Canadian CISOs are about to get help in defending attacks through something few other nations have — Â a national cyber threat information exchange for small, medium and large enterprises from all sectors.
The Canadian Council of Chief Executives announced this morning that it and a group of major corporations including banks and telcos — some of whom have their own private threat sharing networks — are behind the Canadian Cyber Threat Exchange (CCTX) to help businesses and consumers stay ahead of cyber attacks.
“The idea is to really start sharing information on a very big scale so all participants will be able to access intelligence and threat information from their partners and use this information to protect their systems much better,” said Benoit Dupont, national scientific director of the Montreal-based SERENE-RISC cybersecurity information exchange and a board member of CCTX.
The founding members are: Air Canada, Bell Canada, Canadian National Railway Company, HydroOne, Manulife, Royal Bank of Canada, Telus, TD Bank Group and TransCanada Corporation
The non-profit exchange will be up and running in the first quarter of next year, although all of its capabilities won’t be available until the end of the year. A search for an executive director starts today (see below).
Large companies (and the definition of large hasn’t been settled yet) will be charged $50,000 a year, mid-size firms $20,000 and small firms $5,000, with levels of service tailored to each. Services will include sharing and analysis options including, cyber alerts, an ability to anonymously submit and receive threat information, threat conference calls, participant surveys, membership meetings and educational events.
But full members will be entitled to initiate or participate in Circles of Trust within CCTX and with other exchanges, and have unlimited number of named persons access to CCTX proprietary knowledgebase. Associate members will receive a defined number of named accesses to the knowledgebase.
The goal is to give business, security researchers and government subscribers the ability to share sensitive threat information IT teams can act on and mitigations in a way that only a few big companies such as banks do here. It will also be another place consumers can access to free resources to help identify and guard against cyber threats.
Compared to the U.S., Canada is behind in threat information sharing according to experts.
In the U.S. a number of federal, state, municipal and private sector information sharing and analysis centers (ISACs) have been set up, linked by a national council of ISACs.
Cyber experts here have long called for more threat information sharing, arguing that nation-states and criminals share attack techniques, so governments and the private sector need to share threat information such as new attack vectors and suspicious code they discover. Ideally this will come in the form of machine data that can be plugged directly into security appliances.
Five years ago the former Conservative government began encouraging 10 public and private sectors in critical infrastructure from energy to manufacturing to work together  In 2010 it started work by announcing a national strategy  , followed two years later by an action to start implementing the strategy. The banking and energy sectors have been quickest to start up. As part of the strategy Ottawa created a federal Cyber Incident Response Centre for governments and critical infrastructure firms, which is more a resource than a threat exchange.
But that leaves a large number of Canadian firms out. There’s a lot of ad hoc information sharing, relying on trust between people who know each other. However some organizations won’t share threat information with others for competitive, liability or other reasons. Canadian banks may share with each other, but an IT manager with an insurance firm once told ITWorldCanada.com that the insurance industry isn’t part of the club.
“We need more transparency, more information, and now it’s very fragmented and hard to come by,” said Dupont.
Some may think that threat sharing is only important among organizations with large databases of personal or financial information. But Paul Hanley, national cyber security services leader at KPMG Canada, noted in an interview that cyber thieves often use small companies as entranceways into large firms — as they did in the 2014 Target stores attack.
Hanley also added that joining one exchange shouldn’t be the only source of threat information an organization should rely on.
There are a few unanswered questions about the CCTX, such what platform it will use, how organizations join, how users will be screened (perhaps initially it will be invitation only by trusted people), whether there will be groups within the exchange so participants can limit disclosure to a small number of members rather than to all, protections to ensure someone doesn’t upload malicious — or libelous — material and privacy. However, organizers will undoubtedly look at how similar exchanges have already solved these problems.
CCTX members will likely be warned to be careful about making accusations through the exchange, or releasing threat information that includes personal information. The recently-passed Bill C-13 (the Protecting Canadians from Online Crime Act) gives immunity against prosecution to persons who voluntarily disclose personal information to law enforcement agencies without warrants in certain circumstances. But there’s no blanket protection for the passing of personal information as part of threat information between companies.
There are a few unanswered questions, such as how organizations will be screened before joining, how users will be prevented from uploading malicious — or libelous — material.
Members will likely be warned to be careful about making accusations through the exchange, or releasing threat information that includes personal information. The recently-passed Bill C-13 (the Protecting Canadians from Online Crime Act) gives immunity against prosecution to persons who voluntarily disclose personal information to law enforcement agencies without warrants in certain circumstances. But there’s no blanket protection for the passing of personal information as part of threat information between companies.
As for the executive director being sought to run the CCTX, the organization’s new web site says it is looking for a person with a minimum 10 years of senior management experience in the areas of cyber security, building a business unit from the ground up, marketing, strategic planning and/or financial planning and management and a Canadian government security clearance (or will be able to obtain one).
Organizations interested in joining CCTX can contact info@cctx.ca