ORILLIA, Ont. — With stretched budgets and small IT departments, many municipalities have trouble deciding whether the hardware, software, cloud services and mobile apps they want to buy actually meet their security needs.
But one infosec pro says municipalities should be able to share their security assessments of these products with each other without getting sued by vendors for possibly violating non-disclosure agreements.
James McCloskey, manager of network and information security for the city of London, Ont., made the pitch Tuesday at the annual security conference of MISA Ontario, the Ontario chapter of the Municipal Information Systems Association. MISA members are IT pros who work for municipalities.
“The idea is to enable as much sharing as possible so we maximize the value to taxpayers in not re-testing things and really use the [IT] community to drive better performance from vendors generally,” he said in an interview.
A vendor wouldn’t be able to avoid municipalities that give unfavourable security assessments and sell to others who don’t know about the weaknesses, he added.
McCloskey put the issue into perspective when describing a security assessment toolkit his department created with the help of the consulting firm MNP LLP. It combines the Center for Internet Security (CIS) Critical Security Controls, the OWASP Application Security Verification Standard (ASVS) and penetration testing to produce a score of the security capabilities of cloud applications and services.
Of the 31 solutions tested, many met the IT department’s security standard outright, while some cleared the bar only with compensating mitigations in place. Of those that failed, a good many were still approved for a variety of reasons (for example, they were already in use and the city had spent a good deal of money on them).
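The article describes the toolkit's outcomes (pass, pass with mitigations, fail, and fail-but-approved) without giving its scoring rules. The following is an added illustration of how such a tiered decision can be made explicit and repeatable; it is not the City of London or MNP toolkit, and the framework weights, the 85-point threshold, the half-credit rule for mitigated findings, the control references and the vendor data are all constructed assumptions for the example.

```python
"""Illustrative vendor security assessment scoring.

Added example, not the toolkit described in the article. Assumptions:
each finding comes from one of three evidence sources (CIS Controls,
OWASP ASVS, penetration test), carries a severity, and may have a
compensating mitigation. The weights and thresholds are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Severity(Enum):
    LOW = 1
    MEDIUM = 3
    HIGH = 7
    CRITICAL = 15


# Hypothetical weights: a demonstrated pentest finding outweighs a
# paper-based control gap of the same severity.
FRAMEWORK_WEIGHT = {"CIS": 1.0, "ASVS": 1.0, "PENTEST": 1.5}
PASS_THRESHOLD = 85.0      # hypothetical bar: score >= 85 meets the standard
MITIGATED_CREDIT = 0.5     # a compensating control halves a finding's deduction


@dataclass
class Finding:
    framework: str                    # "CIS", "ASVS" or "PENTEST"
    ref: str                          # control or finding reference (constructed)
    severity: Severity
    mitigation: Optional[str] = None  # compensating control, if one exists


@dataclass
class Decision:
    score: float
    outcome: str                      # pass | pass-with-mitigations | fail | fail-accepted
    open_findings: List[str] = field(default_factory=list)
    rationale: Optional[str] = None   # local risk-acceptance reason, kept internal


def deduction(f: Finding, apply_mitigations: bool) -> float:
    d = f.severity.value * FRAMEWORK_WEIGHT[f.framework]
    return d * MITIGATED_CREDIT if (apply_mitigations and f.mitigation) else d


def score(findings: List[Finding], apply_mitigations: bool) -> float:
    """Start at 100 and subtract weighted deductions, floored at 0."""
    total = sum(deduction(f, apply_mitigations) for f in findings)
    return max(0.0, 100.0 - total)


def evaluate(findings: List[Finding], risk_acceptance: Optional[str] = None) -> Decision:
    """Tiered decision: pass on raw score, else pass if mitigations lift the
    score over the bar, else fail unless the municipality explicitly accepts
    the risk (the 'already bought and deployed' case from the article)."""
    raw = score(findings, apply_mitigations=False)
    mitigated = score(findings, apply_mitigations=True)
    open_refs = [f.ref for f in findings if not f.mitigation]
    # An unmitigated critical finding can never be scored past: it must be
    # fixed, compensated, or explicitly risk-accepted.
    blocked = any(f.severity is Severity.CRITICAL and not f.mitigation for f in findings)

    if raw >= PASS_THRESHOLD and not blocked:
        return Decision(raw, "pass", open_refs)
    if mitigated >= PASS_THRESHOLD and not blocked:
        return Decision(mitigated, "pass-with-mitigations", open_refs)
    if risk_acceptance:
        return Decision(mitigated, "fail-accepted", open_refs, risk_acceptance)
    return Decision(mitigated, "fail", open_refs)


def share_record(vendor: str, d: Decision) -> Dict[str, object]:
    """What another municipality would need: the product's posture, not the
    local budget or contract reason it was approved anyway."""
    return {
        "vendor": vendor,
        "score": d.score,
        "outcome": "fail" if d.outcome == "fail-accepted" else d.outcome,
        "open_findings": list(d.open_findings),
    }


# Constructed sample data for three hypothetical products.
SAMPLE: Dict[str, List[Finding]] = {
    "vendor-a": [Finding("CIS", "CIS 5.2", Severity.LOW),
                 Finding("ASVS", "V2.1.1", Severity.MEDIUM)],
    "vendor-b": [Finding("PENTEST", "PT-001", Severity.HIGH, "WAF rule blocks the payload"),
                 Finding("ASVS", "V3.4.1", Severity.MEDIUM, "Session timeout enforced at SSO proxy"),
                 Finding("CIS", "CIS 8.2", Severity.MEDIUM)],
    "vendor-c": [Finding("PENTEST", "PT-002", Severity.CRITICAL),
                 Finding("ASVS", "V4.1.1", Severity.HIGH)],
}

if __name__ == "__main__":
    for name, findings in SAMPLE.items():
        d = evaluate(findings)
        print(name, d.outcome, d.score, d.open_findings)
    print(share_record("vendor-c", evaluate(SAMPLE["vendor-c"],
                                            risk_acceptance="already deployed; sunk cost")))
```

The split between `evaluate` and `share_record` is the point worth keeping whatever weights you choose: the reason a municipality approves a failing product (sunk cost, an existing contract) is a local risk decision, while the score and open findings are the vendor's posture, and only the latter is what another municipality should receive.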
Sharing of security assessments could be done on a secure federal or provincial platform, McCloskey argued, through MISA or even a bug bounty platform.
However, for legal and other reasons, sharing would need some protection from senior levels of government. For example, Ottawa could designate IT products sold to municipalities as protected national security products, as it does for products bought by power plants or water treatment facilities. Utilities in Canada, the U.S. and the E.U. are allowed to share their assessments of such products confidentially. Municipalities should get similar protection, McCloskey argued, because everyone lives in a village, town or city.
McCloskey admits that many vendors aren’t initially enthused about his idea. “It’s a mixed bag. There are some that are very enthusiastic because they want to get better, and know they’re not where they should be. But knowing it could be a competitive differentiator is good in their minds. There are others that are less enthusiastic, but I think it’s a question of making the economic argument more clear to them that it costs us as municipalities and taxpayers when their products aren’t secure.”
When he makes that argument most vendors are persuaded, he said.
Meanwhile, McCloskey urged conference attendees to tell MISA and the Canadian Centre for Cyber Security – the federal centre of excellence, which runs a federal/provincial/municipal partnership program – that they are interested in the idea.