Security and Prosperity in the Digital Age: Consulting on Canada's Approach to Cyber Security

This consultation is now closed. It took place from August 16 to October 15, 2016 as part of the Government of Canada's commitment to review measures to protect critical infrastructure and Canadians from cyber threats.

Security and Prosperity in the Digital Age: Consulting on Canada's Approach to Cyber Security PDF Version (3 Mb)
Table of contents

Introduction

The Government of Canada is reviewing its measures to protect critical infrastructure and Canadians from cyber threats. This document provides an overview of the cyber security environment in Canada, and poses questions on current trends and potential future initiatives.

What is cyber security?

Cyber security is the protection of digital information and the infrastructure on which it resides. Cyber security addresses the challenges and threats of cyberspace in order to secure the benefits and opportunities of digital life.

Why were we seeking your views?

The Canadian cyber security environment is evolving. Rapid changes to digital technology can have far-reaching security, economic and social impacts. Recognizing that digital technology plays a central role in the everyday lives of Canadians, the Government of Canada wanted to hear your views on this issue.

Trend 1: Evolution of the Cyber Threat

The growth of the internet, digital networks and use of mobile devices by individuals, governments and businesses has been matched by the growth of threats in cyberspace. Cyber capabilities that were once rare and expensive have become commonplace and affordable. As a result, a growing number of nation-states are attempting to establish their presence in the cyber domain. Non-state actors are also developing cyber capabilities, and while they often lack the sophistication and resources of nation-states, they can nevertheless be effective in conducting malicious cyber operations and in committing cybercrimes. To complicate matters further, unlike in the physical world, it is challenging to identify the origin and purpose of cyber attacks. These factors contribute to a growing cyber threat facing Canada.

Theme Addressing Cybercrime

Cybercrime poses a serious risk to the safety and economic well-being of Canadians. Cybercrime falls into two categories. The first is traditional criminal activities, like fraud, harassment and sexual exploitation, which are now being committed or facilitated through the use of computers and networks—the technology is a tool that has fundamentally changed how criminals operate. The second category of cybercrime targets technology itself, where criminals are trying to hack into computers and networks and compromise how these computer systems function. Both types of cybercrime have become more sophisticated and can even be used at the same time. Ransomware fraud schemes, for example, now include the threat of extortion, denial of service attacks or data loss if ransom demands are not met. With the growth of online criminal marketplaces, malicious cybercrime tools and services are also more available. Furthermore, cybercrime is transnational and requires significant cooperation across borders to disrupt criminal activities. Investigating cybercrimes is technically complex and can be more resource-intensive than traditional investigations. Police services are challenged to keep up with the accelerating pace of incidents, the complexity of technology, and the increasing need to obtain intelligible digital evidence.

Q: How can law enforcement better address the growing challenge posed by cybercrime (for example, through training and capacity-building, equipment, partnerships, innovative initiatives)?

Q: How can public and private sector organizations help protect themselves from cybercrime, such as threat of ransomware attack, fraud and identity theft, and what tools do they need to do so?

Q: Are there barriers to reporting cybercrimes (or suspected cybercrime) to law enforcement agencies? If so, what are they?

Theme Policing in Cyberspace

Police in Canada are mandated to investigate criminal activity in both the online and physical worlds. Yet expectations for policing in cyberspace are not as well understood and agreed upon by Canadians as their expectations for policing in the physical world.

For example, citizens rightly expect cybercrime investigations to be effective in identifying and disrupting criminal activities online, and holding criminals to account. However, the growth of new technologies and new ways to commit cybercrime are challenging the effectiveness of existing police tools and authorities for cybercrime.

As Canadians integrate technological advancements into their lives, they are grappling with questions of privacy, anonymity, and accountability both for themselves and for the broader community they live in. Technological advancements, changes in law, court decisions, and the current threat environment are also shaping Canadians’ expectations of how police should operate in an online world. For example, encryption technologies help Canadians to secure their personal information. At the same time, these technologies can also limit the ability of law enforcement to investigate crimes.

The Government is committed to public safety through effective policing and protecting the individual rights of Canadians, including privacy rights. Your views will help the Government and police balance their responsibilities and respond to the challenges of policing in cyberspace.

Q: What are your expectations for policing in cyberspace? Are they different from policing in the physical world?

Q: In a digital age, security and privacy go hand in hand. How can cybercrime be addressed in a manner that respects Canadians’ privacy rights and protects public safety?

Theme Protecting Against Advanced Cyber Threats

Public institutions – such as the Government of Canada– as well as Canadian companies are the targets of persistent, well-funded and sophisticated cyber attacks. Countries use these attacks for espionage, trying to obtain sensitive information such as strategies for international negotiations or military plans. Some states are also pursuing corporate espionage, and steal Canadian intellectual property (e.g. research and development ideas) or confidential business strategies to give their own economies a competitive advantage. When successful, advanced cyber operations compromise our economic prosperity and sovereignty.

