The NATO Association of Canada would like to thank everyone at Pubic Safety Canada who contributed to this in-depth departmental response
1. First off, would you be able to tell us a little about the Canadian Cyber Incident Response Centre (CCIRC) within Public Safety? What is its mandate? Where does it sit in the federal government cyber security structure?
CCIRC works within Public Safety Canada and serves as the single point of contact for owners and operators of critical infrastructure to report cyber incidents and seek assistance. We work in partnership with provinces, territories, municipalities, and private sector organizations to protect their critical cyber systems. As Canada’s national computer security incident response team, we are also responsible to coordinate the national response to any serious cyber security incident.
Among CCIRC’s core activities, we provide incident response assistance to our partners free of charge. We also provide advice and support to prepare for and mitigate against cyber events by issuing a range of guidance documents, security bulletins, and technical reports related to cyber security issues. This helps our partners better understand cyber risks and make informed decisions. Owners and operators of cyber systems work with CCIRC on a voluntary basis, to improve the security on their cyber systems through information sharing on cyber threats and mitigation strategies.
2. The Minister of Public Safety released a new National Cyber Security Strategy in June 2018. Could you explain to us what Canada’s vision is for cyber security for the years to come?
The Government of Canada launched its first Cyber Security Strategy in 2010. Due to the fast pace at which the digital environment is changing, the Canadian government initiated a review of its cyber strategy. In 2016, a broad consultation undertaken across Canada helped identify gaps and opportunities, as well as new ideas to work together to keep Canadians safe. While it is important to be aware of cyber threats, Canada’s cyber security policy was not driven out of fear or defensiveness. The new Strategy rather aims to capitalize on the advantages of new technologies and the digital economy while managing its risks.
As cyber threats become more frequent and severe, they have the potential to undermine the resiliency of our critical networks and infrastructure and bring significant harm to our national security and economic prosperity. The Strategy identifies the leadership role of the Government of Canada and conveys the importance of strengthening collaboration with our stakeholders and partners. The Government of Canada and partners will look to the Strategy to provide direction for the decision-making challenges of the future.
With this in mind, the Strategy’s core goals are reflected in the Budget 2018’s substantial investments in cyber security, which totals more than $500 million over five years. This is the largest single investment in cyber security made by the Canadian government, which clearly demonstrates Canada’s commitment to safety and security in the digital age. With these enhanced capabilities and in collaboration with its partners, the new national cyber security Strategy will better protect Canadians from cybercrime, respond to evolving threats, and help defend government and private sector’s critical systems.
3. Outlined in the National Cyber Security Strategy is the creation of the Canadian Centre for Cyber Security, to begin initial operations in fall 2018. CCIRC will be one of the federal branches consolidated into it, along with functions from Shared Services Canada and the Communications Security Establishment (CSE). How will a unified centre help strengthen Canada’s cyber security practices?
The creation of the Canadian Centre for Cyber Security addresses many of the coordination gaps raised during the consultation. As you previously mentioned, the Cyber Centre will bring together the cyber security operational experience and technical expertise of CCIRC, CSE, and the Security Operations Centre of Shared Services Canada into a single, unified source of expert advice, guidance and services. Once it becomes operational in the fall 2018, the Cyber Centre will be the first Government of Canada integrated source of expert advice, guidance, services and support on cyber security operations for governments as well as critical infrastructure owners and operators. The Cyber Centre will also be a trusted source of general cyber security information for Canadians and the private sector.
The Cyber Centre will inform, communicate, and educate all Canadians about cyber security issues by providing a clear and trusted voice on issues that affect their daily lives. The Centre will reduce cyber security risks to Canadians by providing expert advice, guidance, services and support. It will also monitor the cyber security environment and use that understanding to identify, address, and share knowledge about systemic threats, risks and vulnerabilities. Ultimately, the Centre will provide quicker, more effective information flow between the Government and private sector partners resulting in stronger cyber protection, defence, and security for the Government, the private sector, and all Canadians.
The decision to house the new Cyber Centre within CSE was made in part because CSE already has the necessary legal authorities in place, with its review and privacy protection mechanisms, to support the Centre. Overall, the Cyber Centre will strengthen Canada’s cyber ecosystem and support a resilient cyber community.
