Cyber security in Canada overdue for an update, experts tell Senate open caucusPublished on 20 October 2016 Publications by Senator Art Eggleton (retired)
Cyber security in Canada needs a major overhaul, one that looks at the problem beyond just the virtual scope; that was the message that panelists delivered at a public open caucus meeting hosted by Senate Liberals this past Wednesday during Cyber Security Awareness Month.
“The rate and nature of change requires an evergreen cyber strategy,” said Peter Sloly, executive director with Deloitte Canada, who works in the cyber section of the risk advisory services. “There’s no point in having one in 2010 and updating it in 2014 or having one in 2016 and then updating it four years later around an election cycle.” Sloly, a former deputy chief of the Toronto Police Service, emphasized that like policing, cyber security is more than law enforcement; it requires prevention, engagement, and the protection and promotion of rights. These same elements can, and should, apply to cyber security.
“The human element in cyber security has become increasingly important,” stated Bonnie Butlin, national coordinator and chair of the National Council at Canadian Cybersecurity Alliance. While some solutions can be found in technology itself, cultural change is also important. David Murakami Wood, Canadian research chair for the Surveillance Studies Centre at Queen’s University, concurred. Referencing a study on identity theft, he explained that “it’s not necessarily about cyber security, it’s about fraud, it’s about individuals and behaviour and many of the solutions are conventional in that sense.” He went on to state that organizations are often unwilling to acknowledge their own human vulnerabilities.
Claude A. Sarrazin, president of SIRCO, elaborated on this idea and emphasized that because of the number of variables-both virtual and physical-there can never be absolute cyber security. Using a comparison to physical infrastructure, Sarrazin stated that you could make a building perfectly secure by creating it without doors or windows, and people locked inside would be safe from crime. However, those individuals inside would be unable to have a social life, a job, or visit the hospital. The same is true for cyber security: it’s possible to create a completely secure system but you would have no keyboard, no monitor, and no connection to anything else. With 87 per cent of Canadian homes connected to the internet, we need a regulatory approach that addresses our needs while striking the right balance between security and accessibility.
Sloly proposed that one step the federal government could take is the appointment of a ‘cyber czar,’ someone at the federal level but replicated at provincial/territorial and municipal levels. Their goal would be “to coordinate and develop a level of cyber capacity and update the strategy on a continual basis.” He also envisions a kind of ‘cyber ambassador’ at the federal level, someone “working with the international trade associations, international organizations like the United Nations, [and] the Organization for Security and Co-operation in Europe” in order to deal with server farm issues, often located outside of Canada’s borders. “It is not enough to assert that Canadian law applies to Canadian information wherever it is,” Murakami Wood said. The necessarily borderless nature of online interaction adds another level of deliberation to creating an appropriate policy framework as we must consider the vast differences in legal and social landscapes on a global scale.
“There is nothing fundamental about cyber security that makes it an extraordinary threat,” Murakami Wood went on to say. But there needs to be a new approach to cyber security, one that treats the physical and virtual worlds not as binary, but addresses them together and can create an evolving regulatory framework that is shaped by our changing understanding and interactions with the cyber landscape.