The time for Canada to renew its cybersecurity policy is long overdue. But despite the completion of Public Safety Canada’s months-long public consultation process on cybersecurity in January, the government is still yet to act.
Over the course of this summer, two of the most devastating cyberattacks in a decade have taken place: the WannaCry and Petya attacks. Between these two cyberattacks, critical services like the UK’s National Health Service, Russia’s interior ministry and Chernobyl’s radiation monitoring system were all held for ransom by hackers.
Worse yet, we know that hackers from around the world are compromising important systems for profit — selling access to the highest bidder on the Darknet. For example, CMarket, one of the biggest Darknet markets, sold access to NATO databases, compromising information on government officials around the globe and access to critical infrastructure such as energy grids.
The notion that organized crime and foreign state actors are stealing and selling access to the systems on which we depend in our everyday lives should worry Canadians. The critical infrastructure that these hackers target keeps our electrical grids running, our telecommunications systems online and our dams from overflowing, among many other vital roles. Losing even one form of critical infrastructure could lead to the loss of many lives.
Despite the imminent threat that cyberattacks pose to our critical infrastructure, Canada is lagging behind its allies in cybersecurity. In fact, our national cybersecurity strategy has not changed for seven years, despite the fact that the threat of cyberattacks has dramatically evolved since then. As a result, Canada has become incredibly vulnerable to cyberattacks.
For example, Canada’s private sector has fallen far behind others in terms of its efforts to update defences against the ever-evolving threat of cyberattacks, despite the fact that it owns a significant amount of Canada’s infrastructure. According to a Deloitte survey, only 9% of Canada’s organizations can be considered highly secure against cyberattacks. And to make matters worse, 68% of Canada’s organizations lack the ability to recover effectively from successful cyberattacks.
This happens because our government offers the private sector little incentive and funding to improve. As a result, many companies simply opt out of using proper cybersecurity defences, since they are often expensive and seen as harmful to their bottom line.
The contrast between Canada and the rest of the world could not be clearer.
The United States, United Kingdom, and Australia have all recently updated their cybersecurity strategies with budgets in the billions of dollars and are forming strong relationships with the private sector to ensure that their systems are protected too.
Meanwhile, the Trudeau government only allocated $77.4 million to cybersecurity in its first budget and is expected to spend just $27 million on cybersecurity by 2019. If Canada is serious about safeguarding the threat of cyberattacks, then it must create a new strategy that will forge stronger relationships with the private sector and allocate the necessary funding.
That being said, Canada’s greatest vulnerability is its people. Those who operate our critical infrastructure and access sensitive information daily are not being adequately trained. Our outdated public digital literacy programs simply do not teach Canadians about how to handle the constantly evolving threats they will encounter online.
As a result, several practices that put our systems at risk have become widespread in Canada. For example, one in three Canadians don’t change their passwords and often use the same password for their different accounts. Most Canadians do not know how to report cybercrime.
This is one of the most urgent areas that a renewed cybersecurity strategy must address. Any barriers against cyberattacks become useless if attackers are unwittingly let in past them by unsuspecting Canadians. It is the government’s responsibility to ensure that Canadians understand this threat.
When Public Safety Canada completed its consultations on cybersecurity, many hoped that it would lead to the creation of a new cyber defence strategy.
Furthermore, during the consultations, the government received a stunning 2399 responses about how best to update Canada’s cybersecurity policy, resulting in a final report with recommendations that were applauded by experts across the field.
Unfortunately, our government has still not even discussed updating its cybersecurity strategy. This is simply unacceptable. Without an update, Canada could easily fall prey to the next major cyberattack.
The time to act is now.
This article appeared in the September 11, 2017 edition of the Hill Times.