4. Another area discussed in the new Cyber Security Strategy is the importance of collaboration with private industry. What has the government been doing to further establish these ties?
The Strategy highlights cyber security as one of the most serious economic and national security concerns for Canada. Although digital technologies and the Internet are integral to innovation and economic growth, Canadian small and medium-size businesses may not always realize the risks present in their cyber environment. Failure to protect adequately their IT systems can lead to adverse economic consequences including data breaches and theft of valuable intellectual property. Adopting good cyber security practices are critical to maintain Canada’s economic competitiveness, stability and long-term prosperity. However, the government cannot do this alone; defending our national interests against cyber threats is a shared responsibility.
Over the years, CCIRC has relied on its extensive partnerships with owners and operators of critical infrastructure across Canada to identify cyber issues and to enable the information sharing that is critical to preventing, preparing for, responding to, and recovering from cyber incidents. Among the approaches used to facilitate information sharing, CCIRC hosts sector based community calls to provide a regular exchange of information on cyber threats and trends experienced by specific sectors. We also participate in conferences that give us an opportunity to directly engage with critical infrastructure sectors and inform them about vulnerabilities specifically affecting their sector of activity. The health of the cyber ecosystem in Canada is heavily reliant on the collaboration and information exchange that occurs between all the relevant stakeholders responsible for critical cyber systems underpinning Canada’s national security, public safety, economic prosperity and innovation.
The new Cyber Centre will continue to build on the collaboration that was previously established by CCIRC and other federal agencies with owners and operators of critical infrastructure across Canada. The Centre will be an outward-facing organization and will welcome collaborative partnerships and projects with the Canadian cyber security sector. It will be open to regular engagement with industry, governments, academia, and the media. It will also advance new partnerships and dialogue with other jurisdictions, the business community, and international partners. These partnerships will help us defend our Canadian interests against cyber threats in a mutually beneficial manner.
5. As mentioned, an integral part to Canada’s cyber security is the safekeeping of its critical infrastructure. What has Public Safety been doing to build resiliency? What have been some of the main challenges in doing so?
Public Safety has been working particularly closely in recent years with critical infrastructure sectors to strengthen their cyber resilience. As outlined in the National Strategy for Critical Infrastructure, Public Safety is continuously working to enhance critical infrastructure resilience and better protect Canada and Canadians by raising awareness of threats and vulnerabilities, and by working with industry partners to prepare for all types of disruptions, including cyber-based incidents. The challenges associated with safeguarding critical infrastructure from cyber threats vary by organization, but can include incomplete adoption of top cyber hygiene practices, variable alignment with standards, varied knowledge and experience of staff, and in some cases resource constraints to improve staff training or upgrade equipment.
The Critical Infrastructure and Strategic Coordination Directorate within Public Safety has developed a range of programs designed to strengthen the cyber resilience of critical infrastructure. First, Public Safety conducts cyber security assessments under the Regional Resilience Assessment Program (RRAP). These assessments help owners and operators of critical infrastructure identify and address cyber vulnerabilities, from both an organizational and technical perspective, through the delivery of on-site interviews and network testing. Public Safety also organizes Industrial Control Systems (ICS) Security Symposiums to provide a forum for critical infrastructure sectors to build partnerships and share information on the latest cyber security trends and mitigation measures. These events include technical workshops designed to provide ICS operators with hands-on opportunities to learn and practice mitigation and defence techniques. In addition, Public Safety works with critical infrastructure owners and operators to develop and deliver cyber security exercises to test cyber security practices and incident response capabilities. These exercises aim to foster enhanced cooperation and information sharing among public-private sector partners and help improve the overall cyber security posture of Canada’s critical infrastructure.
6. Canada and the U.S. share some of their critical infrastructure, are there agreements in place for shared cooperation on their cyber security? How has this cooperation changed with the new American government?
This is a really good question. The Canada – U.S. Cybersecurity Action Plan enhances the already strong bilateral cyber security cooperation that exists between our countries to better protect shared critical infrastructure. The Canadian government works closely with the U.S. to protect critical cyber systems to respond to and recover from any cyber disruptions, and to make cyberspace safer for all our citizens. This means working together, not just at the border, but also beyond the border to enhance our security and accelerate the legitimate flow of people, goods and services.
