Canada ranks fifth among 20 countries in its preparation for and response to cybersecurity threats, according to a standard created by an academic journal and a security vendor.
The Cyber Defence Index, created by MIT Technology Review Insights and sponsored by Code42, gave Canada an average score of 6.94, behind the United States (7.13) and ahead of Poland (6.91).
The leader was Australia (7.83), followed by the Netherlands, South Korea and the U.S. The U.K., France, Japan, and Switzerland rounded out the top 10. Brazil, Turkey and Indonesia were last.
The difference between first-place Australia and third-place South Korea was only 0.42 points.
The subjective scoring rated nations according to how well institutions have adopted technology and digital practices to be resilient against cyberattacks, and how well their policy frameworks promote cybersecure digital transactions.
The scoring system included what the researchers called “in-depth secondary research and analysis” (secondary information would be, for example, from national policy and regulatory data) along with primary survey data — such as the U.N.’s Global Cybersecurity Index — and interviews with global cybersecurity professionals, technology developers, analysts, and policymakers.
The research was conducted between April and September.
However, the scoring didn’t count reported data breaches. In September, first-place Australia suffered a hack of Optus, the country’s second-largest mobile provider. This month, a ransomware gang suspected of being from Russia apparently copied data on 10 million customers of Australian healthcare provider Medibank.
Australia’s first-place score “reflects its efforts to make robust digital infrastructure widely available,” the report says. “The Australian government is applying digital tools and regulatory frameworks to safeguard personal data and digital transactions. It committed to an overhaul of cybersecurity laws, pledging to shelve a previous roadmap. Public urgency rose after the recent hack of Optus.”
While the scoring rated countries by the perceived robustness and the relative security of their critical infrastructure, it also considered their cybersecurity commitments, data privacy legislation, and other factors.
For example, the report says Germany was ranked 13th because it has one of Europe’s lowest e-participation scores, due to low adoption in its small-to-medium-sized enterprises (SMEs), its slow digital service delivery, and its dearth of IT talent.
Another factor considered was the willingness of governments to use artificial intelligence to deliver public services.
The ratings were broken into four categories, which were given weights to get each country’s final score: Critical infrastructure (30 per cent of the score), cybersecurity resources (35 per cent), organizational capacity (20 per cent) and policy commitment (15 per cent).
Canada scored 6.45 on critical infrastructure, 7.12 on cybersecurity resources, 7.29 on organizational capacity and 7.04 on policy commitment.
The U.S. scored 7.49 on critical infrastructure, 7.9 on cybersecurity resources, 6.0 on organizational capacity and 6.14 on policy commitment.
Canada didn’t rank in the top five countries in either critical infrastructure or cybersecurity resources. It did rank third in organizational capacity and fourth in policy commitment. Its position in the policy commitment category may have reflected the federal government’s proposed cybersecurity legislation, demands on Rogers Communications after a huge network outage, and the proposed updating of the private-sector privacy law.
Many of the world’s efforts to harden critical infrastructure focused on creating secure and tamperproof digital identities, the report notes. “This proved difficult even in the most advanced economies,” it added. For example, it points out that while Canada established the Pan-Canadian Trust Framework to promote the creation of digital IDs in 2020, the Digital ID and Authentication Council of Canada (DIACC) has not been able to develop a national digital identification system, and most provincial governments are still only in the planning stages.
The report notes that despite growing cybersecurity awareness and knowledge, there is a gap between maintaining rigorous operational discipline and being truly secure. “The future of cyberdefense depends on the collective capabilities of its organizations and institutions to continuously assess new data,” it says.
“Complete data — about the systems involved in cyberattacks, frequency of attacks, information about the attackers, actions by the companies including any errors made, losses and expected losses, and other sophisticated data — is needed to create a new, secure, and rigorous operational discipline,” says the report.
However, it adds, some companies — like banks — won’t divulge even basic data, fearing legal liability issues.