With more of our post-pandemic lives migrating online, Canada needs an upgraded cyberstrategy to avert a whole new kind of catastrophe.

 

Neil Desai

July 23, 2020

As the COVID19 outbreak quickly became a global pandemic, Canadians were shocked to learn that our national stockpiles of personal protective equipment (PPE) covered only a fraction of what was required to weather the unfolding crisis.

In the days following this revelation, the federal government, provinces and businesses scrambled to secure stock to maintain some degree of essential services. Prices began to rise as other national and sub-national jurisdictions competed for the limited supply of PPE in global circulation, largely provided through suppliers in China. As a result, governments in Canada have sought to diversify supply chains including by encouraging domestic manufacturers to develop PPE.

The pandemic has also exposed the growing cyber-risks to society given the acceleration of the adoption of digital technologies to maintain essential services such as payments from government, education, commerce and the justice system. Those risks have been especially borne by vulnerable populations, including seniors and children.

The Canadian Anti-Fraud Centre highlighted 100 new types of online and phone scams in less than a month after the pandemic was officially declared. The Royal Canadian Mounted Police (RCMP) report that online child sexual exploitation has soared through COVID-19 as abusers take advantage of the fact that kids are spending much more time online, both for their education and to socialize.

Cyber-breaches are also an emerging geopolitical threat. Non-government entities such as businesses and research organizations are the targets of foreign governments. For example, the US, UK and Canadian governments recently alleged that Russian hackers, linked to their government’s intelligence agency, have targeted research institutions working on COVID-19 vaccines with cyberattacks.

Such attacks are not new. Canada’s National Research Council — the federal organization responsible for over $1 billion annually of research and development delivered through government labs, universities and Canadian companies — was targeted by a Chinese state-sponsored cyberattack in 2014 that hacked intellectual property valued in the “hundreds of millions of dollars”.

Canada is in a precarious position in upholding its digital security. Our greatest geopolitical asset in countering cyberthreats is our Five Eyes (FVEY) intelligence-sharing alliance with the United States, United Kingdom, New Zealand and Australia. All of our partners have now banned Chinese telecom hardware provider Huawei from their 5G digital infrastructure. The government of Canada has yet to even set a timeline for its decision.

Canada’s FVEY partners have suggested we could be left out of critical intelligence sharing should we choose not to ban or restrict Huawei. Beyond the intelligence considerations, Canadians also have a right to question Huawei’s presence in Canada’s digital infrastructure given the allegations that the company engaged in corporate espionage that may have led to the demise of Canadian telecom giant Nortel. Exacerbating the situation, Huawei has research partnerships with 13 publicly funded Canadian universities related to 6G and artificial intelligence technologies. Despite calls from experts, the government does not have an explicit policy on intellectual property extraction from such research partnerships, even if they have national security concerns.

Mitigating the risk by limiting the supply chain alone is not a winning strategy. Unlike PPE, an industry creating critical cybersecurity tools can’t be stood up in weeks when a crisis emerges.

The other FVEY governments have and will continue to question other critical technologies, especially cybersecurity tools, that are used by their security agencies and critical public and private sectors including health care, education, finance, energy and infrastructure — especially those originating with geopolitical rivals such as China and Russia. For example, the US government banned its own use of tools developed by Russian cybersecurity provider Kaspersky Labs and imposed targeted sanctions on Chinese cyberforensics firm Meiya Pico.

Mitigating the risk by limiting the supply chain alone is not a winning strategy. Unlike PPE, an industry creating critical cybersecurity tools can’t be stood up in weeks when a crisis emerges. Canada does have a nascent cybersecurity sector, research capacity at universities and some capability and talent within its government. The Canadian Armed Forces has realized that such highly technical talent cannot be acquired and maintained within its general ranks at scale to deal with the magnitude of this existential threat. Identifying this talent in the private sector and research community and operationalizing it quickly are strategic assets. In 2018, the CAF announced a pilot program to achieve this end called the Cyber Mission Task Pilot Project.

The government has signaled its willingness to invest substantial funds to address the challenges related to security in the digital age. It created the Innovation for Defence Excellence and Security (IDEaS) program and provided $1.6 billion in funding over 20 years.  It also created the Canadian Centre for Cyber Security, which is to be Canada’s national authority on cybersecurity and threat responses.

In 2018, the Government of Canada released an updated national cyber security strategy.  The goals of the strategy were laudable, including “protecting the safety and security of Canadians and our critical infrastructure.” However, the scope was limited to the government of Canada’s digital infrastructure.

What’s missing in the strategy is an approach that spans our broader public sector, including provinces and municipalities, through to the private sector that makes up essential services. Such a strategy must create the space for these actors to identify potential vulnerabilities in a classified environment. Further, it must create the mechanisms that allow them to leverage our domestic innovators, universities and their talent to address potential holes in our cyberdefence. Where Canada doesn’t have such capabilities, the government should look to address them through strategic investments domestically and through our geopolitical alliances.

One important lesson from COVID-19 is that the government must be better at anticipating threats to our security and have mitigation approaches in hand to anticipate problems before they become crises. The cyberthreats to Canadians are real and growing, both in terms of numbers and damage. It’s the new security frontier for both geopolitical conflict and criminal activity. The question is, will the hard lessons we’ve absorbed on the lack of pandemic preparedness be applied to the existential threats to our cybersecurity?

Neil Desai is an executive with Magnet Forensics, a Canadian cybersecurity company. He serves as a senior fellow with the Centre for International Governance Innovation and the Munk School of Global Affairs and Public Policy at the University of Toronto. He formerly held senior roles in the government of Canada.