Vanguard Magazine

Dec/Jan 2014

Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR

Issue link: http://vanguardcanada.uberflip.com/i/235053


Cyber security

Cyber resilience and the role of the CIRC

Ben Sabbath is a Nova Scotia-based defence and security expert.

There are two types of companies: those that have been compromised by a cyber incident and those that are not yet aware that they have been compromised.

It was an important message for delegates to the third annual Security Technology Conference (SecurTech 2013) in Ottawa this fall, a reminder that cyber threats are ubiquitous and many companies and individuals are not yet taking enough measures to mitigate them.

As Tim Page, president of the Canadian Association for Defence and Security Industries, noted in his opening remarks, "serious risks to public safety, threats to our ecosystems, traditional way of life and national security challenges abound and are growing in complexity, impact and cost. Governments, emergency responders, security agencies, industry and ordinary citizens are mutually exposed to these challenges and therefore mutually dependent to find a way forward in these turbulent times."

The conference's fourth and final panel focused on critical infrastructure (CI) and cyber resilience, zeroing in on one of the more unanticipated vulnerabilities in today's CI, industrial control systems. The conference was conducted under the Chatham House Rule, so speakers and their affiliations cannot be identified.

Cyber attacks on industrial control systems (ICS) have increased significantly. These systems, used extensively in the utilities sector for services such as electrical, water, oil and gas and in data industries, constitute a major exposure. ICS were never intended to be connected to the Internet; they were supposed to be air-gapped, a precaution that has been effectively neutralized by digital networking.

And they have become even more susceptible to attack as more employees ask for data to be uploaded to the Internet to allow them to work on their personal devices. This BYOD (bring your own device) approach to business may appear to reduce hardware costs, but it has introduced new threats as employees seek access to data through their smart phones and iPads, opening the door to the more than one million pieces of malware currently in operation.

Public Safety Canada's Cyber Incident Response Centre (CIRC) is the guard and guardian against cyber attacks on government and industrial information and data systems. Its website notes that it is "Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber events," and has probably dealt with any malware that the Canadian private sector might encounter.

The centre is intended as a resource for industry to assist with cyber-related challenges, but many in the private sector feel there are disincentives to sharing information with government. As one speaker asked: "What do they get in return?" There is also concern that privileged information affecting competitiveness may be inadvertently leaked to rival interests if cyber incidents are shared.

Back to that reality check: Chances are your company has already been compromised, whether you know it or not. So the value of CIRC staff, who have been cleared to top secret, is their ability to share cyber-related information and insight with those companies that share incidents with the centre.

CIRC has acknowledged industry concerns about sensitive commercial information and strived to ensure that only information about cyber threats that does not impact the competitive positions of clients is shared. Still, as a government official acknowledged, the centre only receives notice about one-tenth of incidents that occur in Canadian business each year.

Several speakers noted that without mandatory reporting, there would always be "a tendency to hide the problem." But one presenter urged industry to "stop looking at (cyber) security as a cost, but rather as a business enabler." And another assured delegates that what had once been under the radar and "something to catch up" with, was now "a board level risk discussion."

One success story that some sectors might consider emulating is the financial industry, which not only shares information with CIRC but has also developed its own incident response centre.

A cyber system without security is like a car without brakes and lights, attendees were told – it would not be permitted on the road. As with simple brake and electrical repairs, 80 to 85 percent of cyber attacks can be prevented by applying patches for the systems and office suites on which critical infrastructure and industrial control systems rely, but the responsibility of this rests with industry, not government. Maintaining system updates, upgrades and patches, and limiting the number of people with administrator rights, remain the most effective and least expensive measures available.

These are all important steps. But industry also needs to be involved with the CIRC for the system to work properly. Partnership is the glue behind corporate cyber security.
