — such as the SME certification program — the dates for deliverables are merely by year. For example, the action plan says sometime this year the government will reveal its international cyber strategy. That would presumably cover Canada’s approach to global rules on Internet governance and cyber warfare.
And even though the strategy was released a year ago, some significant work has yet to be done. The promised Industrial Control System Advisory Committee has yet to be established. According to the timetable, work on that is still in the planning stage although the target date of creating the committee is set for at least the end of this year.
As part of the strategy, Public Safety Canada will deliver a comprehensive risk management approach for the 10 critical infrastructure sectors to enable them to better secure their systems and information. That will include improving the department’s capacity to conduct cybersecurity assessments to help organizations identify vulnerabilities — which will rely on a yet-to-be-created technical network assessment tool. The government also plans to deliver cyber-based exercises for critical infrastructure operators to help them respond to, and recover from, cyber-attacks.