Ottawa should improve the nation’s cybersecurity maturity by helping small and medium businesses buy IT gear, as well as promoting post-secondary cyber defence training programs, says a parliamentary committee.
The recommendations are part of a report issued this month by the House of Commons Public Safety and National Security committee looking into Canada’s readiness to face threats from Russia.
Although prompted by Russia’s February, 2022 invasion of Ukraine, many of the 21 recommendations in the 53-page report are broader than just dealing with Moscow.
They include asking the federal government to:
— work with provincial and territorial governments to create and promote accredited post-secondary cyber defence training programs. The apparent goal is to make a dent in the shortage of cybersecurity talent;
— ensure operators and enterprises of all sizes connected to critical infrastructure have the cyber security experts, expertise, and resources they need to defend against and recover from malicious cyber activity; and that they report on their ability to meet cyber security standards;
— tell the Communications Security Establishment (CSE) — responsible for protecting federal IT networks and advising the private sector through the Canadian Centre for Cyber Security — to broaden the tools used to educate small and medium-sized enterprises about the need to adopt cyber security standards;
— take steps, including possibly an accelerated capital cost allowance or other tax measures, for small and medium-sized enterprises to make the investments necessary to follow the CSE’s baseline cyber security controls;
— examine the full extent of state-backed disinformation targeting Canada and report its findings to Parliament annually.
The report also recommends the government require critical infrastructure operators to prepare for, prevent, and report serious cyber incidents. Without saying so, this recommendation is identical to proposed legislation the government has already introduced.
Reaction to the recommendations was mixed. “Good ideas,” said David Swan, Alberta-based cyber intelligence director of the Center for Strategic CyberSpace and International Studies, an international think tank, “but would take years to implement and longer to see results.” He added, “I am confident that Canada lacks the resources to make some of the recommendations a reality.”
Similar recommendations by this committee have been seen before, and with little follow-up, complained Christian Leuprecht, a Queen’s University professor and senior fellow in security and defence at the Macdonald Laurier Institute.
“The charitable interpretation I would take is this is something the government doesn’t want to talk about,” he said. “This is not its policy agenda, so it’s not a priority … It will distract from the messaging, distract from the policy agenda and possibly get controversial. A minority government has decided this is not where its priorities lie.”
In fact, he added, the same cybersecurity issues raised at the Public Safety hearings are being raised before the National Defence committee, which this year started sessions on cybersecurity and cyberwar. [Leuprect was a witness last Friday.] “We keep on validating the same problems over and over, and it seems to be very difficult to get any traction,” he said.
“It’s tragic we have committee hearings that do a very good job at writing very good reports, and we now know these reports seem to fall on deaf ears with the Prime Minister’s Office … A lot of the things we need to do to constrain China.”
IT World Canada left phone and email messages for committee chair Liberal MP Ron McKinnon for his comments. There were no replies.
Leuprecht agreed many of the Public Safety committee’s cybersecurity recommendations are vague. But also, he added, “they are lower-hanging fruit. It’s basic things that the government should be doing. And the fact that a committee has to point them out is kind of embarrassing, in my view.”
It is a unanimous report, he said approvingly — but so was a 2018 cybersecurity report on the financial sector from the same committee that Leuprecht believes saw little action. “The longer we don’t act, the further behind we fall.”
One recommendation that impressed him is that Ottawa explore options for a Canada–United States cyber defence command structure. “If we can’t get adversaries to adhere to cyber norms, we need to have an active and offensive posture to draw red lines and hit them hard every time they cross them.”