In October, the federal government launched Canada’s Cyber Security Strategy, bringing together the prior work of federal departments and agencies to set a comprehensive and coordinated approach to the security challenges of cyber space. Robert Dick, director general of National Cyber Security at Public Safety Canada, spoke with associate editor Chris Thatcher about the strategy.
Cyberspace is complex and this strategy was some years in the making: what were the biggest challenges in developing a truly national strategy?
It is incredibly complex. We’ve made these information systems so integrated and prevalent in our lifestyle and in the way in which government and the economy operates. Cyberspace is a pretty fluid environment and things evolve rapidly, so the complexity derived from how all encompassing this strategy is and the fact that no one actor can do it all. It really was a matter of unravelling a bit of that complexity, figuring out the different elements and what everybody has to do in a federated environment where 85 percent of critical infrastructure is owned or operated outside the federal domain and where responsibility for many issues lies in the jurisdictions of the provinces and territories, including regulating much of Canada’s critical infrastructure. That requires a lot more sharing and collaboration than perhaps we’ve been doing in this space. So delineating the roles and responsibilities of the various federal departments and agencies, committing ourselves to better engage and partner with the key stakeholders, and getting everybody pulling in the same direction was one of the greatest challenges of developing the strategy, and it’s also the challenge of implementing as we move forward.
Most departments have been doing “cyber security” for a while now, even if they did not call it cyber. Did you have to develop a common baseline?
You’re quite right. Every department and most industries have an IT department, so they do the basics of cyber security. Hopefully many individual Canadians do the same thing. More sophisticated enterprises like government or big businesses have greater technical capacity, and so do more. It’s now a matter of recognizing that the threat is changing so rapidly that allowing each government, department, industry or person to sort of go it alone, despite their best intentions and best efforts, will not deliver the result we want. How do we combine our efforts and our knowledge to deliver a better outcome?
The strategy highlights three areas of threat – state-sponsored espionage or military activities, terrorist attacks, and cyber crime: Is one more significant than the others?
They all pose a serious threat, so it is difficult to rank them. From a national security and economic security perspective, the more sophisticated threats would come from state-sponsored espionage and military activities. Addressing these threats is paramount to ensuring our ability to maintain our political, economic, commercial and military advantages. But we also know that terrorist groups are using the Internet for coordination and recruitment activities. It really depends on which lens you are looking through on a given day. Fortunately, if you are putting in place defences, you put in place the same defences for all those types of attacks. You don’t differentiate how they come at you. So the same good practices, the same techniques will improve the security posture against any actor.
How does the government respond to cyber incidents? Is the Canadian Cyber Incident Response Centre the first point of contact? Or do you need a command centre?
The CCIRC, which resides at Public Safety, receives the first notification. It does not have the authority to prescribe actions to be taken by federal departments and agencies, provinces and territories, or private industry. However, it operates a cyber triage unit, which means it can convene partners from across government – from the intelligence apparatus, from defence, from law enforcement – to determine who would have the investigative lead, how to proceed to manage the response to an incident, and loop back with external stakeholders when we should.
The CCIRC has been in place for a couple of years. It is a division within the Government Operations Centre, so there is no need for an additional command centre. But we need to make it better. We need to ensure there is greater awareness of it and that it is serving clients not just inside government but also outside – we need to know what they are seeing and help to broker information and get the word out about what’s happening and what can be done so that they can take the appropriate measures to defend their own systems. It really is about the flow of information and improving that knowledge and coordination.
Will the CCIRC become something akin to the Integrated Threat Assessment Centre, with representatives from several departments?
At the moment it is staffed by Public Safety, but some of those people certainly have lots of experience in other departments. The possibility exists in the future to contemplate those arrangements within government and with critical infrastructure partners. We’d have to weigh pros and cons and figure out how best to enhance its capacity and effectiveness.
Does it change your response whether the issue falls between defence or law enforcement?
I think the techniques that we put in place are the same. In Canada, we are seeing the most activity on the law enforcement and security side, rather then anything that might be considered a defence issue. When does something become a defence issue is a debate that is being had in different countries and the response depends on their national context. But for the most part, the protective measures are alike across the board; if you are able to get to an attribution stage, then you have to figure out what to do about it.
As you noted, most critical infrastructure is owned or operated by the private sector. How do you collaborate with industry?
