What should Canada’s next cybersecurity strategy look like? The federal government is asking the country how it should harden the private and public sectors against attack. Public services minister Ralph Goodale announced the three-month consultation in late August, after voicing the need for an update.
Items on the government’s agenda include certification schemes for business cybersecurity, best practice frameworks, and fostering better board-level governance around cybersecurity. The government is also mulling a national cybercrime centre to help manage cross-jurisdictional cybercrime investigations, which would join the existing Cyber Incident Response Centre.
Some of the questions for citizens in the associated workbook include how law enforcement can better address cybercrime challenges, and how public and private sector organizations can better protect themselves from cybercrime threats including ransomware and identity theft. The government wants to know whether public expectations for policing in cyberspace differ from those for policing in the physical world.
The consultation is the current government’s first foray into cybersecurity policy, but it isn’t Canada’s first. Back in 2010, then-public safety Minister Vic Toews launched a five-year plan for cybersecurity which included a $90 million budget, along with $18 million in ongoing funding.
That strategy had several key points. The government was to secure its own systems, and would also partner to secure those at a provincial level and in the private sector. It also vowed to help Canadian citizens be more secure online. So how has it done?
Let’s look at the federal government’s efforts to secure its own systems. In 2011, it announced its Shared Services Canada (SSC) centralized IT initiative, which at the time vowed to consolidate over 300 datacentres to fewer than 20, and over 100 different email systems into a single email service. Better security was outlined as a key SSC goal, along with cost savings.
Five years on, the Canadian government is running servers across 485 datacentres, 6200 of which are running obsolete Windows 2003 operating systems and a dozen unsupported operating systems, application servers, web servers and database servers. More than 50% of the servers in its legacy datacentres are past their useful lives, it has admitted. It will take $383.8 million over two years to stabilize critical systems, networks, and storage units, according to its deputy minister for datacentre services, along with another $77.4 million over five years to better protect its networks against various threats.
An Auditor General’s report from February 2016 revealed that SSC “rarely established expectations or provided sufficient information to partners on core elements of security” (partners are the government departments that it was working with to consolidate everything). Where there were draft security standards, it doesn’t appear to have reported internally or externally on how it was meeting those expectations.
“Furthermore, we found that SSC did not perform formal threat and risk assessments or corresponding security assurance activities on the infrastructure supporting mission-critical systems or existing legacy systems transferred from partners,” the report added.
Email consolidation, which was SSC’s other big IT project, was supposed to take three years, completing on 31 March 2015. It has been delayed for over a year, and the eventual project costs are impossible to document, because the agency didn’t include the costs for government departments to do the work. There are 43 such partners, and some have said that the costs hit $7 million or more.
What about efforts on citizen and private sector safety? Australia and the US run online cybercrime reporting services, but in Canada online crime complaints have typically gone directly to private sector companies, which left Canadian police chiefs calling for more coordination between the RCMP and private sector businesses. We have security consultants pressing for better protection for our national infrastructure, and rating us behind the US and western Europe in our cybersecurity efforts.
There have been some upsides. The Digital Privacy Act updated Canada’s PIPEDA private sector privacy law to include data breach notification requirements for businesses. PwC notes in its 2016 Global State of Information Security survey that security budgets in Canada’s private sector are up, and financial losses from security incidents are down. This December, the Canadian Cyber Threat Exchange (CCTX) is scheduled to be fully operational, enabling companies to share cyberthreat information with each other.
Still, it’s pretty clear that Canada has a long way to go when it comes to protecting its citizens (and their public sector data) from attack. Now, everyone has the chance to pitch in and tell the government what needs to be done as it gears up to refresh a six-year-old cybersecurity mandate. Aside from ‘finish what you started’, what would your advice be?