Imraan Bashir is Partner and National Public Sector Cyber Lead at KPMG in Canada.
Prior to joining KPMG, Imraan directed the policy, strategy, implementation, and oversight of Government of Canada enterprise-wide cyber initiatives, including leadership of key programs such as cloud security and digital identity. Imraan was named one of the world’s top 100 most influential people in digital government by Apolitical in 2019. He discusses some challenges facing Canada’s critical infrastructure with Touraj Riazi.
21st century threats:
Canada’s critical infrastructure (CI) has been described as a system that is massive, fragile, complex, interconnected, geographically dispersed, largely privatized and increasingly vulnerable. Disruptions to Canada’s CI can potentially generate significant economic and social harm. Disruptions to CI are also rarely circumscribed to the initially affected sector or location of an incident because of the highly interconnected nature of CI.
Accelerated digitalization trends across all industries since the outbreak of COVID-19 have further expanded the kind and complexity of attack surfaces against Canada’s CI. No sector is immune from disruption and various CI sectors have been impacted in recent years, ranging from energy to telcos to government.
This trend will likely continue as terrorists, hacktivists and other nation states increasingly resort to cyber-attacks. A survey of 500 US critical infrastructure suppliers revealed that over 50% of suppliers surveyed had reported attempts to control their industrial systems, while 40% had experienced attempts to shut down systems.
The Government’s guideline for developing an operational technology (OT) and information technology (IT) incident response plan even notes that many critical industrial control systems (ICS) which Canadians rely on (e.g., for food and energy production) “may lack basic protection mechanisms, such as strong authentication, authorization, auditing, and input validation, as OT systems are not typically designed with cyber security as a priority.” While a given vulnerability may not always translate into a risk that requires urgent mitigation, more work is clearly needed to strengthen the resiliency of Canada’s CI in the 21st century.
In this insightful conversation, Imraan Bashir shares an astute assessment of how the interconnected nature of Canada’s CI creates significant policy and operational challenges for all stakeholders involved in strengthening the resiliency of Canada’s CI. Imraan also draws on his extensive public and private sector experience to discuss ways to address some of these challenges and help create better outcomes for Canada.
What does critical infrastructure mean to you?
No universal definition of critical infrastructure exists, and different jurisdictions assess which sectors qualify as “critical” differently. Canada has developed its own National Strategy for CI which seeks to “build a safer, more secure and more resilient Canada,” along with an Action Plan to address gaps in the protection of Canada’s CI.
The National Strategy defines critical infrastructure as the processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security, or economic well-being of Canadians and the effective functioning of government.
It identifies 10 critical sectors:
- Energy & Utilities
- Finance
- Food
- Transportation
- Government
- ICT
- Health
- Water
- Safety
- Manufacturing
Imraan says that the “vision behind the definition is solid, but the definition is not as inclusive as it should be because there are several other sectors outside of those 10 that affect the health, safety, security, or economic well-being of Canada, such as space, academia, research, and democratic institutions”.
Canada’s definition also needs to “focus on the interdependencies and interlinkages of its CI” and “introduce an element of prioritization or the concept of tiers” into the definition because “if everything goes offline at the same time, what are you going to bring back first?”
In the plausible scenario that an adversary successfully inflicts damage on multiple ‘critical’ sectors, we should prioritize the recovery of sectors that are necessary for our basic survival as biological beings such as food, water, and health before focusing on other critical sectors that are necessary for the general functioning of society (like democratic institutions, which are primarily relied upon during an election, or academia and research).
Ultimately, “a more inclusive definition of CI will help strengthen the resiliency of Canada’s CI by allowing everyone to have equal access to resources that can make them more resilient instead of creating a collection of ‘haves’ and ‘have-nots.’ This is not what we want when protecting our CI.”
A more inclusive definition would, for example, allow more sectors to participate in the National Cross Sector Forum – an entity that brings together leaders from Canada’s ten present critical infrastructure sectors to identify priorities, and discuss cross-sector issues and initiatives to enhance the resilience of Canada’s vital assets and systems – and greater participation in such forums “will result in more information sharing which will benefit everybody.”