The relationships are linked closely to our National Strategy and Action Plan for Critical Infrastructure, announced last May. That strategy sets out 10 critical infrastructure sectors, including energy, health care, telecommunications, finance and food production. There is an overarching cross-sectoral table with representatives from each of the sectors. Our commitment to industry is to avoid creating duplication of consultation mechanisms, so we’ll work as much as possible through those sector tables. We have briefed the cross-sectoral group on the cyber security strategy. We are currently working closely with the telecommunications and the energy sectors to begin to build those relationships. We know industry is very concerned about this as well and eager to collaborate, so it is a question of figuring out priorities and where best to work together and leverage our respective expertise.
That also extends to cross border relationships. How much of Canada’s strategy has been influenced by what others are doing?
First, you’re absolutely right. On so many issues, the United States is a close partner for Canada and this is especially true in critical infrastructure. Second, as we’ve talk to others internationally about cyber space, the policy challenges are pretty much the same. We did our policy due diligence and looked at what other countries are doing. And by and large they are having the same experience and coming up with similar actions to be undertaken. So I think you’ll find there is close alignment, in part because we talk, but also because we did the same set of analyses and arrived at similar conclusions.
Has there been a discussion about a shared U.S.-Canada response centre, perhaps something like a cyber NORAD?
I have heard things like that discussed. Cyber space challenges notions of sovereignty and doesn’t recognize borders, so there is a lot to be gained from international cooperation. Whether that is by layering on other institutions is certainly a debate worth having. But for the moment we are focused on strengthening and implementing our own strategy.
There are several Acts currently being proposed. Will you require additional legal or legislative changes to operate in this space?
On the criminal element, we need to give law enforcement the tools to grapple with this new technology and ensure that frameworks are up to date. There has some work being done around lawful access, for instance, because we have to ensure we can apply techniques that we already use in non-cyber domains to new technologies. We are also sending clear signals that cyber space is subject to the rule of law and if you commit identity theft or fraud in this country, it’s a crime. And to the extent that we needed any clarification or strengthening of provisions around that, the government has acted. It’s very hard to predict where this will go, but we are looking at legal frameworks to ensure we have the ability to ensure the security of Canadians in cyber space.
Have most of the legal challenges around information sharing been resolved?
There is a need for information sharing and it is something that we struggle with because there is always a balancing of interests. Our message with the strategy is: everybody is doing their best efforts individually, we have to improve collaboration, and that requires information sharing to some degree. It is something we are working on across the federal government and with the provinces and territories and with our industry partners. If there are barriers, what are they? And are they a problem? It can be simple things like ensuring we have in place the policies and protocols to respect the privacy, commercial sensitivity or confidentiality of information that may come to us. We need to get that right from a policy and operational perspective.
How involved is the Privacy Commissioner in this debate?
The Privacy Commissioner has been consulted throughout the strategy and there are a lot of areas where the messaging aligns. If you are a business or a government, one of the reasons that you want good cyber security practice is because you have a duty to protect sensitive commercial or personal information. We are seeing in the private sector that when something goes wrong, it can have an impact on stock prices, on confidence of management, or on the institution itself. So the privacy commissioner’s messages about the responsibilities as an organization collecting sensitive data to protect it with all due diligence aligns very closely with our messaging.
Will you require more financial investment to implement the strategy?
Budget 2010 provided $90 million over five years and $18 million on an ongoing basis; that’s a substantial funding level. The strategy builds on the existing efforts of National Defence, the Communications Security Establishment, the RCMP, the CCIRC, CSIS – all have significant capacity devoted to cyber security. And of course every department and organization does IT security to a degree. So this is significant new funding to start to deliver on the strategy and we think it will go a long way toward implementing the strategy. The $18 million is intended to put in place some core capabilities in key departments, including Public Safety, to exercise leadership in working with the private sector, provinces and territories in a way that we have not before, and in promoting public awareness, which is something we have not done before. It does give capacity to a number of departments around government. But this is now a priority of the government, so departments will be reallocating toward this priority. And as we better leverage our information, we will be able to achieve a stronger collective security posture without necessarily huge investments in each department.
Are there any key areas in your estimation that remain to be addressed?
The strategy is very broad and all encompassing in its policy mandate. It is deliberately crafted to be flexible, to try to anticipate in an area where it is hard to anticipate. It sets out the principles, the parameters and the areas of focus. What we have to do operationally at a given moment may vary and evolve, but I think the strategy itself will accommodate that. With those guiding principles, we now have the latitude to vary our operations a little bit within those parameters if the landscape shifts. The intention now is to get on with doing it.
An interview with Robert Dick.
