Ottawa has released its long-awaited update to its national cyber security strategy, promising to better protect Canadians from cyber crime, to respond to evolving threats, and defend critical government and private sector systems.
“The strategy is the roadmap for Canada’s path forward on cyber security, and is designed to meet the objectives and priorities of Canadians,” Public Safety Minister Ralph Goodale said in releasing the document.
It promises that working with provincial and private sector partners it will improve cyber security in the public and private sectors. In addition, it vows to support advanced research, foster digital innovation and assist in developing cyber skills and knowledge, the federal government will position Canada as a global leader in cyber security.
As part of the effort the government promised to create a recognizable certification for cyber security providers to help small and medium-sized businesses show customers they meet a baseline set of security practices. The idea is participating companies would use a badge or logo for competitive advantage and to promote trust.
The United Kingdom, Australia, and New Zealand already have similar programs.
The Canadian program will be created in consultation with industry, SMEs and potential certification bodies. The department of Innovation, Science and Economic Development (ISED) will be responsible for approving the program, with the Communications Security Establishment (CSE), which oversees security for federal systems, defining a basic set of measures SMEs would have to follow. The Standards Council of Canada will approve certification bodies to assure evaluate SMEs have met the standard.
One model might be Cyber New Brunswick’s Cyber Essentials Canada program, which has been adopted from the U.K.’s Cyber Essentials.
The government says currently SMEs in Canada are not adequately protected against cybersecurity threats. Approximately 71 per cent of data breaches in Canada involve a small or medium-sized business.
Ottawa “will take a leadership role to advance cyber security in Canada and will, in co-ordination with allies, work to shape the international cyber security environment in Canada’s favour,” the strategy document also says.
The strategy is rooted in several decisions already made by the government in its latest budget, including
- creating a new Canadian Centre for Cyber Security, which brings federal cyber resources under one roof to not only better protect federal data networks but also to be a resource for Canadian citizens and businesses to turn to for advice. Scott Jones, assistant deputy minister of IT Security, has just been named to head the centre,;
- creating the National Cybercrime Co-ordination Unit to expand the RCMP’s capacity to investigate cyber crime, The unit will be a central place for residents and businesses to report cyber crime.
In the strategy is rooted in five principles:
- Protect the safety and security of Canadians and our critical infrastructure
- Promote and protect rights and freedoms online
- Encourage cyber security for business, economic growth, and prosperity
- Collaborate and support coordination across jurisdictions and sectors to strengthen Canada’s cyber resilience
- Proactively adapt to changes in the cyber security landscape and the emergence of new technology.
The government still has to create action plans to execute the strategy.
The strategy should also be considered in part with the just-announced update to the federal government’s ongoing action plan for securing critical infrastructure.
Cyber security is increasingly driving innovation and economic activity in Canada, the strategy notes. It already contributes $1.7 billion to Canada’s GDP and consists of over 11,000 jobs. “With the global cyber security industry forecasted to grow by 66 per cent by 2021, thousands of additional jobs could be created for Canadians in the years ahead. Governments, academia, and members of the private sector can work together to create new opportunities, drive investment, and foster leading-edge research and development.”
By supporting advanced research, fostering digital innovation, and developing cyber skills and knowledge, the federal government will position Canada as a global leader in cyber security, the strategy vows.
“The Government of Canada will work with partners to drive investment and foster cyber research and development. The government will focus on emerging areas of Canadian excellence, such as quantum computing and blockchain technologies. The federal government is already making progress in this regard, with Budget 2017 announcing the creation of a Pan-Canadian Artificial Intelligence Strategy for research and talent.
Together, we will explore initiatives to ensure that Canadian companies can bring their products to a global market. The Government will explore initiatives to drive domestic demand for cyber security technologies and services.”
Ottawa will also explore new ideas for making businesses and Canadians more cyber secure, the document says, in part by programs such as such as coding education for kids.
“The federal government is aiming for national cyber security excellence. Reaching this target will involve enhancing and growing cyber security capabilities in government and industry. It will entail supporting Canada’s leading-edge research and development, as well as the range of organizations and businesses that do not have strong cyber security measures in place. Private sector leaders will have a central role to play, as a collaborative effort is needed to ensure that all Canadians are as equipped as possible to prevent and respond to cyber threats.”
