Canada is under an unprecedented cyber siege, and without immediate action our standard of living and economic future are in jeopardy.
The evidence is in the headlines. The escalating cyber risk from the Russian invasion of Ukraine. The recent multi-day disruption at Global Affairs Canada from a cyberattack. The complete shutdown of an entire provincial health-care system in Newfoundland in 2021. Ransomware impacting supply chains, such as oil pipelines and meat packing plants.
While a lot of attention is rightfully on these headline-worthy attacks, the reality is that defending organizations requires a sustained and substantial amount of effort and resources. The pandemic and a significant move to remote work have exacerbated the challenges we already faced to secure systems, protect privacy and help people work, play, innovate and connect online. Our recovery from the pandemic requires trust in systems and data to ensure citizens are confident working and living in a new online reality — a reality we never envisioned two years ago.
Institutions across Canada are working hard to mitigate these cyber-security risks, using their limited resources and talents to plug an ever-changing set of holes in an effort to achieve “defence in depth.” Yet, with the threats we face, it may not be enough because our adversaries are well funded, trained and motivated. We significantly improve our chance of succeeding if we work collectively to secure our digital future.
For example, six Canadian research universities – University of British Columbia, University of Alberta, McMaster University, University of Toronto, Ryerson University and McGill University – in partnership with CANARIE and Canada’s National Research and Education Network founded the Canadian Shared Security Operations Centre (CanSSOC) to create a shared approach for colleges and universities across the country to reduce costs and improve capacity to detect and respond to cyberattacks. More than 150 academic institutions, and growing, now participate.
Efforts such as CanSSOC create a unified front for higher education to collectively meet the challenge. But across the country, each sector still works in too much isolation and our governments are not creating the right opportunities to collaborate.
The old approach of each organization attempting “defence in depth” doesn’t work anymore. What we really need is “defence through partnership.”
We need a revamp of our national cybersecurity strategy and resourcing to ensure that we level the playing field, so that all Canadian organizations can effectively partner with federal and provincial agencies tasked with improving our cyber defence. This must go beyond simple information sharing. We need security professionals working side-by-side with timely access to tools and data to resolve vulnerabilities and threats before they become breaches.
Specifically, the Canadian Centre for Cyber Security (CCCS) should be empowered to truly coordinate efforts across the federal and provincial governments, major sectors and industry partners to enable our security analysts to work together with the best, actionable threat intelligence. CCCS leaders must look to the new leadership model of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and be more visible, active and open in their messaging.
It requires federal and provincial governments to develop a shared funding model to help institutions in critical sectors upgrade their technologies, with an incentive for collaborative or shared investments.
This is not just a call for funding, but also a call to action for all implicated parties to develop a more cohesive and integrated approach to the shared problem of cybersecurity capacity and resilience. Such an approach would engage all partners – from CCCS, CANARIE, CanSSOC, and the Digital Research Alliance of Canada, to the recently announced Cyber Security Innovation Network (CSIN) – in the development of a national strategy for this critical sector. This approach would also provide sustainable funding to build capacity, and enable directed research and development partnerships to continue to strengthen Canada’s ability to defend against our adversaries into the future.
If we do not prioritize working together towards solutions, we pay one way or another. Criminal activity has become effectively a global tax on individuals, corporations, public entities and governments, funding ever-more-brazen attacks.
We must do all of this in a way that increases digital access for citizens and residents, while protecting our personal privacy, providing transparency and promoting trust.
And most importantly: We must act now.
Isaac Straley is the Chief Information Security Officer, University of Toronto