

Canadian Government Executive // September 2016
Strategy
Patrice Dutil
Mobilizing Analytics and Intelligence: The Canadian Cyber Incident Response Centre’s Strategy
Cyber-attacks threaten Canadian individuals and companies every minute of every hour. They are growing more frequent and more complex, and can cause a lot of damage. For businesses with web dependencies and for Canada’s critical infrastructure (the systems, facilities, technologies, networks, assets and services that are essential to the health, safety, security or economic well-being of Canadians and Canada), the threat is exponentially greater. It is estimated that cybercrime cost businesses around the world over $400 billion last year.
The Government of Canada, like those of many countries, is taking these threats very seriously and has created Public Safety Canada’s Canadian Cyber Incident Response Centre (CCIRC) to help secure the country in this digital age. With its 24/7 vigil, CCIRC is part of Canada’s first line of defence. It is also a hub of expertise for cyber security. It works in partnership with critical infrastructure organizations to protect vital cyber systems by identifying cyber risks and addressing threats quickly and efficiently, minimizing their impact.
CCIRC was originally created in 2005 to monitor federal government systems, provide advice on mitigating cyber threats to critical infrastructure, and coordinate the national response to cyber security incidents. Prior to 2010, CCIRC had fewer than ten employees to respond to incidents and publish technical reports. In 2011, CCIRC’s mandate was refocused to provide national-level cyber security coordination for systems outside of the federal government, especially Canadian critical infrastructure organizations.
In fact, CCIRC no longer monitors federal systems. This task was transferred to the Communications Security Establishment’s Cyber Threat Evaluation Centre (CTEC), a cyber defence analysis unit responsible for the detection, analysis, and assessment of cyber threat activity on nationally important networks. The CTEC uses leading-edge capabilities and expertise to examine constantly growing and evolving cyber threats targeting federal government networks. Its analysis and reporting on cyber threats enable government agencies to better defend their networks. CTEC works in close collaboration with other Canadian cyber coordination centres, including the Shared Services Canada Security Operations Centre and CCIRC. In 2013, CCIRC was formally established as the national point of contact between non-federal entities and the federal government.
Today, CCIRC is staffed by a multidisciplinary team that includes cyber analysts, engineers, data specialists and engagement officers. It provides expertise to various organizations from the financial, health, energy, and utilities sectors as well as information and communications technology industries. In 2015, CCIRC provided 13.66 million notifications to victims of cyber incidents, and directly handled 1,762 incidents with critical infrastructure organizations (that is one every five hours, on average).
CCIRC closely monitors a range of information feeds, news and reports on national and global cyber security trends, as well as over 300,000 malware samples per day, looking for trends and data that will enrich its databases. To keep up, CCIRC should see its staff double in size this fiscal year, reaching nearly 80 FTEs.
CCIRC is a data-driven organization. It capitalizes on what it collects to develop and deliver various products (reports, alerts, advisories, etc.) that are shared with partners. These products also provide technical advice to help organizations respond to and recover from targeted attacks. The information is also used to develop applications and systems to help CCIRC in the analysis of millions of cyber threats, leveraging emerging technologies to improve its own productivity. All of these products and tools then serve as reference tools and guides when addressing new cyber threats, starting the cycle again.
CCIRC gets its data from various sources,
including its partners, international cyber