Published in the Ottawa Sun, July 3, 2015
Two things can be said about Ottawa’s summer, so far. One is that it has been wet; the other is that it’s been raining cyber attacks on federal government websites.
The most recent have been nuisance attacks on the website of the Canadian Security Intelligence Service, conducted by a little-known group called Aerith. Nothing sensitive was compromised, we were told. In mid-June, the hacker group Anonymous launched a more widespread denial of service attack (get used to the acronym DOS), as a protest against the passage of the new anti-terrorism powers contained in Bill C-51. Anonymous accompanied the cyber attack with a slick propaganda video on YouTube. The attacks temporarily disrupted the websites for the Senate, CSIS, its sister spy agency, the Communications Security Establishment (or CSE) and the Justice department.
To improve the score card for cyber security, we have to recognize that part of the problem is man- or government-made.
A rain of cyber attacks, especially the relatively easy to mount denial of service attacks, may not be anything new, but the temptations of their use for purposes of political protest, which is likely on the rise, and the on-going vulnerability of federal systems, suggests that not all is well with Canada’s cyber security.
The Government’s original cyber security strategy was launched in 2010. It proclaimed three strategic pillars — securing government systems; working cooperatively with other governments at the provincial and territorial level and with the private sector, and helping individual Canadians to be secure online. Five years later it is not clear that any of these pillars are delivering on their promise.
Canada’s Sharpest International Affairs Commentary
Don’t miss future posts on the CIPS Blog. Subscribe to our email newsletter.
Part of the problem is inherent to the cyber world these days — attack has the upper hand over defence — and there is no sign that the equation is likely to change in the near future. We have to calibrate our expectation of cyber security to that reality, which means understanding that there is no such thing as 100% cyber security, getting better overall at defence, and working hard to ensure the security of the most critical information systems, both government owned and private sector owned.
To improve the score card for cyber security, we have to recognize that part of the problem is man- or government-made. It’s not the will, the talent or the resources that are lacking, but it’s the organizational set up. The 2010 Cyber Security Strategy parceled out roles and responsibilities to a wide range of government departments (14 in total), while setting up a Canadian Cyber Incident Response Centre at Public Safety, which has been mostly missing in action in terms of the recent attacks. An adjustment was made in 2011 by re-asserting a lead role for the CSE in cyber defence. But CSE didn’t want the whole, messy pie, just the responsibility for the more “sophisticated” cyber threats, including those mounted by foreign states and state sponsored entities. In itself, this is not a bad delineation, but it leads to the real question that hovers over our government-led efforts at cyber security, which is: Who is in charge?
The answer is no one, really. Having 14 departments in the mix with varying responsibilities, is in itself a recipe for weakness and failure. Having no one in charge only compounds the problem and renders all three of the original strategic pillars fatally weak, including the public education one.
- Daniel Livermore, SIRC: Good People Can’t Save a Bad Institution
- Wesley Wark, Information Gap About Zehaf-Bibeau Threatens Security
The solution? There is a big solution, and a more modest proposal.
The big solution would be to re-engineer the federal government’s org chart and create one, unified, cyber security agency, which would have to be new and stand-alone. It’s worth thinking about at least, but thinking about such things in a strategic way is not something the government is good at these days.
The more modest proposal would be to create a senior official with overall responsibility for cyber security — a cyber security czar, if you like — as a counterpart to the National Security Adviser, but with a legislative mandate and an acknowledged public role. At least there would be someone in charge.
In the meantime, keep an eye on your own cyber security. It’s a self-help world.