Beyond espionage, some states are developing advanced cyber tools to threaten the computer systems that run critical infrastructure, which can disrupt essential services and cause significant damage. More non-state actors are demonstrating an interest in attacking critical infrastructure. Canada needs to ensure that essential services for Canadians are protected and resilient from these advanced cyber threats.

Q: What do public and private sector organizations need to protect themselves from advanced cyber threats (for example, tools, capacity, information)?

Q: What are the constraints to information sharing on advanced cyber threats and associated vulnerabilities?

Theme Increasing Public Engagement

Canadians need to know how to protect themselves from cyber threats. Public awareness campaigns are an important first step, but may not be sufficient to confront the cyber security issues of modern life.

Deeper engagement in cyber security is needed from all parts of society: small and medium enterprises, large industry players, educators, media, police services, and others.

Q: How can individuals be better informed about how to recognize and react to a cybercrime (like spear phishing) or a cyber security vulnerability (for example, security of networked cars or connected health devices like pacemakers)?

Q: How can public and private sector organizations work together to build Canadians’ awareness of cyber security issues ( for example, joint online training initiatives)?

Trend 2 Increasing Economic Significance of Cyber Security

Digital technologies and the internet are increasingly important enablers of innovation and economic growth.

At the same time, cyber security can improve Canada’s competitiveness, economic stability, and long-term prosperity. There is an opportunity for Canada to carve out a competitive advantage in cyber security and create a robust, secure, leading-edge digital economy.

Theme Strengthening Consumer Confidence in E-Commerce

Canadians need to be able to trust the security of transactions online. Cyber incidents can erode that trust, based on fears of the theft of personal information, financial loss and the compromise of individual privacy. Consumer confidence is especially important for small and medium enterprises (SMEs), which drive a significant portion of the economy.

Many of these firms do not realize that they could be targeted by cyber criminals. As a result, they may not have regimes in place to protect themselves, detect attacks and recover from cyber incidents. Even firms that recognize the importance of securing their information may find it hard to identify affordable and effective solutions. Businesses also have a key role to play in ensuring the security of their online platforms and the outsourced services they use, and in securing the financial and personal information of their customers. Strengthening the cyber security capacity of all Canadian businesses, including SMEs, is crucial for safeguarding consumer confidence and continued engagement in the e-marketplace.

Q: How can Canadian businesses be encouraged to adopt better cyber security regimes – particularly small and medium enterprises?

Q: What factors do you think are important to consider before sharing your personal and financial information with businesses online (for example websites displaying a Secure logo, web addresses beginning with https)?

Theme Embracing New Cyber-Secure Technologies

Canadians continue to embrace intelligent networked devices (including internet-of-things devices, like connected baby monitors and networked sensors for municipal services). These technologies use and protect information in a variety of ways, with many differences among devices. There are currently no clear standards to secure these devices and ensure the privacy of the data they collect. At the same time, the development of industry standards could also make it harder for Canadian companies to bring out new products, or delay the introduction of products to Canadian consumers. The importance of these technologies will only grow as new products based on emerging areas like nanotechnology and artificial intelligence enter the market.

Q: What steps should be taken to ensure that networked and emerging technologies (like internet-ofthings and apps) are cyber secure?

Theme Protecting Critical Infrastructure

Owners and operators of Canadian critical infrastructure are adopting digital technologies and networked systems to streamline business, save money, and deliver better services. These are key improvements that make services more efficient and cost effective for citizens. However, other countries can exploit this connectedness for cyber espionage, theft, and – potentially – sabotage. Terrorist groups are also interested in acquiring advanced cyber tools to target critical infrastructure.

Most of Canada’s critical infrastructure is owned by the private sector. Canada will need to find ways to bring together governments at all levels as well as owners and operators of critical infrastructure to truly address cyber threats to essential services.

Q: What are the barriers to strengthening cyber systems in critical infrastructure (within and across sectors)?

Q: What are the constraints to information sharing and engagement related to protecting cyber systems of Canada’s critical infrastructure?

Trend 3 Expanding Frontiers of Cyber Security

Since Canada’s Cyber Security Strategy launched in 2010, emerging technologies have played a significant role in changing the digital landscape. In this new reality, cyber security must evolve at the same rate as new technologies.

Canada must be positioned to maintain an agile and adaptive cyber security posture as it pursues new opportunities and develops and adopts key technologies and capabilities.

Theme Building a 21st Century Knowledge Base

Canada needs better information on cyber security issues. Generating reliable and relevant data and metrics on cyber security issues (for example, through a survey of Canadians) and systematically analyzing these data will provide a more accurate view of cyber security issues. Information can be used by academics and researchers, as well as policy-makers, to understand trends and to drive the development of new services, like cyber risk insurance. This could include information on cybercrime and cyber security vulnerabilities – their types, their rate of occurrence, their magnitude, and the impacts that they are having on Canadian citizens, businesses, and society. It could also include information on adoption rates for smartphones and networked devices, internet use, and of economic growth tied to the digital economy.