The Cybersecurity Action Plan’s specific goals include enhancing collaboration on cyber incident management between each country’s cyber security operations centres; improving information sharing and engagement with the private sector; and the ongoing collaboration between Canada and the U.S. on the promotion of cyber security awareness to the public.
Both Canada and the U.S. recognize the importance to work together to enhance the protection and resilience of vital cross-border critical infrastructure. When a new government is elected in Canada or the U.S., the transition happens seamlessly as the coordination and collaboration mechanisms in place to prevent and respond to cyber attacks are well-established in the standard operating procedures between Canadian and U.S. cyber security operations centres. There are several important efforts between Canada and the U.S. to deepen our already strong bilateral cyber security cooperation.
7. It has been found there is a low awareness of cyber security threats in Canada’s maritime transportation industry. What has Public Safety been doing to help the industry bolster itself against emerging cyber threats?
The Maritime Cyber Risk Project is an interdepartmental initiative created to provide concrete solutions to protect Canada’s maritime transportation sector from emerging cyber threats. Speaking with Canadian port authorities it was noticed that the maritime industry is still paying a lot of attention to its physical security; but this is insufficient nowadays and cyber security concerns can no longer be ignored. The marine industry is heavily dependent on technologies and commercial ICS devices for its navigation and communication systems. By 2030, new technologies are expected to significantly change the shipping industry’s operations and the supply chain will soon become completely automated. These rapid technological changes may put the industry at risk, as they may introduce vulnerabilities that can get hacked. Currently, 90% of the world trade is carried by sea, making the maritime shipping industry a prime target for cybercriminal activities, especially for fraud attempts.
The Maritime Cyber Risk Project is a whole-of-government effort that has contributed to build a community of experts on cyber security issues in the maritime transportation sector that has involved 10 agencies and departments: Public Safety Canada, Transport Canada, Fisheries and Ocean Canada, the Canadian Coast Guard, the Department of National Defence, Innovation, Science and Economic Development, the Communications Security Establishment, the Canadian Security Intelligence Service, the Royal Canadian Mounted Police, and Defence Research and Development Canada. Last year, the working group outlined concrete recommendations to address gaps identified in maritime policy or operational issues related to cyber security that were briefed to the Interdepartmental Marine Security Working Group, a forum dedicated to identifying and coordinating federal initiatives to enhance the Government of Canada’s maritime security program.
Overall, the marine industry has been active in recent years to promote good cyber security practices. As you may remember, last year in June, one of the world’s biggest container shipping lines was hit by the NotPetya malware that spread across several port terminals. This incident was estimated to have cost between $200-300 million to the company. Following the NotPetya cyber incident, the joint industry group Be Cyber Aware at Sea released a second edition of their Guidelines on Cyber Security Onboard Ships that aligns with the International Maritime Organization’s guidelines on cyber risk management. In addition, in 2016 Transport Canada identified best practices in Understanding Cyber Risk: Best Practices for Canada’s Maritime Sector to support maritime stakeholders’ efforts to secure their cyber systems. The NotPetya cyber incident highlighted to the industry how important it is to invest in cyber security and how failing to do so will only cost more in the end.
8. How has the cyber threat landscape in Canada changed in recent years? Have you found there’s been a shift in which industries are targeted and what methods are being used?
One of the big trends that has changed in recent years is that criminal activities have moved online. With the emergence of virtual currencies and the increasing sophistication of encryption technologies, cyber criminals can avoid having their transactions reported, and we see new types of frauds appear, like ransomware and cryptomining. Also, the threats are becoming more sophisticated; their impacts are larger and cost more money to recover. A good example of this is that recent threats will now use multiple vectors to lure and infect their victims, using various techniques like spear phishing emails, doppelganger domains or watering holes, to avoid detection. As well, many of the vulnerabilities that are currently being exploited are common vulnerabilities and exposures (CVE) for which patches are available, but that remained unpatched. Despite these alarming trends, I there has been an increase in cyber security awareness and more industries are willing to put the time and money into protecting their networks and intellectual property.
