Canada's National Cyber Security Strategy: A "D" For Effort
Canada's new National Cyber Security Strategy has no Strategy
As I have been busy writing my next post on the Canadian Armed Forces’ Pan-Domain Command and Control Concept Paper, Public Safety Canada finally released the new National Cyber Security Strategy: Securing Canada’s Digital Future. It’s almost as if they read my last post about how we’ve been waiting for a new strategy for years now and rushed to release it, and it honestly feels like it because this document is an absolute mess and feels incomplete.
Before you get your hopes up, this is not a strategy. At best, it is a report card about what the Government of Canada is already doing. Conveniently, it does not include the many failures of the Government to work on cyber security, including CyberSecure Canada and Bill C-26.
However, this is not to say it is all bad. There is some hope and good that is coming out of this, but it remains startling just how much this is not a strategy and Canada is worse off as a result.
Breaking Down Canada’s National Cyber Security Strategy
Introduction and Challenges
The strategy opens by setting out the state of what Canada is facing. This is nothing new if you follow the state of cyber security. Ransomware is on the rise and continues to put pressure on the Government to act, while SMEs are amongst the hardest hit. Canada’s position as a NATO member and support for Ukraine have made Canada a favored target of Russian state hackers. In addition to being targeted by state hackers, Canada is being targeted by patriotic Russian hackers, which is a common occurrence during geopolitical events. Canada was similarly targeted by patriotic Indian hackers following the start of its dispute regarding the Government of India conducting targeted assassinations of civilians in Canada and other Western democracies.
The long story short is that cyberspace is growing more dangerous, Canada is one of the top targets and Canada’s SMEs are amongst the hardest hit and most vulnerable. Canada has had multiple efforts over the past few years, with CyberSecure Canada being the biggest failure.
A New Approach to National Cyber Security
To usher in Canada’s new approach to national cyber security, it’s being guided by:
Whole-of-society engagement
I have zero issues with this. Cyber security must be a whole of society engagement, which means that the Government of Canada must work with everyone from businesses (SMEs and large corporations), all communities across Canada, and leverage national security institutions. Everyone plays a part in cyber security and cyber defence, some more than others. We all must practice cyber hygiene in the same way we expect people to learn to properly use heavy equipment including cars.
Agile Leadership
Reading that Canada wants to adopt agile leadership for national cyber security gave me a sensible chuckle, as the Government’s approach to leading and managing cyber security is anything but agile. Broadly speaking, cyber security policy in the government is managed and coordinated by committees. There is the Deputy Minister Cyber Security Committee, which has a mandate to “develop and lead Canada’s cyber security policies and operations in support of the government’s economic and social priorities.” There is also an Assistant Deputy Ministers’ Cyber Security Committee, which directly supports the Deputy Ministers’ committee. While both have similar mandates, they each have nuances in their purpose:
DM Cyber Security Committee:
“identify policy, legislative and program opportunities to ensure that Canada's 21st-century digital economy is secure by design, and that Canada is recognized internationally for leadership on cyber security issues.”
Oversee the evolution and progress of the implementation of Canada's National Cyber Security Strategy
ADM Cyber Security Committee:
1. guide policy direction and operations for issues related to cyber security;
2. develop cyber security-related priorities for member departments and agencies;
3. monitor progress on the implementation of Canada's National Cyber Security Strategy;
4. consider emerging cyber issues and threats;
5. review and prepare items for DM Cyber Security
Each of these Deputy Ministers and ADMs also has other responsibilities tied to the Ministry or organization they represent. This is not agile leadership. The Government is attempting to use agile procurement language and methods to say that more targeted plans and strategy will occur. However, at this stage I cannot believe that this will occur based on how leadership of cyber security currently functions and engages with the public, experts, and communities regarding cyber security. This will require direction and intervention by cabinet to completely remake how the Government of Canada manages cyber security. More than ever, I am increasingly thinking there may be a need for a Minister for Cyber Security.
