In late August, the Canadian Centre for Cyber-Security (CCCS: a federal entity within Public Safety Canada) sounded the alarm. Their assessment found that more than 70,000 instances of fraud in 2022 accounted for at least $530 million in stolen assets, surely an understated figure given that an estimated ten percent of victims report such crimes. In briefing the media, government officials warned that criminal hackers are especially targeting education, energy, utility, and health-care facilities. With regard to hospitals, notably, fallout from cyber-attacks has meant otherwise avoidable death.
With deepening alliances between organized criminals and hostile states (Russia and Iran both specified), CCCS warned that such nebulous formations will ‘very likely pose a threat to Canada’s national security and economic prosperity over the next two years.’ One can certainly add democratic stability, strangely omitted, to the list of concerns, especially given a pending public inquiry on foreign interference that will feature significant digital elements.
For government, the dauntingly unprecedented and two-fold cyber challenge is to orchestrate collective digital readiness for the country as a whole, in concert with a variety of stakeholders, while also ensuring the stability and resilience of public sector operations. In the latter realm, the Government of Canada alone estimates that its networks face more than three billion hostile actions daily. While most are harmless automations, just one breach can mean cascading data, financial, and human risks.
Even as the formation and efforts of federal entities such as CCCS are a step in the right direction, by its own admission the Government of Canada is not keeping up, either internally or across the extended public sector. With more limited media coverage and a general reluctance to admit exposure, less is known about digital readiness and cyber-security within provincial, territorial, and municipal governments, as well as First Nations authorities.
A 2023 snapshot of select Nova Scotia examples is ominously suggestive: a major cyber-breach of Provincial systems affecting thousands of public servants and citizens alike; a similar though proportionally smaller incident within the County of Kings resulting in the theft of ‘sensitive’ personal information of employees and Councillors; and a critical report from the Halifax Auditor General on growing municipal vulnerabilities and the disconcerting ambivalence of the City’s elected officials.
Such incidents and findings are increasingly commonplace across the country – and if the CCCS assessment is correct, they are sure to become more so. To effectively meet the intensifying cyber-security imperative, then, two broad and inter-related governance dimensions of public sector readiness and response must be addressed.
Mindset & Political Leadership:
As highlighted by the Halifax Auditor General, cyber-security is underappreciated by a political class largely unaware or uninterested. At the federal level, even as the CCCS report underscores the need for wider national actions, the absence of a senior political or professional Office fixated on cyber-security is a stark and worrisome contrast to Canada’s closest allies, notably the US and Australia.
South of the border, President Biden issued an Executive Order on cyber-security in May 2021 which states: ‘The Federal Government must bring to bear the full scope of its authority and resources to protect and secure its computer systems.’ As the Order further observes: ‘In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and the consequences we will incur if that trust is misplaced.’
As a result, Congress formalized the Office of the National Cyber Director to advise the President and oversee the creation and implementation of the National Cyber Security Strategy released this year. This elevation of cyber-security has also galvanized more systemic openness through an expansion and strengthening of open-source principles, new workforce and skills initiatives, and heightened collaboration with industry.
In Australia, there is a federal Cabinet Minister directly responsible for cyber-security (and the crafting of a new ten-year plan). In June of this year, the Australian Prime Minister appointed the inaugural National Cyber Security Coordinator. This Australian model is particularly important in seeking to better align federalism and ‘national’ leadership. To this end, there are published Cyber Incident Management Arrangements which outline ‘the inter-jurisdictional coordination arrangements, roles and responsibilities, and principles for Australian governments’ cooperation in response to national cyber incidents.’ The Office for Cyber-security has also established regional centres to deepen collaboration with state and local governments.
To quote from the Australian Minister, the country’s ‘approach to cyber security recognizes that everyone has a role to play when it comes to securing our digital future – from all levels of governments, businesses, and everyday Australians.’ More importantly, such rhetoric is underpinning concrete action.
A strong domestic mindset also enables international cooperation. The so-called ‘Quad Leaders’ Summit’ of May 2023 (bringing together leaders of the US, Australia, India, and Japan) focused directly on shared challenges and priorities: a set of Joint Principles for Cyber-Security and Critical Infrastructure was adopted, along with new research and policy partnerships amongst the four countries to enhance readiness and shared response capabilities.
Mechanisms: Collaboration, Skills & Shared Learning
The Government of Canada has not been without action, a point underscored by the creation and contributions of CCCS. As the first ever National Cyber Security Strategy from 2018 observes: ‘The federal government, in close collaboration with provinces, territories, and the private sector, will take a leadership role to advance cyber security in Canada and will, in coordination with allies, work to shape the international cyber security environment in Canada’s favour.’
Yet the absence of an explicit leadership architecture devoted to cyber-security is a major constraint. The Government of Canada seemingly, if indirectly, concurs. Last year, its own internal review of the (now very much dated) 2018 Strategy found significant shortcomings. The evaluation notes that various federal actors with cyber-security responsibilities remain disjointed, while externally the forging of collaborative governance mechanisms has been underwhelming.
The Government’s review rightly concludes that ‘a strong and secure digital environment will depend on enhanced collaboration across federal organizations, as well as with a broad range of stakeholders nationally and internationally… A whole-of-society approach to cyber security must include all implicated federal organizations and a number of different components of national organisation.’
And so the review laudably reflects the Australian Ministerial sentiment above, but without meaningful leadership and governance. The emergence of a new Minister for Citizens’ Services suggests a sharpened emphasis on digitization, but there is little mention of cyber-security within the mandate, at least initially. Meanwhile, the newly appointed Minister of Public Safety continues to grapple with a myriad of pressing priorities – likely to extend the cyber drift and diffusion exposed by the Government’s own review.
Upon formalizing and resourcing leadership, the Government of Canada must also double down on workforce development in the cyber-realm. Senior leaders of Canada’s security agencies, along with former Minister Mendicino, deserve credit for drawing more attention to the urgency of this issue. The federal CIO Branch has also established a new office devoted to Digital Talent and Leadership.
More must be done, particularly with a security-minded focus. In the UK, a Cyber Security Council (multi-sector in formation and funding) is centred on a three-fold mission: i) ‘to enhance and expand the nation’s cyber skills, knowledge and profession at every level; ii) to be the self-regulatory body for, and voice of, the cyber security profession; and iii) to develop, promote and provide stewardship of the highest possible standards of expertise, excellence, professional conduct and practice in the profession, for the benefit of the public.’
In addition to nurturing a cyber-security profession nationally (an especially urgent notion for a country with A.I. aspirations), a Canadian equivalent could begin to address the dearth of skills across subnational government levels, thereby laying some of the groundwork needed for more collaborative defences and shared solutions.
Finally, political literacy across all branches and levels of government must be strengthened. Even as the work of relatively new oversight bodies (including a Parliamentary Committee devoted to national security) matters greatly, their focus is mainly on past and existing operations with limited anticipatory capacities – especially in the digital realm. Beyond the federal purview, moreover, and in keeping with the federal government’s own stated aims, a new and overtly political equivalent of the Joint Councils can begin to enjoin elected officials and the public in an open dialogue, and collectively forge the makings of a holistic cyber-security framework for the entire public sector.
In sum, only through a combination of formalized and resourced leadership, agile and outward governance mechanisms, and wider political and societal engagement, can a much higher level of cyber readiness and resilience be achieved. As CCCS has demonstrated, bolder actions and reforms are urgently required.