The hack of the Canadian-based dating website Ashley Madison made waves in the cybersecurity community last year. The company put its users’ personal data at risk, and as a result it now faces lawsuits worth CAD$750 million due to negligence and breach of privacy. A decade ago this kind of incident would have been unthinkable in Canada. Indeed, only in the last six years has Canada made strides toward establishing a national legal and regulatory framework for cybersecurity.
Yet, despite these efforts by the Canadian government, the cybersecurity infrastructure in the nation’s private sector is largely lacking. For example, a 2015 study by Deloitte found that Canadian businesses scored 2.2 on a 5-point scale for the effectiveness of their cybersecurity protocols. Worse, only half of the surveyed organizations had resiliency and recovery processes for properly responding to a cyberattack. In a 2014 study, the International Cyber Security Protection Alliance found that Canadian businesses affected by a cyberattack involved the police or governmental agencies only 11 percent of the time. Why were they not consulted? As it turns out, 33 percent of businesses were dissatisfied after engaging with them in response to a cybersecurity issue. Moreover, only 12 percent of Canadian businesses are aware that the police and the government offer these services and resources.
It appears the Canadian government is struggling to bridge the gap to reach the private sector. That being said, the implementation of its cybersecurity initiatives is still in the early stages of development. What, then, is the Canadian government doing to create a safe cybersecurity environment within its borders, and how is it responding to the needs of its citizens and businesses?
Canadian Cyber Security Strategy
Canada’s first serious attempt to tackle national cybersecurity came in 2010. The official Canadian Cyber Security Strategy (CCSS) laid the groundwork for establishing a safe cyber environment for the nation and its businesses. Although the CCSS doesn’t provide specific policy, it does propose three key avenues to secure Canadian cyberspace. First and foremost, the federal government must secure its own systems. Second, the federal government must partner with provincial and territorial governments to secure their systems. This partnership is then extended to the private sector to enable reporting of cyberattacks to the government. Finally, the government must help its everyday citizens practice good cyber hygiene.
Since the CCSS’s introduction, the Canadian government has been trying to pass legislation to iron out the details of the plan. For example, until recently, Canada was the only nation in the Group of 8 without an anti-spam law. This changed in December 2010 when Parliament passed Bill C-28, which provides regulatory guidelines on spam email messages and grants civil action rights to businesses and individuals. Still, despite these initial efforts, only 7 percent of Canadian businesses are familiar with the CCSS. So the Canadian government still has ground to make up in spreading awareness within the private sector.
Cyber Incident Management Framework
Let’s imagine a plausible scenario: A group of hackers attacks Canada’s critical electrical grid control systems with a particularly nasty type of ransomware. The grid effectively is crippled, bringing the country to a standstill. Who responds to such an incident? More importantly, how do they respond, and to whom do they turn for help? The Canadian Cyber Security Strategy doesn’t provide guidance for such an emergency—or any emergency, for that matter. The Canadian government acted to resolve this problem by establishing the Cyber Incident Management Framework (CIMF) in 2013.
In the broadest sense, Canada handles significant emergencies, such as natural disasters, at the national level under the Emergency Management Act. Until 2013 there were no meaningful guidelines to handle substantial cyberattacks, such as the one in our imagined scenario. For all intents and purposes, the CIMF is an enhancement of the broader Emergency Management Act. The CIMF is meant to provide nonfederal governments and the private sector with the means to report and to respond to cybersecurity incidents.
However, compliance with and participation in the CIMF are completely voluntary, which limits its success and application. From the Canadian government’s standpoint, the role of establishing good cybersecurity practices belongs to local governments and the private sector. That is, national cybersecurity is built largely on the expectation that individuals—persons and businesses—will observe proper cyber hygiene. The CIMF exists only to facilitate assistance in the event of a cyber incident, and even then, its success depends wholly upon the cybersecurity efforts of nonfederal governments and businesses.
Supposing someone does need to report a cyber incident, they may either go to local law enforcement, or they may turn to the national Canadian Cyber Incident Response Centre (CCIRC). The CCIRC is responsible for implementing the CIMF and assisting in preparedness for and response to cyber incidents. So, if a business in Alberta is hit by a denial-of-service attack, then it may conduct internal assessments with the option to seek assistance from the government via the CCIRC. A major downside is that reporting to the CCIRC is not mandatory because compliance with the CIMF is completely voluntary. This means that companies may prefer to conceal the fact that they have experienced a cyber incident, especially if they may face costly lawsuits and a damaged reputation. This, in turn, can hurt consumers and reduce public trust in the private sector.
Digital Privacy Act of 2015
In 2014, a total of 57 reported incidents resulted in 276,789 stolen records from governmental organizations, banks, and hospitals. This was a massive breach of security and individuals’ personal information. The worst part is that most of the affected organizations were not required to publicly report the full extent of the breaches! The Canadian government has since acted to amend its existing privacy law (known as PIPEDA) to correct this issue.
Ultimately, the Canadian government is interested in protecting the public. The Canadian Cyber Security Strategy is great in theory, but it offers no practical policies. The CIMF is a good resource for businesses and nonfederal governments, but it is completely voluntary. Businesses and governments interact with public consumers, but until now it hasn’t been wholly clear where consumers fit into the Canadian system. What is being done to protect everyday people?
The Digital Privacy Act of 2015 amends existing law to make reporting data breaches mandatory. Any federally regulated organization—banks, telecommunications, transportation, energy, and so on—must protect personal information and disclose when an incident may result in “real significant harm” to affected individuals. For better or worse, the affected organizations are responsible for determining what constitutes “real significant harm.” There is also no established timeline for reporting breaches. That being said, if an organization knowingly fails to notify affected individuals and the Office of the Privacy Commissioner, then the organization faces fines up to CAD$100,000. The new amendment is a promising start, but it’s not perfect. This year Parliament has been considering formalizing the rules set by existing laws. If more formal regulations can be provided, then Canada will be that much closer to creating a secure cyber environment.
Each year Canada experiences an increasing number of cyberattacks. But only recently has Canada seriously questioned its national cybersecurity framework. In the last three years the nation has made considerable strides toward establishing robust national cybersecurity; however, that progress has tended to be reactive, as with the Digital Privacy Act. If Canada truly wishes to strengthen its national cybersecurity, its government and private sector together will need to take a proactive approach.