Canadian Government Executive - Volume 26 - Issue 05
10 / Canadian Government Executive // September/October 2020
Cybersecurity

in productivity accessible through public, private or hybrid clouds. Utilizing zero trust will become more commonplace, not only within the private sector and corporate environments, but also within the public sector. However, zero trust would not have completely mitigated the SolarWinds scenario, because the hacker group APT29, also known as Cozy Bear, inserted source code into the company’s software build process, which was then used to distribute malware to countless agencies.

For Canadian institutions, the discussion around detection and response also raises important considerations surrounding recovery approaches. As with any data breach, government organizations need to put in place a proper after attack review (AAR) to determine the key takeaways and lessons learned, and to develop the necessary mechanisms to ensure a repeat scenario does not take place.

The SolarWinds attack focused on the supply chain. Given these circumstances, government entities need to ensure they have protection measures in place to monitor and detect potential threats, not just internally, but also in their interactions with third-party vendors and partners. This involves limiting vulnerabilities within each link of the supply chain. With SolarWinds, hackers did not directly attack the network itself to gain access, but rather the products running on company information infrastructures.

As the year progresses, government bodies at various levels will likely need to ramp up their usage of enterprise Identity and Access Management (IAM) platforms to build zero trust capabilities. However, these solutions must be able to encompass the interactions and connections with partners and contractors to protect against attacks at every level within the government ecosystem.
As a long-term strategy, government bodies and agencies will need to establish and maintain secure and strong links within their supply chain management solutions. This could take many forms, including requiring external, third-party vendors to validate or authenticate through code signing all actively running software on government networks.

Government work is evolving in scale and sophistication

The future of government work, which depends on technology to drive its continued value, also speaks to the complex ecosystem that government bodies are now part of. Government work is no longer carried out solely in a cubicle, with colleagues interacting with one another. Completing projects and daily tasks involves working collectively with outside actors: work is now approached and completed through collaboration with outside partners, vendors, and third-party governments. Because government now works within a much more complex ecosystem than in the past, the technology that enables government work needs to be secured, since there is an inherent risk of exposure of public, private, and national security data.

In my recent podcast interview with the City of Toronto’s Chief Technology Officer, Lawrence Eta, he emphasized the importance of closing the digital divide through a digital canopy with a robust city-wide digital infrastructure to support it. This infrastructure would ensure that all new services and devices were stable and scalable, and would encourage collaborative workflows to avoid siloed work.
The onset of digital resources and transmission of sensitive information in the online and cloud domains at the municipal level showcases how facilitating these digital interactions is key to meeting the needs of the city-level population, but also demonstrates another area of consideration for developing appropriate responses to potential risks and data breaches that directly affect the vital services delivered to city constituents.

Omnichannel approach to enable an enriching public sector data privacy landscape

Developing a multi-layered approach to security threats at all levels of government involves three key elements:
• A well-designed legislative and policy response that can be changed and revised as new threat actors arise.
• Ensuring that government agencies and bodies hire qualified and experienced talent that can help prevent and respond to security threats.
• Reinforcing the importance of maintaining proper digital etiquette and providing the knowledge to help government workers spot threats and escalate accordingly.