Three Pillars of the National Cyber Security Strategy
I have little to say about these pillars. By themselves they are very strong and I think these are the pillars that the Government of Canada should be focusing on for a cyber security strategy.
Pillar 1: With ransomware so prevalent, businesses, especially SMEs, are some of the hardest hit. One ransomware attack can mean the death of a business. More must be done to engage with Canadians and businesses to improve cyber security.
Pillar 2: Canada has really struggled to position itself as a leader in cyber security. It comes with the territory of not being taken seriously in defence broadly. However, Canada’s cyber security industry is top notch and competes globally. This has been accomplished largely due to industry, and the Government’s impact with supportive programs and investments can be debated. While they have certainly helped, the programs that the government has listed have contributed to Canada’s cyber security industry but have not been at all responsible for making the industry a world leader.
Pillar 3: This is my bread and butter and what I normally write all about. Canada does and needs to continue building its capacities to disrupt cyber threat actors. A common term used is “impose cost,” referring to the need for cost impositions on threat actors to increase the risks for threat actors to conduct their activities against Canada and our allies.
The Empty Space
While it is not uncommon to have pages left intentionally blank like this, especially when these are meant to be printed out and look nice, this strategy feels like it has a lot more empty space than usual.
A Big Win
One of the biggest and maybe most important things announced in the strategy is the creation of the Canadian Cyber Defence Collective (CCDC). The CCDC is something that has been stressed as needed for a while now. The United States has created something similar that has had considerable success in recent years.
Communication and engagement between the government and private sector, including academia, is terrible. CCDC should hopefully be a massive step forward to better engaging the government with industry and experts.
Nothing New
Here begins a lot of what the Government of Canada has already done and is working on. This is not to say that this is anything bad, but it’s hard to view this as a strategy when it is simply listing what the Government of Canada is already doing with no indication that it’s being improved or changed. Which begs the question, what’s the point?
Taking Credit for Canadian Cyber Industry Leadership
This next section is all about making Canada’s cyber security industry a world leader, but is also filled with nothing new. This is not to say any of what the government has listed is bad by any means, but these programs are not making the impact the Government thinks they are, and the Government risks alienating itself from industry if it starts to act like it had a large hand in building up the cyber security industry.
Do they understand what they are writing?
The next section is all about making Canada a trusted innovator that prioritizes cyber security, but this is the opposite of what the Government of Canada has traditionally done, and how they talk about doing this does not provide any assurances.
This screenshot is a perfect example. They cite the “Canadian Cyber Security Certification program.” Except, there is no such thing as the Canadian Cyber Security Certification program. What they mean to refer to is the Canadian Program for Cyber Security Certification (CPCSC). This is not a major mistake; as someone with ADHD, I make such mistakes all the time. But I am not publishing government documents that are meant to project a strategy of the entire federal government to improve cyber security.
What’s not mentioned is that there was supposed to be a soft launch of the CPCSC last month, but I have now heard it’s been delayed to February. Industry is really in the dark about what is going on with it and concerns are growing that it may not actually come to fruition. There are already concerns that the Government of Canada really isn’t equipped to handle standards and accreditation systems after they fumbled CyberSecure Canada.
What this and subsequent sections show is that this strategy is not even up to date about what is happening in cyber security in Canada.
Detect and Disrupt Cyber Threat Actors vs Identify, Deter, and Defend
This section of the strategy is dedicated to lots of buzzwords from the cyber defence space. To really highlight how out of date this document is: while it does discuss that the Communications Security Establishment and Canadian Armed Forces (CAF) work together to defend Canada against cyber threats, there is not one mention of CAFCYBERCOM. CAFCYBERCOM is a major development and is a significant benefit to the CAF’s force posture and ability to protect the CAF and Canada in cyberspace. Yet, it is not mentioned as part of the strategy to detect and disrupt cyber threats?
A lot of old, but some new
Despite a lot of simply reporting what the Government is already doing, there are a couple of new things (at least for me). The first is that the CRTC is working on regulations to block botnets by internet service providers in Canada, which would be great to see and a major contribution to cyber security.
In addition, it appears that the Government of Canada is looking at cyber insurance policies as a way to make ransomware less profitable. There are only a few ways I can imagine addressing cyber insurance policies to make ransomware less profitable. This, paired with discouraging people from paying, makes me think they are looking into banning cyber insurance payments for ransomware or capping how much can be paid.
Beyond this, their statements that the Government of Canada is conducting operations against ransomware groups are nothing new, but this is probably the most definitive statement about it yet.
This critical infrastructure section is missing something…
The final section before the conclusion is all about critical systems, which is quite sparse. Once again all it does is read what the government is already doing with vague promises to continue to do more.
It’s quite clear they were waiting on Bill C-26 at the very least to fill out this section, but the prorogation of Parliament means that’s gone and the Government of Canada does not have the tools that it needs to properly regulate and manage critical infrastructure.
What does this all mean?
This strategy is not a strategy at all. Researchers commonly joke about the reality that the Government of Canada does not produce strategy documents and the new Canada National Cyber Security Strategy is one of the best examples of a non-strategy. At best, it can be described as a report card, but it’s a convenient report card that does not list all the failures in cyber security by the government. It does not mention the abandoning of CyberSecure Canada, the Canada Digital Adoption Program, and more. Even some successes, like CAF Cyber Command, are not mentioned.
Even with all the good mentioned, it’s all surface level information that simply lists what the Government of Canada has done and potentially wants to do. There is no strategy and no plan.
If this is a report card, at best, the Government of Canada gets a D. The only reason it does not get an F is because the Canadian Cyber Defence Collective is a legitimate good thing that I hope the Government of Canada succeeds in creating.
I very much get the impression that this was released because Trudeau will soon be replaced and we are likely to head to a general election. However, if that is the case, and this is what was produced after over 3 years, I am taken aback that this would be produced and published as a National Cyber Security Strategy. It is easy to see just how little care went into this strategy by comparing it with the strategy in 2018.
We are unlikely to see a new strategy for another year at the earliest assuming that Canada is headed to a federal election. At this point, we can only hope that the Government follows through on its plan for agile leadership and reforms how it manages cyber security.
The Good, Bad, Ugly:
Good
Canadian Cyber Defence Collective (CCDC)
The CCDC is planned as a national multi-stakeholder engagement body “to advance Canada’s cyber resilience through direct public-private partnerships at the national-level cyber security challenges, policy priorities, and defence efforts.”
This is something that’s been wanted and requested for years now and something that the United States has had a lot of success with in their own efforts.
The Strategy’s Pillars are sound
Pillar 1: Work with partners to protect Canadians and Canadian businesses from Cyber Threats:
Canadian businesses, especially SMEs, are the hardest hit, so there is a need to support the private sector after the Government of Canada has failed multiple times to improve broader cyber security conditions.
Pillar 2: Make Canada a Global Cyber Security Industry Leader
Canada has failed in developing leadership in cyber security policy, so it makes a lot more sense to help Canada’s cyber security industry become industry leaders. This is already slowly occurring as Canada has a very strong and active cyber security and information security community.
Pillar 3: Detect and Disrupt Cyber Threat Actors
This is a basic activity of the government and encompasses a range of activities conducted by the Royal Canadian Mounted Police, Communications Security Establishment, and Canadian Armed Forces and others.
A common concept in cyber defence is that of cost imposition, usually referred to simply as “impose cost.” This refers to the belief that the only way to stop cyber criminals and cyber threat actors
Bad
This is not a strategy; it is best described as a report card on the activities the Government of Canada has done or is already planning to do.
There is very little new in this strategy, which again raises the question of why this is called a strategy.
Ugly
There is no funding attached to this strategy so far. This really isn’t saying much since the strategy is barely trying to do anything.
For the things that are new or that have the Government of Canada trying to do something, there are little to no details about implementation.