9. What is Canada’s involvement regarding cyber security on the world stage? What actions is Canada taking to build cooperation with other countries?
The strongest strategic alliance within which Canada actively engages is the Five Eyes (FVEY) community. The FVEY is a partnership between Canada, Australia, New Zealand, the United Kingdom, and the United States that facilitates intelligence cooperation and information sharing. Engagement and coordination between Five Eyes countries has been pivotal in ensuring cyber security resilience within our respective countries. In fact, the FVEY strategic dialogue has made significant progress on cyber security issues, particularly with respect to information sharing on the threat environment, coordinated cyber incident response, and international policy coordination.
Canada has made efforts to advance like-minded interests, particularly the promotion of an open, secure and resilient Internet. To this end, Canada has actively participated in cyber security discussions at international fora, including the United Nations Group of Governmental Experts (UN GGE). In addition, Canada’s Anti-Crime and Counter-Terrorism Capacity Building Programs (ACCBP and CTCBP) help support global efforts to combat cybercrime and threats to cyber security. Since 2007, the ACCBP and CTCBP have contributed $15.6M to cyber security capacity building, primarily in the Americas and Southeast Asia.
The new Strategy includes foundational elements that are consistent with our FVEY partners, including strengthening cyber security of government systems, tackling cybercrime and increasing public awareness and engagement among other things. As part of Canada’s new way forward on cyber, the federal government will take a leadership role to advance cyber security in Canada and will, in coordination with allies, work to shape the international cyber security environment in order to promote Canada’s values on the world stage.
10. What are the main changes brought forward by the new national security legislation (Bill C-59) and how will this impact Canada’s Cyber Security Strategy?
With constantly evolving global technological and threat landscapes, governments around the world are re-thinking their national approaches and strategies to protect their citizens. Under the proposed new national security legislation (known as Bill C-59), which is still before Parliament, the Government of Canada would be allowed to use CSE’s unique online capabilities to further protect Canadians and its national interests from cyber threats. This could include, for example, taking action to deter cyber threats targeting critical Canadian networks or to defend against foreign actors looking to interfere with Canada’s democratic process.
It is important to note that none of these proposed activities could be directed at anyone in Canada or at Canadians anywhere. The CSE activities proposed in Bill C-59, including foreign cyber operations, would also be subject to review by the National Security and Intelligence Review Agency (NSIRA) and the National Security and Intelligence Committee of Parliamentarians.
11. In closing, what forms of cyber security threats do you see emerging in the future? What proactive steps could/should Canada take to protect itself?
As new technologies emerge and present new opportunities to improve the lives of Canadians, these same technologies also have a down side as they may have vulnerabilities that could get exploited by actors with malicious intentions. We are seeing innovations that will significantly change our way of lives with autonomous vehicles, smart cities, automated supply chains, smart home devices, artificial intelligence and quantum computing. Nowadays everything is connected to the Internet for better or for worse. Back in 2016, the Mirai botnet caused one of the most disruptive distributed denial of service (DDoS) attacks and brought down an Internet service provider by enrolling a large number of poorly misconfigured Internet exposed devices (e.g. routers, DVR, CCTV). What could be the impacts of a massive DDoS attack if it was used to disrupt the election process? Other similar concerns can be raised with quantum computing. If the technology falls into the wrong hands, it will make all previous encryption obsolete, and State secrets will no longer be protected.
Yet, despite the unforeseen challenges that these new technologies will bring, the National Cyber Security Strategy was designed to take into account the innovative and adaptive aspects of the cyber ecosystem. By committing to position Canada as a global leader in cyber security, the federal government clearly outlined in its Strategy its intent to support advanced research, foster digital innovation, and further develop cyber skills and knowledge domestically. Moreover, initiatives like the creation of the new Canadian Centre for Cyber Security will lead to better coordination of efforts to protect and defend Canada from cyber threats.
Photo: Maple Leaf Outline, by Andre Furtado via Pexels. Licensed Under CC0.
Disclaimer: Any views or opinions expressed in articles are solely those of the authors
and do not necessarily represent the views of the NATO Association of Canada.