From: Ottawa Citizen

CSIS paper proposes helping protect critical infrastructure

By Jordan Press

The federal government should consider subsidizing IT security for businesses across the country in the name of national security, suggests a research paper from Canada’s spy agency.

The paper, written for the Canadian Security Intelligence Service in March and posted online recently, suggests that to secure the networks running the country’s critical infrastructure, such as electricity grids and transport systems, the government could provide cash to companies to help them harden their defences against cyber-attacks.

Public Safety Canada internal documents show that some companies may be skimping on cyber-security, finding the cost to protect their systems too high to afford.

Because of that, a hacker who breaches computers at a company could gain access to personal information of customers, and piggyback his or her attacks to other computers and devices, leaving more than just one company at risk.

The CSIS report reaches a similar conclusion, noting that some executives take a see-no-evil, hear-no-evil approach to protecting their networks.

Research cited in the CSIS report suggested many executives refuse to meet with IT security staff, fearing that by knowing the vulnerabilities in their systems, they’ll be held liable for breaches.

A separate study, conducted in 2011 for an industry association, suggested that a legislative void in Canada about reporting data breaches has led Canadian companies to not invest in IT security.

“While the onus for protections against criminal threats falls clearly on the owner/operators themselves as a cost of doing business, national security-related threats have ramifications that extend beyond the private domain and also affect the public interest,” the CSIS study said.

“Accordingly, it would seem appropriate that the costs of protecting critical infrastructure against certain threats to national security be borne in a proportionate manner by all those who benefit: Some assistance from central government revenue to ensure that critical infrastructure owner/operators take account of low-probability but high-consequence risks would better safeguard not only the commercial interests of the owner/operators of critical infrastructure but also benefit the public more broadly and enhance their confidence in government to maintain essential services in times of crisis.”

The government’s cyber-security strategy doesn’t legislate IT security standards for businesses or citizens, nor does it provide cash to businesses that oversee critical infrastructure in Canada.

In late October, a high-ranking Tory senator said in a speech that the government wasn’t interested in legislating IT security standards.

One day later, a former British cyber-spy chief suggested governments needed to legislate cyber-security standards because market forces weren’t working.

“That said, the government of Canada does provide support to ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada’s national security, public safety and economic prosperity,” Public Safety Canada spokesman Jean Paul Duval said in an email.

The suggestion in the CSIS report is not the first time that government subsidies for cyber-security have been floated around Parliament Hill.

An internal Industry Canada report, created in March 2012 and released to Postmedia News under access to information legislation, says the industry asked the Tories to create new “regulatory rules that create demand and procurement procedures” that helped small and medium-sized companies earn government contracts, and compete nationally and internationally.

Questions to Public Safety Canada and Industry Canada about whether the government would consider funding cyber-security in the private sector were not answered.