Ottawa should help SMBs more on cybersecurity: Parliamentary committee

Ottawa should improve the nation’s cybersecurity maturity by helping small and medium businesses buy IT gear, as well as promoting post-secondary cyber defence training programs, says a parliamentary committee.

The recommendations are part of a report issued this month by the House of Commons Public Safety and National Security committee looking into Canada’s readiness to face threats from Russia.

Although prompted by Russia’s February, 2022 invasion of Ukraine, many of the 21 recommendations in the 53-page report are broader than just dealing with Moscow.

They include asking the federal government to:

— work with provincial and territorial governments to create and promote accredited post-secondary cyber defence training programs. The apparent goal is to make a dent in the shortage of cybersecurity talent;

— ensure operators and enterprises of all sizes connected to critical infrastructure have the cyber security experts, expertise, and resources they need to defend against and recover from malicious cyber activity; and that they report on their ability to meet cyber security standards;

— tell the Communications Security Establishment (CSE) — responsible for protecting federal IT networks and advising the private sector through the Canadian Centre for Cyber Security — to broaden the tools used to educate small and medium-sized enterprises about the need to adopt cyber security standards;

— take steps, including possibly an accelerated capital cost allowance or other tax measures, for small and medium-sized enterprises to make the investments necessary to follow the CSE’s baseline cyber security controls;

— examine the full extent of state-backed disinformation targeting Canada and report its findings to Parliament annually.

The report also recommends the government require critical infrastructure operators to prepare for, prevent, and report serious cyber incidents. Without saying so, this recommendation is identical to proposed legislation the government has already introduced.

Reaction to the recommendations was mixed. “Good ideas,” said David Swan, Alberta-based cyber intelligence director of the Center for Strategic CyberSpace and International Studies, an international think tank, “but would take years to implement and longer to see results.” He added, “I am confident that Canada lacks the resources to make some of the recommendations a reality.”

Similar recommendations by this committee have been seen before, and with little follow-up, complained Christian Leuprecht, a Queen’s University professor and senior fellow in security and defence at the Macdonald Laurier Institute.

“The charitable interpretation I would take is this is something the government doesn’t want to talk about,” he said. “This is not its policy agenda, so it’s not a priority … It will distract from the messaging, distract from the policy agenda and possibly get controversial. A minority government has decided this is not where its priorities lie.”

In fact, he added, the same cybersecurity issues raised at the Public Safety hearings are being raised before the National Defence committee, which this year started sessions on cybersecurity and cyberwar. [Leuprect was a witness last Friday.] “We keep on validating the same problems over and over, and it seems to be very difficult to get any traction,” he said.

“It’s tragic we have committee hearings that do a very good job at writing very good reports, and we now know these reports seem to fall on deaf ears with the Prime Minister’s Office … A lot of the things we need to do to constrain China.”

IT World Canada left phone and email messages for committee chair Liberal MP Ron McKinnon for his comments. There were no replies.

Leuprecht agreed many of the Public Safety committee’s cybersecurity recommendations are vague. But also, he added, “they are lower-hanging fruit. It’s basic things that the government should be doing. And the fact that a committee has to point them out is kind of embarrassing, in my view.”

It is a unanimous report, he said approvingly — but so was a 2018 cybersecurity report on the financial sector from the same committee that Leuprecht believes saw little action. “The longer we don’t act, the further behind we fall.”

One recommendation that impressed him is that Ottawa explore options for a Canada–United States cyber defence command structure. “If we can’t get adversaries to adhere to cyber norms, we need to have an active and offensive posture to draw red lines and hit them hard every time they cross them.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs