Feds should fund corporate IT security: CSIS
It’s a matter of national cyber-security, report suggests
OTTAWA – The federal government should consider subsidizing IT security for businesses across the country in the name of national security, suggests a research paper from Canada’s spy agency.
The paper written for the Canadian Security Intelligence Service in March, but posted online recently, makes the suggestion that to secure the networks running the country’s critical infrastructure, such as electricity grids and transport systems, the government could provide cash to companies to help them harden their defences against cyber-attacks.
Internal Public Safety Canada documents show that some companies may be skimping on cyber-security, finding the cost to protect their systems too high to afford. By doing so, a hacker that breaches computers at a company could gain access to personal information of customers, and piggyback their attacks to other computers.
The CSIS report makes a similar conclusion, noting that some executives take a see-no-evil, hear-no-evil approach to protecting their networks.
Research cited in the CSIS report suggested many executives refuse to meet with IT security staff, fearing that by knowing the vulnerabilities in their systems, they’ll be held liable for breaches. A separate study, conducted in 2011 for an industry association, suggested that a legislative void in Canada about reporting data breaches has led Canadian companies to not invest in IT security. “While the onus for protections against criminal threats falls clearly on the owner/operators themselves as a cost of doing business, national security-related threats have ramifications that extend beyond the private domain and also affect the public interest,” the CSIS study said.
“Accordingly, it would seem appropriate that the costs of protecting critical infrastructure against certain threats to national security be borne in a proportionate manner by all those who benefit: Some assistance from central government revenue to ensure that critical infrastructure owner/ operators take account of lowprobability but high-consequence risks would better safeguard not only the commercial interests of the owner/ operators of critical infrastructure but also benefit the public more broadly and enhance their confidence in government to maintain essential services in times of crisis.”
The government’s cyber-security strategy doesn’t legislate IT security standards for businesses or citizens, nor does it provide cash to businesses that oversee critical infrastructure in Canada. In late October, a high-ranking Tory senator said in a speech that the government wasn’t interested in legislating IT security standards. One day later, a former British cyber-spy chief suggested governments needed to legislate cyber-security standards because market forces weren’t working.
“That said, the government of Canada does provide support to ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada’s national security, public safety and economic prosperity,” Public Safety Canada spokesman Jean Paul Duval said in an email.
The suggestion in the CSIS report is not the first time that government subsidies for cyber-security have been floated around Parliament Hill. Industry Canada has received similar requests from IT security companies for government contracts.
An internal Industry Canada report created in March 2012 and released to Postmedia News under access to information, says the industry asked the Tories to create new “regulatory rules that create demand and procurement procedures” that helped small and medium-sized companies earn government contracts, and compete nationally and internationally.
“The IT security industry in Canada needs no subsidies but it requires partnership with other vendors … and contracts with governments,” the Industry Canada report said. “The industry raised government procurement policies and competition with larger and better branded foreign entities for government contracts as barriers to adoption of Canadian IT security solutions. Some firms believe that the difficulties they face getting reference sales with Canadian governments make it more difficult for them to sell to large organizations internationally.”
Questions to Public Safety Canada and Industry Canada about whether the government would consider funding cybersecurity in the private sector were not answered.