Julie Spallin has security on her mind.
As manager of the recently launched Canadian Cyber Incident Response Centre or CCIRC, Spallin has her work cut out for her.
She and her team at CCIRC (a federal Centre established by Public Safety and Emergency Preparedness Canada) have been tasked with monitoring the cyber threat environment in Canada and coordinating appropriate responses.
A daunting task?
Not to Spallin and her team, who lost no time identifying priorities and pursuing them single-mindedly. Two key CCIRC focus areas are creating the right information exchange mechanisms and fostering close, ongoing collaboration between the private and public sectors.
Spallin spoke to IT World Canada’s Patricia Pickett about how she and her team at CCIRC have gone about accomplishing both.
Why was CCIRC established?
There are a number of things in the Government of Canada’s National Security Policy (released in April 2004) that support what we are doing here. One is the priority of cyber security outlined in the National Policy and another is a more integrated approach to national security as a whole.
In the National Security policy, one commitment is to set up an operations centre to be able to leverage federal capacities in an emergency. That could include hurricanes, SARS, a terrorist attack — and it also includes cyber incidents. In order to effectively provide warnings on cyber threats or coordinate incident response, there needs to be an integrated approach that includes private and public sector interaction. It is important for us to be able to have the mechanisms in place to exchange information on a regular basis, and it is also important that there be no barriers to exchange.
How is the CCIRC different from the former Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP)?
The Department of Public Safety and Emergency Preparedness was announced in December 2003. It brought together various departments and agencies in the Government of Canada and married them with the Solicitor General’s office as well as Canada Customs. Now we have a larger department that takes care of a whole range of public safety related mandates.
Within OCIPEP there was a cyber protection division in the operations section. But CCIRC is more distinct and integrated than that former division.
By distinct, I mean that the centre is now identified separately, rather than just as a division of a certain department. This makes it a focal point. It is clear to everyone what CCIRC is, and that facilitates incident reporting and getting the warnings out, because everyone knows where the warning is coming from.
At the same time, it is more integrated because, as part of the Government Operations Centre, it gives us an opportunity to serve all of the Government of Canada. We can investigate physically based events to see if there are any cyber components and try to manage emergencies in an integrated way. This is an all-hazards approach to security.
A National Emergency Response system is also being developed right now. With certain structures in place, depending on the nature of the event, the system will notify the right people, who will come in and deal with the response to an event. So CCIRC is not the beginning and end of cyber security at all, but it is something that is needed to integrate all these capacities that we have.
Why did the Government of Canada sign up for Microsoft’s Security Cooperation Program (SCP)?
Joining the SCP was a key starting point for us on the objective of integration. Microsoft will be able to give us an early heads-up of any threats, enabling us to analyze the threats and warn critical sectors such as banking, finance, telecommunications and the federal government.
The second big advantage is that if there is an incident involving a Microsoft product, we will have access to a Microsoft representative to talk about how we can manage it. The ability to triage with Microsoft is extremely helpful and we will be aware of how they are handling it on their end.
How was the government notified of security breaches in the past?
If we look specifically at some of the vulnerabilities released, we rarely received advance notice from Microsoft. There might have been a notification from our partners, other people in various sectors, but there was not any direct communication with Microsoft and they did not provide us with vulnerability information in advance of releasing that information publicly. That gave us a short timeline in which to analyze for ourselves what impact the vulnerability could have on critical infrastructure (if exploited), and we had a short time to send out a warning.
How will you initially deliver vulnerability information to critical infrastructure owners and operators?
We have e-mail-based systems to send out warnings, but we also have a callout system that can contact various devices. When there are warnings that need to be addressed very quickly, we can call out to pagers and phones and leave an automated message. This gives us some redundancy (in case e-mail is down).
We also have a Web site, and we are hoping it is a place people can pull information from. It is more targeted toward the home user, the small and medium-sized business, that sort of group of people.
How will you collaborate with Microsoft to respond to emergencies?
There are a couple of ways this will happen. Since we are more of a coordination body as opposed to the individuals on the front line trying to mitigate what is going on, it is essential that we get the information out to those individuals as soon as possible and that we have a discussion about how to proceed. Microsoft will also be trying to reach out to its key clients and talk to them about mitigating measures. If there is redundancy, that is good. The value-add is that we will be able to bring the information together quickly and bring it to the right people.
We will have a teleconference with various jurisdictions in the private sector, during which we will come up with solutions and exchange those solutions. It will be very helpful to have Microsoft at the table if it involves Microsoft products — we will have the information right from the source.