Alarm raised over IT security
Canadian companies may be skimping on IT security, leaving themselves and Canadians vulnerable to attacks from hackers, newly released records suggest.
The documents from Public Safety Canada show that the scale of cybersecurity threats “is significant” and many companies don’t invest the required money or time in good IT security.
How to solve this problem is something the Harper government has been investigating, according to records released to Postmedia News under access to information laws. They included a meeting with a cybersecurity expert at an American conservative think-tank who has argued against any form of government intervention in IT security.
The government’s cybersecurity strategy doesn’t legislate IT security standards for businesses or citizens. In October, the Conservative senator who chairs the Senate defence committee told a security conference the government wasn’t interested in legislating cybersecurity standards.
Some experts argue the answer is to have the government legislate minimum standards for IT security in Canada. Others argue the government should take the lead and raise its expectations for IT security, forcing hardware and software developers to raise the security of the products they put to market.
“I don’t know if it’s an avenue the government will go down,” said John Adams, the former chief of Canada’s cyber spy agency, and now a fellow at Queen’s University.
“It’s a heck of a challenge and the companies would go bonkers if you went after them.”
A discussion paper prepared for Public Safety Canada and released internally in July 2012 suggests there are “resource limitations” and “software dependencies” that affect how the private sector in Canada protects itself from “sophisticated cyber intrusions.” The paper is titled: Defending Canadian private sector from sophisticated cyber intrusions.
“The current situation is that there are an increasing number of new software vulnerabilities that can be exploited to gain access to companies’ networks,” reads the heavily redacted paper, labelled secret.
“The scale of the problem is significant. The cost of maintaining a highly secure network is high for each company, and they may not be willing to make that investment … With many thousands of companies in the same situation.”
The number of cases of malicious code and software affecting businesses and government alike is growing.