For some time the private sector has complained it isn’t getting enough information from the federal government’s cyber spies when it needs help after a security incident.
But despite promises of working better with the private sector, when Ottawa’s new Canadian Centre for Cyber Security opens, some things will still be met only with a smile.
“Our secrets tend to be the techniques we’re using to defend” and largely won’t be revealed, Scott Jones, assistant deputy minister for information technology security at the Communications Security Establishment (CSE), which protects federal networks and will oversee the centre, said in an interview Thursday.
“And it’s not because the indicators [of compromise] they generate are classified, it’s the technique itself and how we’re detecting and blocking, which would tell our adversaries how to get around our defences.”
Nor will it quietly say what country is behind the attack that just breached your security controls. When it comes to attribution, “I’m encouraging everybody, including the government, to stop asking the question because at the end of the day the effect is the same no matter who it was at the other end. It actually takes a tremendous amount of resources away from the bigger problem [of protecting the network] to figure out who it was.”
What the centre will do is continue to offer as much assistance as it can to help businesses, other levels of government and individuals protect themselves. For businesses, that includes as much threat intelligence information as it can pass on through the Canadian Incident Response Centre (CIRC), which will be folded into the cyber security centre. “On indicators of compromise we’ve been trying to add more context to what we give CCIRC in terms of what we share,” Jones said. Such as “these indicators are related to cyber crime, these to ransomware, here’s what you can do to defend against that.”
Where it can, he added, CSE will share some tools it uses so infosec pros can defend their networks.
For example, last fall it released an open source tool it created called Assemblyline, which can analyze large volumes of questionable files captured from security tools.
The Centre for Cyber Security (CCS) – which Jones hopes will open in the fall – will be a one-stop shop for Internet security information and issues by bringing together infosec capabilities of CSE, CIRC and the security operations centre of Shared Services Canada, which offers a number of IT services across many federal departments. CSE is part of the defence department.
“There will be portals to report an incident as well as where to get advice,” Jones said. Staff will bring in a police force for a criminal investigation when needed. “You won’t figure out which bell to ring. We are going to unify that so it’s one-stop. There’s no wrong call.”
“If you’re a provincial, territory or other level of government, I think we’re looking for the centre to be a federal partner, not in the normal hierarchy that forces [formal] relations … but somewhere where we can collaborate as governments.”
Ottawa also hopes to work with provinces and territories to give small and medium enterprises practical tools for defending their networks and making their businesses more resilient.
Jones also said CSE is increasingly partnering with the private sector and universities on research.
Jones was interviewed on the sidelines of the annual International Cyber Risk Management Conference in Toronto, where he gave a keynote speech.
In it he urged organizations to collaborate on sharing information through industry associations – some of which already have cyber security collaboration tables – workshops, conferences or the CCTX. “We must commit to sharing best practices and techniques as well as cyber threat information across the community … so we can all benefit from what we each see.”
There is already some degree of industry collaboration. Several years ago the federal government identified 10 critical infrastructure sectors (including finance, transportation, energy, food, water, health) and helped set up so-called sector tables where they can exchange information. There’s also a multi-sector forum where different industries can meet together. It isn’t clear how often they meet or what is exchanged.
In a conference panel discussion on public-private sector collaboration, Monik Beauregard, senior assistant deputy minister for national and cyber security at Public Safety Canada, said there is also a national cross-sector forum that includes representatives from the 10 sectors plus the provinces. It meets twice a year, she said, where Ottawa passes on secret threat assessments.
Beauregard admitted that the private sector still has qualms about sharing information about cyber incidents with Ottawa, fearing it might leak out and damage their competitiveness. The government needs to do a lot of work to ensure such information can be passed on anonymously, she said.
Panellist Neil Parmenter, CEO of the Canadian Bankers Association, said his group has concerns that recent changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) could prevent businesses from sharing personally-identifiable information about a possible threat actor with the government.
“The ultimate goal is to make Canada unattractive to malicious cyber actors,” Jones said, “because our community is aware, vigilant and engaged.”