Cyber-security is government’s job: expert
Ex-U.K. spy chief calls for more rules, rather than fewer
OTTAWA — One day after a top Tory senator suggested the government and Canadians didn’t want more regulations on how we use cyberspace, a former British spy chief said that thinking needed to be deleted.
Governments need to possibly create more red tape to force companies and individuals to think about cybersecurity because too few are doing enough to protect themselves and others, Sir David Pepper told a security conference Wednesday.
“Governments have to be ready to intervene certainly more than they want to,” said Pepper, former head of the Government Communications Headquarters, the British agency charged with monitoring and protecting the U.K. government from cyber-threats.
“Regulations may well be necessary.”
Pepper suggested that governments consider making cyber-security part of regulatory approval for critical infrastructure industries such as transportation and utilities. In Canada, that could also mean the CRTC requires telecommunications providers to show they are changing passwords and keeping their cyber-security protocols up to date before receiving a CRTC licence.
“We know there’s a vulnerability there,” Pepper said after his speech. “I don’t know what the practicalities are. One of the problems you’ve got here is how do you actually write down the standards that you would put in the licence? There’s nobody talking vacuously about standards.”
On Tuesday, a high-profile Tory senator told the Secure-Tech conference that government and Canadians weren’t interested in more red tape and regulations in cyberspace.
Sen. Pamela Wallin instead suggested that Canadians needed to take personal responsibility for their actions online. Too few people take appropriate steps to protect themselves from malware and hackers, Wallin said, with young Canadians being naïve about their safety online. Canadians that weren’t taking basic steps to be cyber-secure were leaving other online users, and the federal government, open to attack, she said.
Pepper agreed that too few were taking cyber-security seriously, but said governments shouldn’t hope that businesses and individuals will change how they behave online on their own.
The CEO of software maker OpenText, Mark Barrenechea, said a debate or movement toward more government policies and interventions is badly needed. If such policies had been around years ago, companies such as Nortel may still be around, he said, rather than having fallen victim to a campaign of cyber-based economic espionage believed to have originated in China.
He said he expected more state-sponsored cyber-espionage in the coming months and years, and hackers will gain access to systems. Governments, he said, must be public about their response policies should they too fall victim to a cyber-attack.
“What is the Canadian policy if attacked?” Barrenechea said in answer to an audience question. “I don’t know what the response is as a citizen.”
Protecting critical infrastructure, such as roads, the power grid and water systems, from cyber-attacks has become an increasing focus for governments as the number of targeted hacks on systems continues to grow. In the United States, the Government Accountability Office found that cyber-based threats to critical infrastructure and federal systems increased by nearly 680 per cent in the last six years alone. Attacks have targeted the energy and nuclear industries, and banks.
The auditor general’s office was unable to find similar numbers from the federal government during its review of cyber-security practices.
The government did say in response to the auditor general’s report that it would refocus efforts to have businesses share information on threats and breaches through industry groups. Last week, the government announced it would also share information on cyber-threats with the U.S. Department of Homeland Security.
“There are plenty of things that neighbours can do, and ought to do, and the more collaboration of that sort that goes on the greater the collective defence,” Pepper said, adding that some state secrets likely wouldn’t be passed along.