In 2010 the Government of Canada "launched a national effort to defend against [cyber security] threats with Canada's first Cyber Security Strategy": National Cyber Security Strategy (the National Strategy). This outlines three themes: (1) security and resilience; (2) cyber innovation; and (3) leadership and collaboration and involves the government's commitment to1:
- Protect the safety and security of Canadians and our critical infrastructure
- Promote and protect rights and freedoms online
- Encourage cybersecurity for business, economic growth, and prosperity
- Collaborate and support coordination across jurisdictions and sectors to strengthen Canada's cyber resilience
- Proactively adapt to changes in the cybersecurity landscape and the emergence of new technology
The National Cyber Security Strategy builds upon efforts to protect the systems of the Government of Canada to forge partnerships to secure cyber systems outside the federal government and to help Canadians to be secure online2.
In 2018 the Canadian federal government created the Canadian Centre for Cyber Security (CCCS) to provide leadership in the implementation of cybersecurity in Canada3. The CCCS published a National Cyber Threat Assessment that same year which set out seven key judgments:
- Cybercrime is the cyber threat most likely to affect Canadians and Canadian businesses in 2019. Cybercrime is evolving as cybercriminals take advantage of growing online markets for illicit goods and services in order to maximize their profits. Cybercriminals tend to be opportunistic when looking for targets, exploiting both technical vulnerabilities and human error.
- Cyber threat actors — of all sophistication levels — will increase the scale of their activities to steal large amounts of personal and commercial data. Data, such as intellectual property and Canadians' personal information, are used for theft and resale, fraud, extortion, or espionage.
- Canadians are very likely to encounter malicious online influence activity in 2019. In the coming year, we anticipate state-sponsored cyber threat actors will attempt to advance their national strategic objectives by targeting Canadians' opinions through malicious online influence activity.
- State-sponsored cyber threat actors will continue to conduct cyber espionage against Canadian businesses and critical infrastructure to advance their national strategic objectives. More nationstates are developing cyber tools designed to conduct cyber espionage.
- It is very unlikely that, absent international hostilities, state-sponsored cyber threat actors would intentionally disrupt Canadian critical infrastructure. However, we also assess that as all manners of critical infrastructure providers connect more devices to the Internet, they become increasingly susceptible to less-sophisticated cyber threat actors, such as cybercriminals.
- Sophisticated cyber threat actors will likely continue to exploit the trusted relationships between businesses and their suppliers and service providers for espionage and cybercrime purposes.
- Cyber threat actors are adopting more advanced methods, such as compromising hardware and software supply chains, making detection and attribution more difficult.
Recognizing that many of the cybersecurity resources and strategies available are beyond the means of SMEs, the CCCS published a guide aimed at small or medium enterprises (SMEs) with less than 500 employees (although larger organizations may also draw on its recommendations and access the tools): The Baseline Cyber Security Controls For Small And Medium Organizations (the "CCCS Guide"). The CCCS Guide sets out thirteen "Baseline Controls" for SMEs to implement and maintain, which deserve discussion at length:
- Develop an Incident Response Plan. The plan should involve specifying who is to respond to a cyber incident and their responsibilities and a plan for engaging and dealing with outside vendors and considers insurance.
- Automatically patch operating systems and applications. Organizations should enable automatic hardware and software updates or consider replacing those products which do not allow for that option.
- Enable security software.
- Securely configure devices. This should involve ensuring the change of administrative passwords on all devices and reviewing device settings to disable all unnecessary functions and enable security features.
- Use stronger user authentication. Balancing security with usability, organizations should consider employing two-factor authentication, changing passwords only when there is suspicion or evidence of a security issue, developing possibilities on password characteristics and the employment of password managers.
- Provide employees with
awareness training concerning4:
- Use of effective password policies;
- Identification of malicious emails and links;
- Use of approved software;
- Appropriate usage of the Internet; and
- Safe use of social media.
- Back up and encrypt data, to a secure external location and develop procedures for restoration from back-up and regular verification that back-up and restoration mechanisms are functioning correctly.
- Secure mobility. The governing principle for secure devices is the separation of work and personal data on mobile devices. Organizations should require that personnel only download apps from trusted sources. Users should be instructed to disable automatic connections to open or unknown Wi-Fi networks, limit the use of Bluetooth for the exchange of sensitive data and to use corporate Wi-Fi or cellular data networks.
- Establish basic perimeter defences by using firewalls and configuring a Domain Name System firewall solution, which prevents connection to malicious web domains and filters for spam or email with malicious attachments. Organizations should ensure the use of secure connectivity for all online organizational IT services. Internal Wi-Fi networks should use at least the WPA2 wireless security protocol and, where feasible, the WPA2-Enterprise protocol. Wi-Fi services for customers or guests should never connect to the organization's internal networks.
- Secure cloud and
outsourced IT services. It is recommended that
organizations should require all cloud providers to share an AICPA
SSAE 18 SOC 3 report. Vendors should be required to
- Privacy and data-handling policies;
- Notification processes when private data is accessed without prior authorization;
- Destruction processes for data at the end of the outsourcing contract;
- Physical location and security of outsourced data centres; and
- Physical location of outsourced administrators.
- Secure websites. Organizations should follow the Level 1 Guidelines of the Open Web Application Security Project (OWASP) Application Verification Standard (ASVS).
- Implement Access Control and Authorization, following the principle of least privilege, allowing users only the minimal functionality necessary for their tasks, with more restrictions for administrative accounts.
- Secure portable data, such as hard drives, USB sticks and secure digital (SD) cards.
Finally, the Government of Canada has created a voluntary cybersecurity program to assist SMEs to develop baseline cybersecurity, the CyberSecure Canada program. SMEs which demonstrate compliance with the baseline controls set out in the CCCS Guide will be certified. Certification allows them to use the CyberSecurity Canada logo. Organizations will have to apply to one of several certification bodies, some of which charge fees or are processed at no charge if the organization uses the certification body's products or services. Applicants should retain legal advice to implement the baseline controls in compliance with applicable laws and implement a legal privilege strategy to ensure that legal privilege applies to some communications and documents employed in the certification process.
1. Ibid. at p. 4
2. Ibid. at p. 6
3. B.A. Arnold, Finding a co-ordinated approach to cyber-threats, 30 April 2019, Canadian Lawyer, https://canadianlawyermag.com/author/brent-j-arnold/finding-a-co-ordinated-approach-to-cyber-threats-17184/. The CCCS website: https://www.cyber.gc.ca/en/cyber-incidents
4. Ibid. at p. 9
5. Ibid. at p. 12
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.