The country’s new consolidated cyber security hub opens today, promising better government co-operation with the private sector on threat analysis and security issues as well as more efficient help to all federal departments.
Perhaps fittingly, the Canadian Cyber Security Centre, announced in the federal budget seven months ago, begins with the start of the annual international Cyber Security Awareness Month.
Among the centre’s mandates is to provide Canadian citizens and businesses with a one-stop place to turn to for cyber security information, both online and in person. It will also be a place where the private sector can come for advice and to test products they want to sell to Ottawa as well as commercially.
“The model we’ve taken for the Cyber Centre is ‘Security through collaboration,’” Scott Jones, who heads the centre, told a parliamentary committee last month. “We don’t have all the expertise in certain fields. We have expertise in threats, cryptography, how to mitigate [risks and attacks]. But, for example, the energy sector brings expertise in their own environment, so we’ve got to work together.”
The CSE — part of the Defence department — is the country’s electronic spy agency, which also protects government communications. Jones is its deputy minister for information security technology.
Cyber security staff and resources from several departments have been transferred to the centre. These include Public Safety Canada’s Canadian Cyber Incident Response Centre (CCIRC) and the Get Cyber Safe public awareness campaign; many functions of the Shared Services Canada’s Security Operations Centre; and the entire IT Security branch of the Communications Security Establishment (CSE), which now has responsibility for the centre. Shared Services Canada is a service which operates datacentres for much of the federal government.
However, for the next 10 months or so the centre will have to run out of their existing offices until a new facility for its staff of 750 is ready next summer. The centre won’t be fully operational until 2020.
That separate facility is needed. “If you come and visit CSE now, we take your technology away because you’re entering a top-secret building,” Jones told MPs. “The cyber centre will not be that way. The physical facility will be a place where people can collaborate, bring their stuff so we can see how it works so we can work together on things.”
While the centre will continue to work with the 10 critical infrastructure sectors identified by the government several years ago (including telecom, financial and manufacturing), which are dominated by large companies, Jones told the committee the centre will also push to improve the knowledge and capabilities of small and medium-sized businesses – in particular, practical things they can do such as making sure software is patched as soon as updates are available.
Overall, he told the committee, the goal is to improve the private sector’s resiliency to sustain a cyber attack.
In many ways the centre is modeled after the two-year-old U.K. National Cyber Security Centre, which – in addition to defensive cyber security responsibilities — pulls together a wide range of papers, reports, advice and alerts on a web site with catchy graphics. NCSC activities to raise cyber security awareness include supporting the study of cyber security in public schools. It also runs the Active Cyber Defence program, which, among other things, gets Internet service providers remove malicious content pretending to be related to U.K. government and certain types of malicious content hosted in the country.
Until today Canada’s current online efforts were somewhat scattered and text-heavy, largely coming under Public Safety Canada’s website, which includes getcybersafe.ca and the site of the Canadian Cyber Security Incident Response Centre (CCSIRC). All of federal cyber security efforts have been folded into the new centre, which should have the advantage of giving CCSIRC – which receives reports of attacks, notifies victims they’ve been hacked and co-ordinates the national response to any serious cyber security incident – more reach.
There’s a new website, cyber.gc.ca, as well as a new Twitter feed from the centre.
“You no longer have to go to multiple government websites to figure out what’s going on on cyber security,” Jones said in an interview today.
For the broad private sector, “over time you’ll see us putting out our advice and guidance in a way that’s not specific to government any more, that’s much more accessible to Canadian industry and business that they can take advantage of.”
Canada’s isn’t the prime target for criminals, nation states or hactivists. Nor, however, is it immune from attack, which is why experts say the country needs a more centralized effort – as much as one can in a federal state – to spread awareness. The centre may also be a place for centralized reporting to fill in sorely-needed data on attacks. Even then, because the federal government’s mandatory data breach reporting regime only starts November 1, it will be a year before fairly solid statistics on the numbers and types of breaches will be available – although only breaches of security safeguards that involve real risk of substantial harm to victims have to be reported.
Much of what is known is collected by security vendors, who have their own methodology. For example, Rapid 7 ranked Canada in the top 10 of nations with computers that have the most unsecured services open to the Internet. In a survey of 421 Canadian IT professionals by Scalar Decisions, 87 per cent of respondents said their organization had suffered at least one data breach in the previous 12 months.
The year was barely a month old before Bell Canada said it had suffered a data breach. In May, the Bank of Montreal and CIBC’s Simplii Financial online bank were apparently stung.
A survey by the federal privacy commissioner last year raised questions about the readiness of Canadian businesses to face a cyber attack. Only four in 10 firms said they have policies or procedures in place in the event of a breach involving customer personal information—a number that remains unchanged since 2015. Just over half of respondents said their company does not have any breach response protocols or procedures in place (eight per cent were uncertain whether or not their business has protocols).
When the federal government announced the creation of the Canadian Centre for Cyber Security one of reasons was to create a single, trusted source of information on cyber security for Canadians and businesses.
Separately, the government is updating and clarifying the mandate of the Communications Security Establishment through Bill C-59, now making its way through the Senate. That bill will give CSE new authority to help defend important private sector networks, and explicitly allow CSE – through the cyber security centre – to share threat information with the private sector. owners of systems outside the government so they can better protect their networks and the information on it.
However, in an interview earlier this year Jones cautioned that he and his staff won’t be giving away secrets of how CSE gathers its threat intelligence.
One of the key priorities of the cyber security centre, Jones told MPs, is not only building trust and credibility with the private sector, but also leaning on them as well as federal departments. “We need to be very vocal about increasing all of our expectations – the private sector, the government – as we look at the security challenges we all face.” Starting to have more open discussions about cyber threats will be part of that, he said. “All too often we concentrate on the threat actor, and not about the threat activity and how to raise that bar.
“The first thing is increasing resilience – Canadian resilience in general is low. We don’t talk about doing the simple things, (but) we’re looking to defend against some of the most sophisticated threats. In reality a few simple things can raise that bar for all of us and make us more immune and resilient – something as simple as patching systems.”
A second priority is ensuring the centre can manage major cyber incidents. “We’ve done a number of exercises over the summer to make sure we’re ready to manage any incident, large or small, national or international in scope within the federal government or private sector to make sure we’re ready to do our part. so on day one we’re ready to provide the federal lead, working with either the victim or other jurisdictions to manage an incident.”
(This story was updated from the original with comments from an interview with Scott Jones this afternoon)