(OTTAWA) A Commons committee is calling on the government to release a comprehensive annual national cybersecurity threat assessment, and provide more information on how to prevent cyberattacks, particularly from Russia.
“Overall, Russia is of greater concern because it has shown no hesitation in violating recognized international rules,” reads the most recent report from the Standing Committee on Public Safety and National Security.
The report, tabled last week in Parliament, points out that the various agencies and committees that deal with national security in Canada operate in silos and produce a variety of separate reports.
The MPs who sit on this committee suggest the appointment of a person in charge, as in the United States, to bring together these various recommendations and create an annual list of priorities for the government.
They believe this should begin with a review of the various “cybersecurity roles, responsibilities and structures across the federal government” to “maximize consistency, coordination and timely action.”
The committee heard from witnesses between April and October 2022 who spoke about malware and cyberattacks originating in Russia that affected Canadian businesses. Examples include the “NotPetya malware”, which struck in 2017, and the Russian cyber-espionage campaign that infiltrated the Orion “SolarWinds” platform in 2020, which Global Affairs Canada says compromised more than 100 Canadian entities.
MPs on the committee believe Canada could do more to prevent these attacks on government agencies as well as private businesses, in part by mandating incident reporting.
They pointed out that there are few obligations for companies to report cybersecurity incidents that do not involve data leakage. Last October, Caroline Xavier, then head of the Communications Security Establishment, testified that “many organizations don’t report it” when they’ve been victims of cyberattacks.
Lax rules
Witnesses also told the committee that “life-saving operators” enjoy lax rules compared to their European and American counterparts. They also said that some areas like port authorities lack clear notification timelines on preventative cybersecurity measures to apply.
The committee is also calling on the government to direct the Communications Security Establishment to expand the range of tools used to educate small and medium-sized enterprises (SMEs) on the need to prevent cyberattacks. The government should also offer tax breaks to SMEs to help them better protect their data.
Witnesses pointed out that hackers tended to focus on larger targets, but smaller businesses lacked protection.
The non-profit organization “Canadian Cyber Threat Exchange” reported in May 2022 that 44% of member SMEs had “no form of cyber defense” and that 60% of these small businesses were uninsured in the event of cyberattacks.
The committee suggests that the government require companies of sufficient importance and size, as well as government agencies, to prepare “to respond to, prevent and report cyber incidents”. These entities should also establish timelines for reporting serious incidents, technical support services, and safeguards for information reported to the Communications Security Establishment.
MPs also noted calls from witnesses for better cooperation with the United States on cyberattacks on critical infrastructure, such as the North American Aerospace Defense Command (NORAD).
Still, the committee did not recommend that Canada emulate Britain in tying federal procurement to cyber protection — for example, requiring companies to have basic hacking protection before they can participate in government calls for tenders.
The report also suggests that the government work with experts, internet service providers, social media platforms and international partners “to combat online bots that amplify state-sponsored disinformation.”
The committee also calls for more transparency on Russian disinformation and an acceleration of the modernization of NORAD.