Canada on Wednesday released its first-ever cybersecurity strategy for federal departments and agencies, aiming to address challenges posed by remote working, cloud computing, aging infrastructure and recruitment.
The strategy, released by Treasury Board chair Anita Anand, concluded that as of the end of fiscal year 2023, government departments and agencies generally lacked a “repeatable” process for identifying and responding to emerging cyber threats.
So far in 2024, the Canadian Centre for Financial Transactions and Reports Analysis, the Royal Canadian Mounted Police, and the Canadian Department of Foreign Affairs have responded to cyber incidents.
“It's not just other governments and private companies in our country that have to ensure we have strong defenses against cyber threats and cyber attacks, it's the Canadian government itself that has to ensure that our systems are protected,” Anand said in an interview with Bloomberg.
“This will therefore protect the personal information of citizens and ensure the delivery of services.”
The strategy is expected to cost CAD11 million (US$8 million) over five years.
During the pandemic, many government employees switched to remote work, using their home networks as well as government systems. Now, with many continuing to work in a hybrid fashion, the strategy aims to make working from home more secure through the expansion of multi-factor authentication and the introduction of always-on protection against malware and viruses.
Governments are also increasingly using mobile devices, cloud-based services, and third-party software. Many of these systems are operated at the department or agency level, which can lead to inconsistencies.
“The speed of technological change means that once-effective security measures can quickly become outdated, highlighting the need for a proactive, adaptive approach to cybersecurity,” the strategy states.
The government plans to set up security operation centers to monitor on-site, cloud and other network-connected devices of each ministry and agency. Some ministries and agencies will also have specialized operation centers. The strategy also calls for the establishment of Purple Teams, a team of teams that will simulate cyber attacks and evaluate defenses to identify gaps in the government's cybersecurity.
Aging infrastructure also creates vulnerabilities: “To minimize cybersecurity incidents and privacy violations, we cannot tolerate weak information management practices, nor can we tolerate outdated IT tools that fail to adequately protect information,” Anand said.
Cyber threats are of increasing concern and can come from nation-state and non-state actors regardless of geographic boundaries. Anand said some dates in 2022 pose a particularly high risk of a cyber incident, such as Feb. 24, the day Russia invaded Ukraine.
The government is also struggling to recruit cybersecurity experts, and the new strategy plans to build partnerships with universities, speed hiring through automation, and train staff from other departments to work in the field.
The strategy sets a timeline for delivering results within two to five years, and the government expects that cybersecurity incidents will still occur, but that they will be able to be responded to quickly and minimize the impact.
Photo: Anita Anand, chair of the Treasury Board of Canada. Photo by David Kawai/Bloomberg
Copyright 2024 Bloomberg.
topic
Cyber Insurtech Canada
interested in cyber-?
Get automated alerts on this topic.
