From: Ottawa Citizen
By Jordan Press
OTTAWA — Governments should move now to secure private networks in the name of national security — possibly even forcing standards upon the industry, two top experts in cyber-security said Thursday.
The end of that road could require Canada and other governments to legislate cyber-security standards, according to the former chief of Canada’s ultra-secretive cyber-spy agency, because voluntary standards can be ignored while legal requirements cannot.
About 90 per cent of critical infrastructure in Canada is owned and operated by the private sector.
The Obama administration treaded lightly on this in a recent executive order, announcing only voluntary security standards for companies that run critical infrastructure in the United States.
“It’s a foray, but I’m not sure how successful it’s going to be. First of all, it’s voluntary and secondly there’s always conditions. The private sector, some will play and some won’t and if one’s weak, they’re all weak,” John Adams, the former chief of the Communications Security Establishment Canada (CSEC), told reporters Thursday at a security conference in Ottawa.
“Pass a law,” Adams said. “Make it obligatory.”
Top American politicians and defence officials have suggested the threat in cyberspace is so great that an attack on critical infrastructure could cripple countries, a scenario American officials have repeatedly dubbed a “cyber Pearl Harbor.” Adams said there was no indication that terrorists were interested in carrying out attacks on networks, nor is it clear that countries can easily weaponize computer code.
The number of attacks on American systems has grown as the number of users and devices connected to the Internet continues to grow. Online disruptions successfully targeted Estonian networks in 2007, and last year a malicious program rendered 30,000 computers at the Saudi Arabian state oil company unusable.
“What we see is an increasing level of activity on the networks. I am concerned that this is going to break a threshold where the private sector can no longer handle it and the government is going to have to step in,” Gen. Keith Alexander, the head of U.S. Cyber Command, said during a panel discussion at the conference.
Much of the concern over government involvement in cyber-security, such as having Internet service providers tell federal security agencies about potential attacks or disruptions to systems, comes down to worries over the loss of civil liberties. The head of U.S. Cyber Command, the central hub for defending American networks from attacks, be it from foreign states or hackers, said without that information, his agency can’t see where attacks are coming from, know that they’re happening, or do anything about it fast enough.
“Most of the people do not understand the magnitude of the threat and the problems we face, nor the impact of some of the solutions that we put in place,” Alexander said. “There are things that we can do and must do to protect our country.”
A report this week from IT security firm Mandiant alleged a specialized Chinese military unit was behind the hacking of 141 companies in the last six years, stealing corporate secrets from enterprises including Canadian company Telvent, which creates the computer systems that operate pipelines. China has denied the accusations.
Worldwide, cyber-criminals are estimated to have stolen $4 trillion annually, Adams said, while companies spent about $15 trillion fighting such losses.
The White House announced Wednesday it would move to punish countries that don’t do enough to crack down on hackers stealing corporate secrets, naming China, India and Russia as possible culprits. A spokesman for Public Safety Minister Vic Toews didn’t directly respond to the U.S. strategy Wednesday, telling Postmedia News only that through the government’s cyber-security strategy, government agencies would “work with the private sector and our allies to guard against these threats.”
Alexander said no secure network will be completely safe from hackers and the best defences can always be compromised. He said governments should move to a secure cloud network to limit the number of vulnerabilities in a traditional network, an option the Harper government has been considering.