CIFFA’s Input Towards Canada’s National Cyber Security Strategy
The Government of Canada launched the National Cyber Security Strategy Consultation this summer, requesting feedback to the changing digital landscape and the exposure to cyber threats and cybercrime.
An eight-week public consultation ran until August 19, 2022, with contribution from a broad range of Canadians.
Canada’s National Cyber Security Strategy was initially launched in 2018. Since that time new technologies and international events have impacted how we use the internet, and increased potential risks. The COVID-19 pandemic and the significant increase in ransomware are just two examples of events that have changed considerations around cyber security since the Strategy’s release.
Input received will be compiled and analyzed to identify key themes, ideas and suggestions to help inform and guide the Renewal of the National Cyber Security Strategy. Results may be used to inform policy and may be shared within the Government of Canada. Public Safety Canada will retain completed online survey and email submissions in order to develop a summary of findings and to develop a high-level public report.
Goal 1: Secure and Resilient Canadian Systems:
The threats we face in cyberspace are complex and rapidly evolving. Governments, businesses, organizations, and Canadians are vulnerable. With more of our economy and essential services moving online every year, the stakes could not be higher.
In terms of concerns related to cyber security, cybercrime, etc., and how the Government of Canada could help to better protect individuals and organizations, CIFFA indicated that :
“ Our members are struggling with assessing the risks that they face and the level of investment those risks justify in Cybersecurity and/or Cyber insurance premiums. It would be helpful to have a risk calculator developed by the Government of Canada that would allow them to establish appropriate budgets.
Our members are also concerned about risks (unintentional or otherwise) from with their firms. Clear guidance on what they can and cannot do with respect to monitoring the use of company IT would be helpful. This is especially true in Work from Home situations.”
Goal 2: An Innovative and Adaptive Cyber Ecosystem
In terms of Cyber Security Awareness, and initiatives needed to help increase cyber security awareness for all, CIFFA indicated that:
“We would like to see the Government of Canada advertising the resources that have been made available (www.getcybersafe.gc.ca). The advertising should be broadcast across as many channels as possible and specifically address securing Work from Home environments.
We would like the Government of Canada to partner with Associations like ours to get the message out to Members. The Government should provide a quarterly bulletin that we can incorporate into our regular Member communications. We would like access to more up-to-date information. In many cases the information provided by the Government of Canada is 10 years old.”
Agile and Adaptive Cyber Security Capabilities
What steps should be taken to secure networks, emerging technologies, and to better protect Intellectual Property and consumer products (like Internet-of-Things and apps)?
CIFFA responded that it would like to see the Government of Canada certify any device that attaches to the network as meeting Cybersecurity standards.
“We would also like to see the introduction of penalties for firms that deploy apps and/or hardware that collect and disseminate information for which they do not have appropriate permission. “We would like to see clearer guidelines for reporting Cybersecurity incidents. We would also like to see the process clarified and simplified. When do members contact police, privacy commissioner, etc.?”
Cyber Skills and Talent Pipeline
What can be done to increase Canada’s cyber security workforce capacity and create job-ready workers? (For example, is there a mismatch between the in-demand skills and the skills of post-secondary graduates, is there a misalignment between job descriptions and the experience of candidates, is there a need for standardized curricula and outcomes, access to work-integrated learning opportunities, and short-cycle training and upskilling for workers and graduates, etc.?)
CIFFA noted that “we believe that there are unique cybersecurity concerns in the supply chain for which skills are not being developed. We recommend, in cooperation with the Government of Canada, the development of a short cycle training program that is made available to our members to ensure their staff have the appropriate skills for dealing with these unique challenges.”
Goal 3: Effective Leadership, Governance and Collaboration
What is needed to strengthen collaboration and engagement on common interests between the provinces, territories, Indigenous communities and Municipal governments, regulators, private sector, academia, not-for profits, labour organizations and the Government of Canada?
CIFFA would like to see cooperation between the Government of Canada and providers of cybersecurity insurance so that a common understanding of the risks and ways to mitigate the risks in the most cost effective manner can be developed and shared with our members.
What can the Government of Canada do to help shape the international cyber security environment in Canada’s favour and advance Canada’s international cybersecurity interests?
Finally, CIFFA indicated it would like to see the Government’s support and/or participation in the global initiatives to enhance cybersecurity in the supply chain. This includes topics as diverse as smart sensors (IOT) and Blockchain.