Everyone looks forward to April 1 as a sign that spring will really be here. Gwen Beauchemin, director of the federal government’s Canadian Cyber Incident Response Centre (CCIRC), is looking forward to it even more.
That’s because her budget for the new fiscal year starting on that date will allow her to increase the centre’s staff to 87 from 43, which will help it expand its threat gathering capabilities as well as its threat intelligence services to Canadian organizations.
“We’re very thankful that we’re seeing messages now that the [new Liberal] government would like us to be more forward leaning and outward,” she said in an interview, “so I can only think that will raise awareness and the success of getting that information out to all.”
The centre, part of Public Safety Canada, has 1,200 provincial, municipal and private sector subscribers in the country — largely organizations in critical infrastructure — a number she’d like to substantially increase.
It pulls in over 1 million pieces of spam a day and identifies 300,000 different vulnerabilities. In 2015 it discovered over 87 million new pieces of malware.
The centre categorizes information in four levels based on the Traffic Light Protocol used by 14 countries. Each level carries increased risk to privacy or operations if misused: White (data that can be shared with anyone, like a publicly announced Microsoft bug); Green (information that can be shared only with peers, and not via publicly accessible channels); Amber (shared only with people the centre knows in its trusted community, and only with those who need to know); and Red (limited distribution, unless it’s urgent).
Unlike the U.S., where a wide range of association-led private sector threat information sharing and analysis centres (ISACs) have sprung up, most of CCIRC’s members are organizations.
“We have a variety of partners,” Beauchemin said. “They could be companies that are directly partners with ours — we share information directly with their IT departments — (but) we do have a lot of associations we work with to get information out to their members.”
Nor is the centre picky about its partners, who include non-profits as well as businesses. “Critical to me is, does it affect the fabric of the Canadian Internet?”
The centre’s expansion comes as governments around the world are seeking ways that their cyber intelligence gathering systems can help the private sector protect sensitive systems.
For example, this month the U.S. Department of Homeland Security (DHS) started an Automated Indicator Sharing program with its partners, as obliged under new legislation passed last year. Until now DHS spread unclassified threat information through email and a Web portal to its customers.
The goal is to not only expand the distribution of near real-time threat information but also to free up DHS cybersecurity analysts to focus on more complex problems and threats.
U.S. government officials emphasize this is unclassified and not personally identifiable intel, a touchy subject.
While the private sector welcomes any cyber intelligence it can get, some wonder how much it will help, assuming that Washington — with the multi-billion-dollar budget of the National Security Agency — has more than it wants to share.
“There are major trust issues between the private sector and the (U.S.) government,” Kobi Freedman, CEO of Comilion, which sells a threat information sharing platform organizations can use to build their own networks, said in an interview.
“I would say there’s a lot of skepticism about the fact that until now sharing was mainly done one way — from the private sector to the government. Private companies are saying there is no way they can get meaningful information from the government.”
“Time will tell if DHS will give really meaningful information that we didn’t know until now, or something that will be a real contribution on top of the commercial threat intel companies are already receiving. If they do so that will be a huge step forward to contributing to the security level of the U.S. private sector.”
Few on this side of the border think CCIRC has the vaunted reach of the combined U.S. cyber intelligence community. Still, many think the centre could share more, including Imran Ahmad, a privacy and cyber security lawyer at Cassels Brock in Toronto who is also a member of the Canadian Advanced Technology Alliance’s (CATA) cyber security council.
One problem, he said in an interview, is there are many actors here: CCIRC, the fledgling Canadian Cyber Threat Exchange, university security researchers. Among other things it means there isn’t accurate information on cyber attacks, data breaches, which sectors are targeted and related matters — material that would lead to data-based public policy. CATA has proposed a public-private conference to sort this out.
“We need a framework where we realize that government can provide some help, some structure, and they can be a catalyst in some respect, but they don’t have all the solutions,” he said.
Generally cyber experts here think the big banks and the energy sector are ahead of most other industries in threat sharing — but only among themselves. In the absence of ISACs there are hopes that the recently announced private-sector backed Canadian Cyber Threat Exchange (CCTX) will fill a lot of gaps for small and medium-sized firms.
However, the exchange has yet to hire a CEO and according to Benoit Dupont, national scientific director of the Montreal-based SERENE-RISC cybersecurity education exchange and a CCTX advisor, it isn’t expected to be operational until the fourth quarter.
In the meantime many organizations not in CCIRC rely on quietly sharing threat intel with trusted peers, creating their own sharing platforms or subscribing to commercial threat intel feeds.
Kevvie Fowler, KPMG’s national cyber response leader, cautions that, before subscribing, organizations should ensure a feed relates to the IT products and systems they use, in addition to offering intel on cybercriminals planning or boasting of attacks against them or their industries, or indications an employee is starting to go to bad areas of the Internet.
“It’s very easy to subscribe to a threat intelligence feed where you just put in your email address and it will send you anything relating to cybersecurity,” he warns. “You may get 200 or 300 messages that are broad, not focused on technology, not focused on your industry or your company. That is bad threat intelligence. A lot of times companies get this, and it actually slows them down because they take time to read the information.”
While American ISACs have a lot of visibility in the IT security community, Beauchemin doubts there’s a need for them here, suggesting smaller companies there have a hard time getting in. “In Canada we think what would be best is a multi-sector sharing arrangement …. We have over 1,200 partners that have signed, and we don’t care their size. I would think any solution in this space would be for all companies to share and get the word out.”
“If you look at statistics you can see that CCIRC has shared tremendously with industry,” she adds. “The information we receive and analyze is all done at the non-classified level, so we can share it freely. And we do.” The coming CCTX will be another venue through which the centre’s data can be spread, she adds.
She admits there has been pressure from the private sector for her agency to share more threat information. “And I think it’s a two-way conversation,” she said. “We’re always looking to get information from various points on the Internet in Canada so we can analyze it and get it out, and industry of course is looking for rich information back so we can all have that rich situational awareness.”
Meanwhile, Beauchemin said her priorities this year include helping the CCTX get off the ground, raising her centre’s visibility and improving the country’s cyber resilience.