March 10, 2022
CADSI op-ed: New Cyber Strategy must prioritize industry
The following op-ed appeared on March 9, 2022 in The Hill Times.

OTTAWA - "This has been a land, sea, air, cyber, space, and information operation," an official with the Canadian Joint Operations Command summed up on Feb. 24 as Russian troops pushed into Ukraine. "This has been an all-domain operation."

As if to drive the point home, in the hours that followed the Communications Security Establishment released what would be its third warning this year to the Canadian private sector, urging it to shore up cyber defences in anticipation that Russian hackers would turn their attention to Ukraine’s Western allies. Our banks, energy and manufacturing sectors, and other critical infrastructure could all be in the crosshairs.

It’s one thing to think conceptually about a multi-domain attack launched by a major world power, bringing to bear airstrikes, troop deployments, disinformation campaigns and a series of crippling cyber incursions. It’s quite another to witness one unfolding in real time.

In short: the future of global military conflict is upon us just as the pace of change across the larger geopolitical landscape increases — whether we’re ready for it or not.

And there have been worrying signs that Canada remains underprepared. A recent cyber-attack, attributed to none other than Russia, hobbled our foreign service’s online assets for over a month. The past year has also seen breaches involving Rideau Hall, Newfoundland and Labrador’s healthcare system and, perhaps most stunningly, the National Security and Intelligence Review Agency itself.

Still, there are reasons for optimism. Chief among them are last December’s directives to multiple cabinet ministers to develop and implement a renewed National Cyber Security Strategy. This will be the third iteration of Canada’s overarching plan to tackle cyber, and it represents an opportunity to try something new.

To its credit, the Canadian government has come a long way over the last decade using the guideposts set out in past cyber strategies which, by their very nature, were high-level policy documents filled with admirable but lofty goals. The committee of MPs and senators that oversees federal security policy recently lauded efforts to improve central coordination and break down siloes between departments. Networks are better protected, and Canada has blocked numerous sophisticated attacks or limited their worst effects.

Getting our cybersecurity house in order takes time, so it may only be now that government is prepared to engage more fully and fulsomely with industry. But engage it must.

This latest cyber strategy update, if properly drafted with language and supporting intention to work with the private sector, can send a strong signal that an era of government isolation is ending. It should also expand upon a core idea alluded to in previous versions: namely that a thriving cyber industry in this country is the linchpin of a successful strategy, not a “nice to have.”

The private sector controls most of the underlying infrastructure, systems, and talent pool linked to cyber in Canada, and Canadian firms that innovate, export, re-invest, grow, and contribute expertise will form the foundation upon which we build our cyber readiness — now and into the future.

If recent briefing notes to the Prime Minister are to be believed, the government knows this. The notes warn that the cyberthreat landscape is outpacing the public sector’s ability to adjust, and cyber "can no longer be seen as the sole responsibility of governments."

Similarly, the notion that the government’s own cyber-defences are inherently superior to — or incompatible with — those offered by private industry needs to die a quick death. Not only does this serve to erode an already fragile trust, but it’s verifiably untrue. We have only to look to our allies in the U.S. and UK, who have relied on industry to flag major hacks or sought industry help to recover from public-sector cyber breaches, for proof of the value of combining resources.

Without a strong industrial development component — underpinned by leveraging public procurement, export promotion to trusted allies, and a commitment to improved collaboration — the cyber strategy being hammered out in various ministerial offices right now will prove ineffective.

The first two months of 2022 have shown us that the world order we have taken for granted is a fragile thing, and state actors with ample resources and nothing to lose won’t hesitate to exploit our weaknesses. Let’s not make it easier for them.