On December 16, Prime Minister Justin Trudeau released mandate letters tasking his ministers of national defense, foreign affairs, public safety, and industry to develop a new “National Cyber Security Strategy.” He specifically highlighted the need for the strategy to “articulate Canada’s long-term strategy to protect our national security and economy, deter cyber threat actors, and promote norms-based international behavior in cyberspace,” as quoted by Global News.
The directive did not appear out of nowhere. Canada’s intelligence community has issued several key warnings of cyberattacks in the past few years. Back on March 19, 2020, for example, the Communications Security Establishment (CSE) released an alert revealing that cyber criminals and nation-state actors were actively attempting to exploit fears surrounding the COVID-19 pandemic to target Canadian healthcare organizations with attack attempts and data theft. Most recently, CSE released a report in which it revealed that more than half of Canada’s known ransomware victims for 2021 were critical infrastructure providers. The agency also confirmed that it had used its “legal authority to conduct cyber operations to disrupt foreign-based threats to Canada, including cybercriminals,” per CBC News.
Streamlining Cyber Security Strategy
It is great to see the initiative here to build a National Cyber Security Strategy in Canada. However, the key will be how swiftly Trudeau’s ministers can develop and implement that strategy. Cybersecurity threats are evolving quickly, and as we have seen most recently with Log4j, sometimes they need to be addressed very quickly. It will be important for this National Cyber Security Strategy to include measures that ensure a well-built foundation of best practices.
The good thing is that Canada does not need to reinvent the wheel. Why would they when they can look to best practices such as the Center for Internet Security’s Critical Security Controls (CIS Controls) as a basis for their work? Version 8 of the CIS Controls even breaks down those security measures into three Implementation Groups that organizations can use to achieve increasingly mature levels of cyber security hygiene.
How Can the CIS Controls Drive Cyber Security in Canada?
If we take a quick look at the CIS Controls, we see that a key building block is understanding which devices and resources need protection. That’s why the first two CIS Controls emphasize the importance of building an inventory of enterprise assets and of software assets. These resources include standard IT assets that most organizations have deployed on the production side of things. But they can also include Operational Technology (OT) and other specialized equipment used by critical infrastructure. With more remotely connected users than ever, the inventory also involves a barrage of Internet of Things (IoT) devices that could be anywhere in the country. Those devices could be anywhere in the world accessing services within Canada.
So, in addition to the technical considerations I’ve already touched upon, policy makers must ensure that this National Cyber Security Strategy considers foreign and domestic policy as the evolution of the Internet continues to shrink our borders.
Some Important Questions to Consider
Once that high-level strategy is created, the Canadian government must answer several questions. How does this National Cyber Security Strategy translate into technical controls that can be widely implemented? And how can it help to secure funding that critical infrastructure providers and other organizations can use to protect identified critical assets?
If we look at sectors such as healthcare, manufacturing, and energy, we see that many of those responsible for securing their devices are underfunded and understaffed. So, will this strategy include measures to train more cybersecurity professionals? Implement mandates for compliance with security requirements? Provide funding to organizations in these critical sectors to boost their cyber security posture? And will the CSE provide free assessments? Those questions remain to be answered. We’ll need to wait until the National Cyber Security Strategy is released.
Another aspect to consider is that if there is a new compliance requirement, the strategy will need to include provisions to ensure that compliance does not merely consist of checking off a box. The controls that are implemented need to provide actual value in improving the risk posture of individuals, organizations, and the country overall.
Finally, Canada should not limit its training to cybersecurity professionals only. On the contrary, it can also focus on bringing better cybersecurity awareness to the greater population of Canada. This can be enacted through universal cybersecurity awareness training that begins in primary education and reinforces basic cyber hygiene throughout the primary and secondary school curriculum. Empowering individual citizens to know what to look for and how to better use their connected services is another way of providing greater cybersecurity for the entire country.
Global News noted that there is no deadline for the delivery of Canada’s new National Cyber Security Strategy. Trudeau did tell his ministers that he expects to receive regular and public updates on their progress, however. We at the State of Security will keep you informed about those updates and what they mean for cybersecurity in Canada going forward.