Canada’s National Cyber Security Strategy: Takeaways for the Private Sector
A Renewed Approach
The federal government recently released its 2018 National Cyber Security Strategy (“the Strategy”). The Strategy builds on Canada’s earlier approach set out in 2010, and recognises cyber security as both a necessity and an opportunity for competitive advantage in Canada.
The Strategy functions as a broad mainstay to the Government’s ongoing cyber security efforts, and is meant to be supplemented with more tailored action plans on specific interventions. It is informed by public consultations that asked key stakeholders how a new approach could best support their security needs, while also allowing them to benefit from the opportunities of the digital economy.
Central to the Strategy is a focus on federal leadership and collaboration with the private sector and provincial and territorial governments, and the renewed approach is paired with significant cyber security investments in Budget 2018.
In this post, we provide a snapshot of the Government’s plan as it relates to the private sector, across each of the Strategy’s three key themes: security and resilience, cyber innovation, and leadership and collaboration.
Security and Resilience
The Strategy warns that cyber threats are growing increasingly complex and sophisticated, posing ever-evolving risks to businesses and organizations. These threats range from phishing emails and data breaches for financial gain, to cause-driven breaches seeking to expose wrongdoing or provoke embarrassment, to state-sponsored cyber theft of intellectual property or confidential business strategies.
In light of these threats, the Strategy seeks to make cyber security more accessible – particularly for small and medium organisations. The Government will help support cyber security regimes for enterprises lacking the resources to do so, which in turn is intended to offer these businesses competitive advantage.
For cyber systems of high public importance like electricity grids, communications networks, and financial institutions, the Government seeks to collaborate with the private sector to help set requirements to protect this digital infrastructure.
Security efforts will be further bolstered by the establishment of a new National Cybercrime Coordination Unit, which aims to coordinate the RCMP’s efforts to investigate cybercrime domestically and internationally.
The Strategy is clear that cyber security is not only vital to protecting digital innovation in Canada, but has itself become a source of innovation. As such, continued focus will be placed on business development in this area, including government collaboration to help scale-up innovative companies. Cyber security is noted to currently contribute $1.7 billion to Canada’s GDP, and the global cyber security industry is forecasted at 66% growth by 2021.
As businesses rely increasingly on digital systems, the need to secure these systems is paramount. This is equally true for small or medium enterprises as it is for larger ones, yet lack of expertise or resources can set additional hurdles for smaller enterprises in particular. The Strategy aims to bring balance in this regard by providing advice, guidance, and access to information and tools to help secure the digital systems of smaller organisations.
Advances in quantum technology are also identified as central to innovation. The Strategy sees quantum technology as bringing new ways to secure information, but also having the potential to threaten existing encryption methods used across Canada and the world. Canada is noted to be a leader in quantum computing – a field that the Strategy seeks to continue supporting, alongside STEM and related disciplines – through long-term investments in education and training.
To stimulate investment and foster research and development in cyber security, the Strategy seeks to collaborate with partners in existing areas of Canadian excellence including quantum, blockchain, and artificial intelligence. Working together with the private sector is noted to be necessary at this stage, particularly in addressing the cyber skills gap and supporting a cyber security workforce for the future.
Leadership and Collaboration
The Strategy aims to raise baseline cyber security in Canada – and ultimately achieve global excellence in this area – through collaboration. Private sector leaders are identified as having a central role to play in helping ensure that Canadian businesses and individuals are equipped to prevent and respond to cyber threats.
Collaboration is identified as particularly important in the context of securing blockchain technologies. The Strategy recognizes blockchain as an efficient and risk-reducing technology with a wide range of potential benefits, including secure service delivery, payment processing, and creating records of agreements or legal documents. A collective effort that involves the private sector is said to be important for the smart and safe use of blockchain.
Part of the renewed focus on federal leadership in the Strategy includes establishing a clear focal point for cyber security within the federal government in the form of a new Canadian Centre for Cyber Security. This Centre is intended to bring a streamlined system of support for partners from the private sectors and provincial and territorial governments. It will provide cyber security advice, guidance, and incident response, to facilitate a unified national approach.
Federal leadership also includes investing in cyber security – as seen, for example, through the Government’s Smart Cities initiative in Budget 2017 – and encouraging private sector actors to do the same. Organisations in the private sector are also encouraged to work with the Government to leverage their cutting-edge cyber security capabilities for the benefit of sectors across Canada’s economy.
Finally, the Strategy provides that the Government – in collaboration with the provinces, territories, and the private sector – will develop a national response plan for cyber incidents to ensure coordinated and effective action into the future.
The Strategy moves Canada forward in the area of cybersecurity, an area that Public Safety Canada in its September 2017 Report, “Horizontal Evaluation of Canada’s Cybersecurity Strategy”, noted as being “extremely fragmented”. The Strategy’s goal of coordination and integration of cybersecurity responsibilities and response is a much needed first step in addressing the fragmentation.
Businesses will play a significant role in the implementation of the Strategy, as it promises extensive collaboration and consultation with the private sector in achieving the Strategy’s goals. The level of consultation promised is more significant than has been seen in some other jurisdictions, and where a limited enthusiasm of the private sector to “buy in” to cybersecurity efforts can mean reduced overall effectiveness.
There is little that is concrete in the Strategy; it is meant to be supplemented with more tailored action plans on specific interventions. These will detail the specific initiatives that the Government will undertake over time, with performance metrics and a commitment to report on results achieved. They will also outline the Government's plan for working with internal and external partners to achieve the vision set out in the Strategy. No timeline is provided for such action plans.