The federal government is failing to protect Canadians from increasingly sophisticated cyber attacks that have already victimized millions, according to a scathing Senate committee report released this morning that calls for the creation of a minister of cyber security.
“To date, Canada has offered only limp responses to this real and rising threat,” said the report issued by the Senate committee on banking, trade and commerce. “The federal government should be leading efforts to make Canadians’ information more secure but there is as yet no single, national standard for cyber security, even when it comes to critical infrastructure.”
In 2017 alone, over 10 million Canadians had their personal information compromised through targeted attacks and — more often — through cyber operations directed against businesses that hold Canadians’ private information, says the executive summary of the report.
“Banking information, Internet activity, social insurance numbers, family photos — this wealth of intimate data is up for grabs by malevolent actors who can steal your life from the other side of the world … Hackers have held hospitals hostage by encrypting their critical systems and demanding money to restore them; a quick glance at news headlines south of the border suggests that sinister groups are trying to use technology to sway elections.”
While the federal privacy commissioner is responsible for protecting and promoting privacy rights, it doesn’t have the power to make companies comply with the Personal Information Protection and Privacy Act (PIPEDA), which protects Canadian consumers, or to impose fines when companies breach that legislation, the report noted. Privacy commissioner Daniel Therrien has long urged Parliament to give him those powers.
The report complains police “are relatively powerless against the relentless and creative onslaught of cyber scams. Royal Canadian Mounted Police officers told the committee that cyber crime continues to be underreported; the many different approaches criminals use also make it difficult for police to develop a coordinated response.
Among the committee’s recommendations:
— all levels of government must prioritize cyber security education as part of the national cyber security strategy. There should be a national cyber literacy program, led by the newly created Canadian Centre for Cyber Security, to educate consumers and businesses about how to protect themselves;
— Ottawa should create a new national centre of excellence in cyber security and expand two existing centres to promote university-level research and encourage Canadians to pursue careers in cyber security-related fields. The centres of excellence should be the Canadian Institute for Cybersecurity at the University of New Brunswick, the Cybersecurity and Privacy Institute at the University of Waterloo, and a third yet to be chosen in Western Canada. They would join the Montreal-based Smart Cybersecurity Network (SERENE-RISC), which already receives funding as a centre of excellence;
— the federal government should modernize PIPEDA, including empowering the Office of the Privacy Commissioner to make orders and impose fines against companies that fail to protect their customers’ information, and to allow information sharing about cyber threats within the private sector and between the private sector, government and relevant international organizations;
— businesses should be given incentives to invest in cyber security improvements, for example, by making these investments tax deductible;
— a new federal minister of cyber security should be created to co-ordinate cyber security efforts across all levels of government. The minister would have responsibility for the new Canadian Centre for Cyber Security — now overseen by the Defence department — and the RCMP’s National Cybercrime Co-ordination Unit;
— Ottawa should create a federal expert task force on cyber security to provide recommendations regarding the national cyber security strategy that would establish Canada as a global leader in cyber security. The government released an update to its national security strategy in June;
— the federal government should develop standards to protect consumers, businesses and governments from threats related to Internet of Things devices;
— it should also develop a consistent set of leading cyber security standards that are harmonized with the highest international standards and would apply to all entities participating in critical infrastructure sectors.
“Governments, businesses and individual Canadians each have a role to play in protecting the country from this cyber scourge,” says the report. “It should keep you up at night.”
In an interview, committee chair Senator Doug Black denied that the report let the private sector off the hook for cyber security by focusing on Ottawa. The report says everyone has a responsibility — from children to the prime minister, he said. “But the problem is so vast and embodies every industry the government has to show leadership. The government has to be the facilitator, and the enforcer, for ensuring the plan we set out is implemented.”
When it was suggested the report puts all the responsibility on the federal government, he said, “That was certainly not our intention. Our intention is to indicate this is a problem that everyone has to take an oar on to try and solve. The private sector alone can’t do it.”
He would like to see the government act quickly on recommendations to improve public education on cyber security, increase the number of cyber security trained people, improve the ability of the public and private sectors to share security-related information and to create a cabinet-level cyber czar.
Black said he was “shocked” to realize last year 10 million Canadians had personal information compromised in cyber attacks. “The problem is broad and deep and needs urgent, urgent attention.”
Asked how the government feels about being accused of failing Canadians, Scott Bardsley, senior communications advisor to Public Safety Minister Ralph Goodale, said in an email, “Our government takes cyber security seriously. We have proceeded in a carefully considered way to put Canada on a better cyber security footing. Our new National Cyber Security Strategy is world class, and replaces the previous government’s plan—which was published before Canadians even had Netflix.”
Security experts were quick to respond to the report. “I consider this report a breath of fresh air in the Canadian cyber security environment,” said David Swan, Alberta-based director of cyber intelligence defence at the Centre for Strategic Cyberspace + Security, an international consultancy. “I note that there are recommendations not just to educate Canadians, including Canadian businesses, but also to ‘provide incentives for businesses, particularly those in critical infrastructure sectors, to improve their cyber security practices’ … Other recommendations identify legislative changes needed in order to develop those programs. This appears to be a more viable and comprehensive policy package than anything released by the political parties.”
As for the proposed cyber security cabinet minister, he hopes it would use existing government resources rather than create a new bureaucracy.
In an emailed statement, Scott Bardsley, senior communications advisor to Public Safety Minister Ralph Goodale, said the report “underlines the urgency of Canada’s new National Cyber Security Strategy. Backed by investments of over half a billion dollars over five years, this new strategy will guide the Government of Canada’s cyber security activities to safeguard Canadians’ digital privacy, security and economy.
“The new Canadian Centre for Cyber Security is our new national authority. It provides a single window for expert advice and services for governments, critical infrastructure operators, the public and the private sector to strengthen their cyber security. Addressing a priority in the report, the Centre will provide enhanced public awareness and education about cyber security.
“Addressing another priority, the new National Cybercrime Co-ordination Unit in the RCMP will support cybercrime investigations between police forces across the country. New investments will bolster the RCMP’s capacity to investigate cyber crimes, and to support domestic and international partners.”
Referring specifically to the recommendations on PIPEDA, Nilani Logeswaran, a spokesperson for Innovation Minister Navdeep Bains, said “our government is committed to making sure that Canadians’ personal information is protected and secure. All private entities operating in Canada are subject to obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA) in managing and protecting Canadians’ data. It was recently strengthened to require businesses to inform affected Canadians when their personal information has been lost or stolen as a result of a data security breach. (Starting Nov. 1) they will also have to report these breaches to the Privacy Commissioner and maintain records of all data breaches for at least two years. Once these regulations are in place, any private organizations failing to comply with them will face severe financial penalties.”
The government is “committed to privacy rules that are clear and enforceable, and that support the level of privacy protection that Canadians expect.”