This will lead to an improvement over the current state of affairs, where certain critical sectors are excluded by definition, and collective actions taken to strengthen their resiliency fall to “coalitions of the willing” that are formed on an ad hoc basis.
Who is responsible for Canada’s CI?
Sometimes there are questions about who is responsible for a given CI system or subsystem. The owner? The operator? The government? Canada’s National Strategy states that,
“Responsibilities for critical infrastructure in Canada are shared by federal, provincial and territorial governments, local authorities, and critical infrastructure owners and operators – who bear the primary responsibility for protecting their assets and services. Individual Canadians also have a responsibility to be prepared for a disruption and to ensure that they and their families are ready to cope for at least the first 72 hours of an emergency.”
Imraan admits that CI is an “intimidating problem to look at holistically” but this should not stop the stakeholders involved from “cooperating together to prepare for both the unpredictable and the predictable,” although this is “much easier said than done.”
Imraan also acknowledges the challenges created by Canadian federalism and the interdependencies between different levels of government (where, for example, federal business continuity plans rely on power generated by provincial utilities). However, federalism should not be used as an excuse to “finger point”; instead, it should be a reason to enhance collaboration and leverage the right accountabilities to achieve the desired outcome.
In this context, “transparency and information sharing become even more important,” given the “decentralized governance structure that is responsible for protecting Canada’s CI,” regardless of the risk involved. It is, for example, even “in Canada’s national interest for one level of government to inform another of a threat,” since the impact of an incident on one province might spread if it is not “mitigated in a timely fashion.” “Information must be shared between different levels of government in the spirit of the greater good.”
It is not just governments and organizations, however, that are responsible for ensuring the resiliency of Canada’s CI. Canada’s National Strategy also assigns individual Canadians the responsibility “to be prepared for a disruption and to ensure that they and their families are ready to cope for at least the first 72 hours of an emergency.”
Imraan believes that “we all need to educate ourselves as to what resilience means to us on an individual basis in terms of what we need to survive and how much risk we are willing to tolerate.” For example, if you have one service provider for your cell phone and another for your home, you are improving your business continuity at home in the event of a communications service outage.
Does it matter who is in charge?
Strengthening the resiliency of CI is “a team sport” because of all the different players involved, which creates its own set of challenges, such as information sharing.
Canada’s National Strategy acknowledges that “timely information sharing, within and across the critical infrastructure sectors and all levels of government, is needed to promote effective risk management” and to strengthen the resilience of Canada’s CI.
Imraan recognizes that Canada cannot immediately address all the issues confronting its CI at once, which means a tiered, risk-based approach that prioritizes which outcomes to mitigate first is required. Once risks are prioritized, the parties involved can act accordingly.
This notion of prioritization is seen, for example, in the premise of Bill C-26, which sets “a good baseline” for the protection of the most “critical of critical infrastructure” and contains a targeted set of tangible actions.
“While we have not seen implementation details at the time of the interview, we need to see more proactive measures like this from government” because “collaboration and information sharing between different stakeholders is critical to success, but it is important to not let these words become a substitute for tangible actions that must be taken for us to help one another mitigate risks confronting the CI ecosystem.”
Another challenge is created by Canada’s tendency to be reactive with its information sharing. While Canada “does a great job of identifying risk in Canada and sharing information about that risk, there is often the question of what to do next with this information.”
Imraan believes that both government and the private sector are responsible for answering this question because “if everyone ultimately agrees that the priority is to protect Canada’s CI then questions relating to jurisdiction become less important and we can focus more on outcomes for Canada and less on who is responsible.”
Imraan also underscores the importance of approaching CI as a team sport for SMEs that will benefit from greater support, because many SMEs do not have the resources required to fulfill various requirements (like risk assessments or participation in resiliency exercises), and this poses its own set of risks to the CI ecosystem.
In conclusion, “Canada must be creative as it explores how various government resources from grants to financial or tax incentives can support these SMEs in the protection of their systems because a chain is only as strong as its weakest link, which means we need to prioritize all players in the ecosystem to truly achieve resilience at the national level.”