These metrics will be needed if Canada is to confront threats and identify opportunities related to cyber security, particularly as new technologies introduce new vulnerabilities and new avenues for cyber attack into the day-to-day lives of Canadians.

What information (e.g. data, metrics) would contribute to a better understanding of cyber security issues in Canada? Please explain your response. Q

Theme Encouraging Growth and Innovation

Strong cyber security enables success in the digital world by protecting information, ideas, and discoveries. Encouraging growth and innovation in cyber security is crucial so that Canada can continue to reap the benefits of the digital global economy.

To do so, Canada will need to foster a robust cyber security workforce, as well as centres for leading-edge cyber security technology.

Q: What measures could be taken to improve the availability, relevance, and quality of cyber security training?

Q: What is needed to improve Canadian innovation in cyber security?

Canada’s Way Forward on Cyber Security

The digital revolution has fundamentally changed Canada’s social, economic, and cultural fabric. Canada’s participation in digital life has generated immense prosperity and benefits, and has opened a new gateway to the world. At the same time, it has continued to bring the world to us in new and challenging ways, and introduced threats that could undercut the many benefits of the digital age. Canada’s renewed approach to cyber security must respond to this set of complex, integrated issues.

A Renewed Approach

The fundamental goal of Canada’s plan for cyber security is to maximize the benefits of digital life for Canadian citizens and businesses. As the cyber security environment has matured, it has become clear that an effective plan to achieve this goal must be based on principles that can endure the pace of change in cyberspace. Canada’s renewed approach will be guided by five principles.

Five Principles for a Renewed Cyber Security Approach

These principles will guide Canada’s response to an array of trends, challenges and opportunities in cyber security Canada’s Way Forward on Cyber Security

Key Action Areas

Canada will be guided by its principles for cyber security in three action areas, outlined below. Examples of prospective initiatives for national action on cyber security are outlined under each action area. Resilience

This area would focus on the essential elements of cyber resilience. This includes the prevention, mitigation, and response to advanced cyber attacks targeting Canadian systems and institutions, and increasing public engagement on cyber security issues.

For example:

Cooperation and Capability

This area would focus on working together to develop the skills, resources, and tools needed for effective cyber security in Canada.

For example:

Cyber Innovation

This area would focus on initiatives that will allow Canadian governments, businesses, and citizens to anticipate trends, adapt to a changing environment, and remain on the leading edge of innovation in cyber security.

For example:

Workbook Glossary

App
An application, especially as downloaded by a user to a mobile device (for example, fitness tracking app).
Artificial Intelligence
Interdisciplinary field usually regarded as a branch of computer science, dealing with models and systems for the performance of functions generally associated with human intelligence, such as reasoning and learning.
Critical infrastructure
Processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects and significant harm to public confidence.
Cyber attack
An attack that involves the unauthorized use, manipulation, interruption or destruction of, or access to, via electronic means, electronic information or the electronic devices or computer systems and networks used to process, transmit or store that information.
Cyber incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.
Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.
Cyber threat
A threat actor, using the internet, that takes advantage of a known vulnerability in a product for the purposes of exploiting a network and the information the network carries.
Cybercrime
A crime committed with the aid of, or directly involving, a data processing system or computer network. The computer or its data may be the target of the crime or the computer may be the tool with which the crime is committed.
Cyberspace
The electronic world created by interconnected networks of information technology and the information on those networks. It is a global commons where more than 3 billion people are linked together to exchange ideas, services and friendship.
Denial of Service Attacks
A type of cyber attack aimed at overwhelming or otherwise disrupting the ability of the target system to receive information and interact with any other system.
E-Commerce
The buying and selling of information, products and services via the internet.
Encryption
Cryptology is discipline that embodies principles, means, and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized use. The conversion of the information into this new protected form is referred to as encryption. The conversion of information back to its original form is decryption.
Intellectual Property (IP)
According to the World Intellectual Property Organization, intellectual property (IP) is a creation of the mind. IP includes inventions, literary and artistic works, designs and symbols, and names and images used in business.
Internet-of-things
The interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data.
Nanotechnology
Any technology related to features of nanometric scale: thin films, fine particles, chemical synthesis, advanced microlithography, and so forth.
Non-State Actor
A non-governmental individual, group or organization that plays a role in political, economic, or social life. Non-state actors may include any of the following types of groups and organizations: multinational corporations, terrorist organizations, criminal organizations, diaspora.
Ransomware
Software that denies you access to your files until you pay a ransom.
Spear Phishing
The use of spook emails to persuade people within an organization to reveal their usernames or passwords. Unlike phishing, which involves mass mailing, spear phishing is small-scale and well targeted.
Date modified: