There is a rarely discussed aspect to the high-profile data breaches of Target and Home Depot. In both cases the installation of malware was achieved through small companies who were working with the retail giants, and in both of these cases, the smaller companies were forced out of business as a result.
What these incidents highlight is the growing risk created by the supply chain. In March 2017, the New York State Department of Financial Services' Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) legislation was introduced. As part of this legislation, the industry is now required to include its supply chain as part of its overall risk matrix. This means that suppliers dealing with a financial services organization now have an increased responsibility to document and demonstrate a certain level of cybersecurity maturity in order to conduct business. While some have complained that this would limit market access for small to medium-sized businesses, others have commended the industry for being the first to acknowledge the increasing connectivity we have to others, and the risks that this creates.
In the defence sector, the discussion around risk and supply chain is longstanding. In December 2018, the Aerospace Industries Association (AIA), an Arlington, Virginia-based trade association that lobbies on behalf of defense contractors, released a set of voluntary standards designed to help U.S. aerospace companies ensure the weapons systems they make for the U.S. military are secure against cyber attacks. With this announcement, the AIA acknowledged that U.S. defense companies now see cybersecurity as part of their competitive advantage as they build complex systems for the military. A Memorandum of Understanding (MOU) was signed between Israel-based Naval Dome and the UK's Lloyd's Register (LR) in 2017, in order to develop a set of standards and guidelines for maritime cyber defence. While the standards continue to be developed, both organizations report significant progress during the pilot testing phases.
In Canada, the focus of late has been on the use of foreign materials in the building of and upgrades to Canadian military vessels. CBC released a report last year indicating that François-Philippe Champagne, who was international trade minister at the time, had made an official inquiry to the Department of National Defence. Mr. Champagne, who was engaged in the NAFTA negotiations with the U.S. Government, indicated that the Americans were becoming increasingly concerned with the involvement of Chinese companies in the defence and high-tech sectors in Canada.
Those working within the cybersecurity sector have also been quite vocal about Chinese affiliations, especially in regard to Chinese telecom giant Huawei. On the manufacturing side, in the Information Note prepared for Minister Harjit Sajjan, procurement officials indicated that while many materials require offshore sourcing, only 17 per cent of the naval vessels contained Chinese steel.
In 2013, naval engineer Qing Quentin Huang, who worked for Lloyd’s Register, a subcontractor of Irving Shipbuilding Inc., was arrested in Burlington, Ontario and accused of trying to spy for China on Canadian shipbuilding plans. Huang was charged under the Security of Information Act with attempting to communicate secret information to a foreign power. Mr. Huang, who remains on bail and continues to profess innocence, is asking for the charges to be dismissed as the federal government continues to challenge the questions around disclosure of sensitive government intelligence. Prosecutors contend that virtually all of the redactions were covered by a section of the Canada Evidence Act that allows the government to shield information from disclosure due to national security concerns. With tensions increasingly elevated after the detainment of Huawei’s Chief Financial Officer, the relationship between China and Canada – as it pertains to national security, technology and innovation – remains uncertain moving forward.
From an innovation and manufacturing perspective, we are seeing an increased focus on security as it relates to the next generation of military vessels. Ken Hansen, an independent defence and security analyst and owner of Hansen Maritime Horizons, recently wrote an article for Maclean’s magazine in which he stated that the Canadian military and shipbuilding industry were at a crossroads since the status quo of ship designs would no longer comply with the growing use of technology and innovation in targeted military attacks. In other words, a ship’s cyber “firepower” was becoming just as important as the other weapons it houses. With that change in strategy comes the reality that this will impact the design, technology requirements, and skills required to operate these new breeds of ships.
The U.S. Inspector General’s office released a report indicating that, overall, the Pentagon was not taking basic cybersecurity steps to protect its ballistic missile system. Although the Pentagon’s weapons are worth roughly $1.66 trillion, the October report found that “nearly all” American missiles, jets, ships and lethal equipment in development are vulnerable to cyberattacks. As a result, the Navy is now looking at three areas of research to help bolster future cyber readiness. They include Deception Tactics, Dynamic Configuration and Artificial Intelligence. These studies will be carried out with both academic and private sector partners.
As the landscape of the global naval defence sector continues to evolve and change, Canada should – and must – watch, learn and adapt to what others are doing to address the cyber threats of the future. The concept of “secure by design” must be embraced in all stages of design and deployment moving forward.