Cyberspace is first and foremost an information environment. It is an electronic world created by interconnected networks of information technology, the information on those networks and infrastructure that allows it to flow. Cyberspace is made of digitized data that is created, stored and shared.
Cyber attacks means unintentional or unauthorized access and misuse of electronic information and/or the infrastructure that communicates and stores this information. The severity of the cyber attack determines the appropriate level of response and/or mitigation measures: i.e., cyber security.
Canada recognized the threats posed by cyber security back in 2010. The Government of Canada officially published a Cyber Security Policy, which is reviewed and revised periodically.
In the first Cyber Security Policy published by the Canada on October 3, 2010, the government acknowledged that more and more people from Canada - from Ottawa to Ontario and from Alberta to British Columbia - were going online. Even the government of Canada heavily relied on Internet to conduct its business. The first cyber security policy was based on 3 pillars: securing Government of Canada systems; partnering to secure vital cyber systems outside the Government of Canada; and helping Canadians to be secure online. The government of Canada spent $60 million to formulate and finalize the cyber security policy. The contributing organizations were: Public Safety Canada, Communications Security Establishment, Shared Services Canada, National Defence, Treasury Board of Canada Secretariat, Canadian Security Intelligence Service, Global Affairs Canada, Justice Canada and Royal Canadian Mounted Police.
The study inferred that in 2008 itself 74% of households in Canada availed of Internet services, 59% people filed their tax returns online and 67% of people in Canada used online banking (as of 2009)
As of 2017, the penetration of Internet usage in Canada had increased dramatically, with the above figures reaching more than 905 in all cases. It was therefore necessary to review the cyber security policy of 2010.
The latest report cyber security policy published by the Canada is Sept 29, 2017. Termed as the 'Horizontal Evaluation of Canada's Cyber Security Strategy', the basic idea behind the exercise was to examine the efficacy of the existing cyber security policy and to suggest modifications or remedial actions in case of any lacunae. The key parameters used were governance, implementation performance and efficiency performance.
Here is a synopsis of the findings:
While the government structure facilitated collaboration, co-ordination and information sharing, the committee was unable to ascertain the extent to which the guidelines mentioned in the 2010 were followed due to a lack of documentation.
It was also concluded that there was no coherency in information sharing between departments / organizations and there were no clear guidelines about who shares which data with whom. Additionally, there was no efficient mechanism for sharing classified information, particularly in real time.
One more finding was that many of the organizations did not synchronize data sharing, resulting in some chaos for federal departments. On a more positive note, most of the strategy-funded activities were implemented as intended. Secondly, the cyber security policy has increased Canada's capacity to counter cyber attacks. While cyber security is still breached, the percentage of such occurrings has reduced drastically.
In a bid to improve Canada's cyber security plans, the study conducted by the participating organizations identified a number of opportunities for improvement and recommends:
1) Strengthen horizontal governance of cyber security in the Government of Canada by:
a. re-assessing the governance structure to determine the need and demand for the current committee configuration and to improve participation;
b. improving the provision of secretariat support, including coordination, information management and other administrative services;
c. ensuring that governance committees have terms of references that clearly define roles, responsibilities, and expectations from members;
d. ensuring that the oversight committees fulfill their roles and responsibilities as outlined in each oversight committee’s terms of reference; and
e. keeping meeting minutes on a consistent basis.
2) Strengthening the Cyber Security related information–sharing practices by developing policies, procedures and tools to ensure timely and systematic exchange of information among partners and stakeholders.
3) Strengthen the Strategy’s performance measurement and data collection practices by:
a. collecting relevant, reliable and outcome oriented performance information, including information on program expenditures, on a regular and consistent basis;
b. providing performance and expenditure information collected to the appropriate oversight committees on a regular basis to support effective monitoring and accountability.
More Cyber Security Changes to come....
In a recent conference held in Toronto, Colleen Merchant, director general of national cyber security said the fundamental goal of Canada's plan for cyber security was to maximize the benefits of digital life for Canadian citizens and businesses.
It is believed that the new approach will be guided by five principles:
- Protect the safety and security of Canadians online and Canada’s critical infrastructure;
- Promote and protect rights and freedoms online;
- Recognize and encourage the importance of cyber security for business, economic growth and prosperity;
- Adapt and respond to emerging technologies and changing conditions;
- Collaborate and co-ordinate across jurisdictions and sectors to collectively increase Canada’s cyber security.
Canada has taken cyber security of the government and its citizens seriously. It has roped in various reputed organizations from Canada to formulate, review and revise the cyber security policy. The first policy was published in 2010, the last in 2017. Apart from these organizations, the government of Canada also endevours to strengthen Canada’s cyber security by other means as and when needed. Apart from the government’s efforts, private cyber security companies from Canada too do their bit to protect the cyber security.