The average cost of a data breach in Canada is $6.75 million per incident in 2021. That’s up almost half a million from 2020. With each new year, hackers become more sophisticated in their attack methods and who and what they target. Businesses across the country are losing higher amounts of money through data recovery, ransom payments and more.
The Canadian government has a realistic opportunity to support businesses big and small with strong cybersecurity leadership. The renewed mandate provided by the September federal election and leadership change at the Canadian Centre for Cyber Security (CCCS) offers the opportunity to outline new strategic cybersecurity priorities.
In August 2021, Sami Khoury took over as the head of the CCCS. The centre is a relatively new institution – it was created three years ago and only had a year or so of development before the start of the COVID-19 pandemic. As such, it has arguably not yet had the opportunity to make a true impact and establish itself amongst government institutions.
As the public face of the Communications Security Establishment (CSE), the CCCS provides cybersecurity advice and support for the government, critical infrastructure owners and operators, the private sector and the Canadian public.
Cybersecurity is crucial for all industries, from critical infrastructure sectors like oil and gas, water and energy to companies that affect Canadian’s daily lives like retail and financial services. The CCCS can bring cybersecurity to the forefront of Canadian policy discussions, working with the public, internal government agencies and private industry experts to provide direction to all Canadian businesses and organizations.
As an organization, the CCCS could take a page out of the playbooks of similarly allied institutions like the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC). With Khoury as its new leader and a new year fast approaching, CCCS is in a position to be assertive, innovative in a way that will have the most transparent impact.
But, where to begin?
Start with protecting critical national infrastructure
The centre has the most significant opportunity to have a lasting impact on Canadian cybersecurity by engaging directly with critical national infrastructure organizations to improve their cybersecurity practices and foundations. These will support the overall well-being of everyone in sectors like energy, oil and gas and water treatment.
Under new leadership, the CCCS needs to expand outreach, training and public direction to these critical sectors. While nearly 85 per cent of Canada’s critical national infrastructure is owned and operated in the private sector, government-supported instruction and leadership will be the driving force behind improving cyber-resilience.
The CCCS should begin with educating critical national infrastructure organizations about the importance of updating systems. Critical national infrastructure tends to depend heavily on operational technology (OT) instead of the informational technology (IT) more commonly associated with cyberattacks.
Operational technology (OT) is defined as hardware and software that detects or causes a change by directly monitoring and controlling industrial equipment, assets, processes and events. In many ways, OT is more vulnerable to attack than IT because operational technology typically relies on older, legacy security systems. In addition, most OT systems were never designed with cybersecurity in mind. Attackers can leverage vulnerabilities in outdated OT environments to compromise critical infrastructure.
Developing incident response
Many organizations in the private sector – regardless of their level of cybersecurity maturity – may expect or even demand a government response when things go wrong. The CCCS should consider the approach developed by its U.K. equivalent, the NCSC, which guides the public and businesses in cybersecurity matters.
While the CCCS has guidelines for organizations to create incident response programs, the NCSC’s “Cyber Incident Response” program certifies private companies to help critical infrastructure organizations that have suffered a significant cyberattack. After an attack, organizations must take essential steps, also known as cyber incident response. They must determine the extent of the attack, manage its immediate impact, help rectify the compromised system, and work to increase security across the network. In the U.K., a certified company would support all the activities detailed above.
Critical national infrastructure companies often cannot conduct all these steps in the process. Relying on a government-certified private provider can help these organizations and prevent a devastating attack. While the government must continue to play a substantial and guiding role in protecting critical infrastructure from cyberattacks, a more co-operative position with the private sector in incident response will be vital in safeguarding infrastructure organizations.
By collectively unpacking cyberattacks, the private and public sectors can understand what areas and industries need further resources, budget, and people. Instilling a similar incident response program in Canada will promote collaboration and prepare organizations for dealing with future threats.
Further promoting innovation and collaboration
The CCCS has an immeasurable opportunity to partner with the private sector to improve education about the improved security tools available to critical national infrastructure organizations.
Cyberattacks are becoming increasingly sophisticated. Workforces are more distributed and internet-connected than ever, giving hackers new avenues to breach organizations. Cyberattacks now use methods like ransomware-as-a-service that allow them to download a hacking application and hold a company’s data for ransom without being an experienced hacker with technical prowess.
Critical national infrastructure organizations need to fight back against malicious actors and utilize advanced technologies to update their systems and better protect their OT and IT environments.
While public funding and research efforts – like the recent $407,000 in new funding given to the University of Waterloo from the Department of Natural Resources – can help identify threats, these initiatives cannot help contain them. Canadian organizations need to leverage innovative security tools for total visibility into their networks and increased understanding of their complicated digital infrastructure. Attacks are becoming increasingly automated, and hackers have tools at their disposal that they never had before. It’s apparent: Humans can no longer defend against advanced, machine-speed attacks alone.
Many organizations understand that cyberattacks are a threat yet still rely on firewalls to defend their entire digital infrastructure. COVID-19 has changed the cybergame forever for OT as well as IT. The boundaries of a traditional network have expanded far beyond a data centre and the office. With remote and hybrid work, employees are now everywhere and might be working from unsecured networks and devices. Outmoded defences are not enough especially given the increasing difficulty in clearly defining where the cyber perimeter is.
But solutions like self-learning artificial intelligence can monitor the entire spectrum of an organization’s activity. It can learn an organization’s entire digital ecosystem, determining what “normal” behaviour looks like for that enterprise, from who typically sends emails to who typically accesses applications and when. It can then use this evolving understanding to detect abnormal behaviour and disrupt a threat in its earliest stages before hackers can cause real harm.
However, many critical infrastructure organizations just do not know what tools are available to them. Although the CCCS provides resources, alerts and best cyber practices for businesses and consumers, it does not outline the types of cybersecurity technologies organizations can invest in to protect their digital estates.
The CCCS needs to elevate its role as a bridge between the public and private sectors. Establishing its presence as a support system will be especially crucial in the successful protection of critical national infrastructure. Being open and increasingly visible within the Canadian cybersecurity environment and co-operating with the private sector will be invaluable for Canada’s future cybersecurity.