Personal responsibility, not more government regulations, needed to keep Canada cyber-secure, senator says
Editor’s Note: Personal responsibility is a necessary but not sufficient condition for cybersecurity.
From: Vancouver Sun
By Jordan Press
OTTAWA — Canadians and the federal government don’t want more regulations over how we use our mobile and Internet-connected devices all in the name of cyber-security, a high-profile Tory senator says.
Sen. Pamela Wallin, who chairs the Senate’s defence committee, told a room full of security experts Tuesday it was up to businesses to be honest with their customers about cyber-security breaches, and an older generation of Canadians to educate a younger generation who are naïve about their safety from hackers about how to stay safe from cyber-criminals.
And with it easier and cheaper to inflict damage from cyberspace than through conventional arms, it won’t take long for cyber-terrorism to overtake cyber-espionage as a major threat online, she said.
“That’s a whole new paradigm,” Wallin told a security conference Tuesday. “This, as they say, is war.”
In a 30-minute session with attendees to the conference, Wallin said American warnings of a “cyber Pearl Harbor” should be heeded. Hackers were able to take down the government of Estonia’s system five years ago in a two-week long campaign that Wallin called “just a taste of what could happen.”
It was time for Canadians to take some personal responsibility, she said, because too many people don’t follow basic security measures that leave other Canadians vulnerable to hackers.
“This world that we all know and love and use presents unpredictable opportunities for the bad guys,” she said.
Dealing with that threat environment is a challenge for the federal government, with officials telling the auditor general’s office they worried that threats were evolving too quick for the government to keep up. Wallin said every politician and senior bureaucrat tries to keep up with evolving threats, but constant personnel changes within department bureaucracies make it hard for managers to stay on top of departmental cyber-security efforts, she said.
Earlier this year, hackers took down the parliamentary website, and last year hackers using Chinese-based servers infiltrated Treasury Board and Department of Finance servers, although experts suggest they hack was only caught last year and may have been going on for weeks or months. It took more than a week for the latter to be reported to the government’s central cyber-incident monitoring agency.
And when a series of online attacks took down the websites of Quebec government ministries, some departments were so spooked that they pulled the plug on their networks because they were at a loss to defend themselves, said Ray George Chehata, president of Quebec-based cyber-security firm Above Security.
Last week, the auditor general found flaws in the government’s cyber-security strategy, notably that information wasn’t being shared across departments and with the central agency created to evaluate threats and then warn the public and businesses, the Canadian Cyber Incident Reporting Centre. Auditors were also unable to track the majority of the almost $1 billion in one-time and ongoing spending the government approved for cyber-security, only identifying $20.9 million that went to cyber-security.
The incident reporting centre will be open 15 hours a day starting next month, up from the banker’s hours it keeps now. A staffer will still be on call outside business hours, although the auditor general’s report suggested the centre remain open 24 hours a day.
Public Safety Minister Vic Toews defended the government’s actions on cyber-security again on Tuesday, telling the same conference he felt the government had made “exceptional progress in the midst of a rapidly evolving threat environment.”
Canadians should have a better idea of the threat of cyber-crime by the spring. A British-based, independent cyber-security organization announced it was launching a four-month study to put detailed numbers on the scope, nature and price of cyber-crime in Canada.
For the study to be accurate, it will require about 500 businesses across the country and industries to give up information about security efforts and breaches. Many businesses are leery of handing out the information especially to the government, worried that it will be used to turn them into cyber-crime victims.
E-commerce is big business in Canada, with $15 billion in sales happening online. That means cyber-crime is big business too: Canadian banks lose about $2 billion annually to cyber-criminals.
Most large businesses — those that have more than $4 million in revenue — should be able to cover the costs associated with cyber-security, but the same can’t be said of small businesses that are trying to shave costs during a tough economic time and are acting on a “wing and a prayer,” said John Lyon, CEO of the International Cyber Security Protection Alliance, which will conduct the study. Spending on cyber-security, he said, should be about five to eight per cent of IT budget.
For governments, there needs to be one cabinet minister responsible for cyber-security, he said, eliminating “too many people with fingers in the pie.”
“Because technology spreads right across government, and because the threat spreads right across government, and right across our society and our businesses, in my view you need one person who carries the can and has overall responsibility — some great cyber-czar who really has the muscle and prime minister’s backing to take control,” Lyon said.
“It is a mammoth coordination task, but it needs to be done.”