Cyber security month continues in Canada with the release of the Auditor General's Fall 2012 Report. Chapter 3 evaluates the federal government's progress on protecting Canadian critical infrastructure against cyber threats. As the Auditor General noted, the federal government is uniquely positioned to protect Canadians because of its access to foreign intelligence and other information sources that are not available to other stakeholders.

What is the Auditor General's assessment? The federal government has been stating its commitment to address cyber security threats to critical infrastructure since 2001. However, "[d]espite several past strategies and funding, [...] progress in achieving these commitments has been slow." It appears that the government's focus has been on policy development (and, perhaps, redevelopment) rather than on monitoring threats and building sectoral partnerships.

For example, the federal government announced the creation of the Canadian Cyber Incident Response Centre (CCIRC) in 2005 to serve as a national readiness and response team for cyber threats. The CCIRC still does not operate 24 hours a day, 7 days a week and there are no plans for it to do so. Instead, it operates Monday to Friday, from 8 a.m. to 4 p.m. Eastern Time. The government plans to extend the operational hours, but not provide 24/7 coverage. Cyber threats or attacks outside of those hours are reported to the Government Operations Centre, which then pages an employee at CCIRC.

There are concerns that the CCIRC is not included early enough when incidents do occur. In part, this is because it is not the initial point of contact for sectoral incidents; however, there also appears to be interdepartmental confusion. For example, CCIRC was not notified of an attack on government systems until more than a week after the intrusion was discovered.

Given that critical infrastructure is owned by the private sector or managed through provincial, territorial or municipal governments, partnerships with the federal government on national cyber security are critical. However, with the exception of the energy and utilities sector network managed by National Resources Canada, partnerships within other sectors are only now starting to be developed and do not yet provide complete coverage.

Public Safety Canada has, for the most part, agreed with the Auditor General's recommendations.

For more information, visit our Data Governance Law blog at www.datagovernancelaw.com
