Friday, December 7, 2012

Companies not investing enough on cyber-security, government ...

OTTAWA - Canadian companies may be skimping on IT security, leaving themselves and Canadians vulnerable to attacks from hackers, newly released records suggest.

The documents from Public Safety Canada show that the scale of cyber-security threats "is significant" and many companies don't invest the required money or time in good IT security.

How to solve this problem is something the Harper government has been investigating, according to records released to Postmedia News under access to information laws. They included a meeting with a cyber-security expert at an American conservative think-tank who has argued against any form of government intervention in IT security.

The government's cyber-security strategy doesn't legislate IT security standards for businesses or citizens. In October, the Conservative senator who chairs the Senate defence committee told a security conference the government wasn't interested in legislating cyber-security standards.

Some experts argue the answer is to have the government legislate minimum standards for IT security in Canada. Others argue the government should take the lead and raise its expectations for IT security, forcing hardware and software developers to raise their security on the products they put to market.

"I don't know if it's an avenue the government will go down," said John Adams, the former chief of Canada's cyber spy agency, and now a fellow at Queen's University.

"It's a heck of a challenge and the companies would go bonkers if you went after them."


A discussion paper prepared for Public Safety Canada and released internally in July 2012 suggests there are "resource limitations" and "software dependencies" that affect how the private sector in Canada protects itself from "sophisticated cyber intrusions." The paper is titled "Defending Canadian private sector from sophisticated cyber intrusions."

"The current situation is that there are an increasing number of new software vulnerabilities that can be exploited to gain access to companies' networks," reads the heavily redacted paper, labelled secret.

"The scale of the problem is significant. The cost of maintaining a highly secure network is high for each company, and they may not be willing to make that investment ... With many thousands of companies in the same situation."

The number of cases of malicious code and software affecting businesses and government alike is growing. From April to June of 2012, the Canadian Cyber Incident Response Centre (CCIRC) saw a 45-per-cent increase in the number of reported IT security breaches, according to an unclassified report the centre gave to the government and clients after the second quarter of the year.

CCIRC found there was a "clear trend" in "malicious individuals" targeting Canadians "by impersonating financial institutions through phishing campaigns." There was also an increase in cases of ZeuS malware, which steals banking information by logging keystrokes and taking screen captures of an infected computer.


Government was not immune to malicious code being embedded into websites. CCIRC issued almost 2,000 "victim notifications" to alert businesses, schools and government agencies that they were "hosting malicious content, website forgeries, and personal information."

At an event on cyber-security organized by the American Enterprise Institute July 9, 2012, which a Department of National Defence employee attended, one expert argued that 80 per cent of attacks could be prevented by better "cyber hygiene," according to a briefing note prepared for the chief of defence staff.

"Most experts argued that given the nature of the threat, minimal standards in cyber security should be legislated," the briefing note reads.

Adams said legislation could focus on forcing users to be more vigilant online, but would likely be better targeted at software developers to ensure products aren't rushed to market before security flaws are patched. Legislating standards for average Canadians would be helpful in preventing hackers from using one unsecured device to breach others, he said. But regulating that would be difficult with the number of devices already in use and require vast resources, Adams said.

Enforcing regulations could also be difficult if provinces decide to assert their powers over companies falling under their jurisdiction, setting up a territorial battle with federal legislators, said Bill Munson, vice-president of policy at the Information Technology Association of Canada. Munson said companies would likely take the government to court, setting up years of legal wrangling over any new law.

Rather than legislate, the government should lead by example and raise its standards for IT security purchases to force companies to raise standards for their own products, he said.

"Government has enormous clout ... They don't have to pass a law, but can say we will not buy your stuff if you don't have it really high (standards)," Munson said. "I don't get the sense the governments are demanding the same high standards as other places do."

Tom Kellermann, a vice-president at cyber-security firm Trend Micro, said legislation should be considered to force companies to focus on the threats they face. Some industries, such as banks and health care, invest in IT security, he said, but the government should have the ability to force companies to secure their networks, likening it to a fire code for cyberspace.

In the United States, a bipartisan group of industry and national security experts recommended last year the government impose security regulations for critical infrastructure and public-private partnership agreements. Kellermann said approving similar regulations north of the border would make companies more transparent about breaches that affect customers and force a shift in how the private sector views IT security.

"You change the dynamics when you modernize existing regulations, when you modernize penalties," he said.

According to IT security firm Symantec, almost 8.3 million Canadians online were victims of cyber-crime in the past year. Overall, the cost of cyber-crime in Canada is estimated at $1.4 billion, according to the firm's annual report on cyber-crime released in September.

Source: http://o.canada.com/2012/12/05/companies-not-investing-enough-on-cyber-security-government-documents-say/

