It’s one thing when a security vendor or consulting firm talks about how increasingly difficult it is to fend off cyber attackers, but when a senior Canadian government official admits things are bad and only going to get worse, it makes one pause.
But that’s what Scott Jones, assistant deputy minister of the Canadian Communications Security Establishment (which is responsible for securing federal government networks), said Thursday at the third International Cyber Risk Management Conference in Toronto.
He said the public and private sectors are going to have to work better together on cyber defence, but also wondered if governments need carrots or sticks to get operators of critical infrastructure to improve their cyber security.
And just as Finance Minister Bill Morneau is preparing to release next fiscal year’s budget, Jones complained Ottawa isn’t spending enough on IT.
“Even in the government of Canada, where we’ve made actual strides (in cyber defence), we still chronically under-invest in IT because we see it only in the cost ledger, we don’t see what it does. So we’re not putting the right investments in to actually run the plant properly.
“We want to cut the cost, we want to cut how much we’re spending on this type of thing because we think, ‘That (IT) is not our business.’ Except it’s needed in everything our organizations do.”
Small wonder, he continued, that nation states spend relatively little on cyber attacks to “disrupt [an adversary] by shaping opinion, by blackmailing, by discrediting, by shaming.”
In an echo of allegations that Russia tried to interfere with the recent U.S. federal election, Jones agreed the goal of some nation state attacks against Western countries is “to fundamentally undermine our confidence in democratic institutions.”
Attribution, he added, is difficult. “Advantage attacker, all the time,” he concluded.
In an interview Jones said it’s not just Ottawa that sees IT as an expense. “I think the entire world sees IT as a cost, and we forget to see what the investment enables, that it allows us to do our business. And we’ve made technology a thing that’s only the domain of magicians, and so people don’t understand and don’t trust it.”
During a panel discussion on lessons learned from cyber attacks in 2016, Jones agreed with others who said the number of attacks aimed at disrupting operations of enterprises or critical infrastructure radically increased last year.
Incident response, Jones added, “is not treating the actual disease we’ve got, which is the cyber platform is essentially insecure, it’s not getting better – in fact it’s getting worse, and the Internet of Things is only going to accelerate that.”
“Somehow we’re going to have to start changing that conversation, changing that incentive and educating folks to ask the right questions, to ask for security features” when buying things.
In addition, “the next thing we’re going to have to work on is how are we going to change the relationship between governments and private sector to actually start addressing this in a holistic way, and I don’t think we have that right yet.”
On protecting critical infrastructure in Canada, Jones said federal and provincial governments are too slow at setting security standards to match the pace of technological change. “So number one we’re going to have to figure out how to co-develop with experts in industry … It means having something that can evolve quickly to face the threat. But we’ve also got to change the approach from security by obscurity … to security by design.”
But, he added, it isn’t clear how to encourage the private sector to do that – by carrots (tax incentives) or sticks (fines).
In the interview he admitted governments have an adversarial relationship with vendors. “We need a legitimate win-win relationship, one where we can talk about what are the right standards, how do we apply to this technology environment that’s going to grow faster than a regulatory environment can keep up. It’s always a challenge. I’m sure we’ll have to take an evolutionary approach and learn as we implement.”
And while he and other panelists sometimes painted a bleak picture of seemingly defenceless organizations and governments, Jones said there’s lots of basic hygiene that can be done. Ottawa has posted 10 tips for departments, many of which the private sector can implement for big effect, he said, such as ensuring all systems are patched.
“Every compromise in 2013 in the (federal) government was because we hadn’t patched our systems,” he said. “That’s no longer the case. Now people (attackers) have to throw very expensive zero-day vulnerabilities to try to compromise the government.”