Industry comment
In a statement Byron Holland, CEO of the Canadian Internet Registry Authority (CIRA), said the agency is pleased the strategy focuses not just on institutions but on businesses. “Small and medium-sized Canadian businesses are the backbone of our economy but are also the most vulnerable. Providing these businesses with cybersecurity strategies and resources is essential to holding back the tide of cyber threats.”
Christian Leuprecht, a member of the faculty at Queen’s University’s school of policy studies and Royal Military College, noted the strategy talks about “security and prosperity.” That means the government recognizes that an innovation strategy and a cybers security strategy go hand-in-hand. “You can’t generate investment in the digital economy if the resulting research, IP, and profits are not effectively protected from those who want to steal it,” he said in an email. There’s also recognition that the government will help the private sector with resilance, but not do it for them.
“So, this isn’t just old wine in new bottles; this strategy really articulates a vision that is new and different from its antecedent strategy. However, much work from that strategy remains to be done … It will take a lot more than a strategy to bring this vision to fruition.” But, he added, “the government is sending all the right signals.”
Leuprecht was also pleased with the promise of a cyber security certification program for SMEs. On the other hand, he added, “once again Canada is a follower, not a leader: Austraila, New Zealand and the U.K. are well ahead of us on this.”
On the other hand, the Council of Canadian Innovators, which represents a number of young companies, wasn’t happy with the strategy. “It’s disappointing to see lack of commitment to build Canada’s cyber sector,” executive director Benjamin Bergin said in a statement, noting there is no assurance about federal procurement of products and services from Canadian cyber security companies. “Cyber is the fastest growing ICT sector in the world,” Bergin said, “and domestic innovators present an opportunity for our government to grow our economy and deploy world-class technology solutions for protecting Canada’s digital borders. “Canadian cyber innovators hope the new Canadian Centre for Cyber Security will provide an opportunity for our members to work closely with the government and together advance both our national security and prosperity.”
David Swan, Alberta-based director of cyber Intelligence for the Centre for Strategic Cyberspace and Security, called the strategy “a carefully crafted ‘nothing-burger'” that lacks detail.
“Although it elaborates on the elements mentioned in the budget, we really do not have any real detail on the implementation of the strategy,” said Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada. “There was mention of a series of action plans that would come on the back of the strategy and provide metrics for progress on some of the elements of the strategy. We would really need to wait and see what that entails.”
“The concepts within the strategy are generic but accurate. The cyber security framework is also accurate.” But, he added, there is no commitment to either a process or an action that federal bureaucrats, who have to execute the strategy, can rely on.
Not only does there need to be an action plan for the strategy, he said, the government has yet to introduce legislation to carry out the planned changes in announced in February’s budget, including changes to create the new Canadian Centre for Cyber Security and the National Cybercrime Co-ordination Unit.
The Information Technology Association of Canada (ITAC), which represents many of the big tech companies in the country, said the strategy document “is an important step forward for our nation. However, the continued lack of details is discouraging.”
It likes the consolidation of federal resources as previously announced into the Canadian Centre for Cyber Security. And, it notes, ITAC has previously for a cyber certification program for SMBs. However, the statement added, a certification program would require an increase in Canadian cyber talent capacity – which is already in limited supply. “Today’s announcement provided few details on the government’s proposed approach” to certification and to increasing jobs. “It is our hope that these areas are addressed in future announcements.”
Benoit Dupont, scientific director of the Montreal-based Serene-Risc cyber security educaion network, said the fact that Goodale also made the announcement with the defence and innovation ministers sends a message that the government’s strong ministries are involved in cyber security. The fledgling cyber certification program “could have a massive impact” on small and mid-sized busineses, he added, along with the resources available to SMBs through the Canadian Centre for Cyber Security. But like others he noted there were few implementation details in the stratgy. He looks forward to seeing an action plan.
David Masson, manager of the Canadian division of security vendor Darktrace, said the new strategy “makes it clear that cyber security has been brought to the forefront of policy makers and citizens alike. In the last year we’ve seen cyber-attacks become more frequent and sophisticated with the growing scope and seriousness of attacks worldwide making the threat more lethal than ever before. However, organizations across Canada have turned to AI and machine learning, ensuring our nation’s cyber talent, innovation and cyber defense on a government, business and citizen level will continue to prosper into this digital age.”