Letter to The Honourable Marco E. L. Mendicino, Minister of Public Safety, responding to the consultation on Canada’s renewed National Cyber Security Strategy

Dear Minister Mendicino:

I am pleased to share with you the Business Council of Canada’s submission on the Government of Canada’s renewed National Cyber Security Strategy.

In the four years since the release of the Government’s last Strategy, the frequency and severity of cyberattacks directed at this country have increased exponentially.

For this reason, we welcome the renewal of the Government’s Strategy, which offers the Government an opportunity to meaningfully engage business leaders on what is needed to secure Canada.

In our view, the Government’s renewed Strategy should focus on three priorities:

  1. Fostering more meaningful public-private collaboration;
  2. Increasing the cyber-resiliency of the Canadian economy; and
  3. Developing and attracting cyber talent.

By no means are these the only measures that will be required to shield Canadians. However, they offer the greatest immediate potential in addressing Canada’s cybersecurity challenges.

Fostering more meaningful public-private collaboration

No single organization can keep pace with the evolving threat posed by cyberattacks. Closer and more meaningful collaboration between governments and business is essential.

Recommendations:

  1. Authorize the Canadian Security Intelligence Service (CSIS) to proactively share threat intelligence and advice with businesses on the frontlines. Companies are an attractive target for cyber actors who seek to disrupt Canada’s economy. Yet legislation severely limits CSIS from working with companies targeted by attacks to strengthen Canada’s resiliency.
    To enhance our shared capacity to detect and respond to growing national security threats, the Government should amend the Canadian Security Intelligence Service Act to enable CSIS to proactively share threat intelligence and advice with businesses where it is in the public interest and subject to all necessary safeguards and oversight.
    Most of Canada’s Five Eyes partners have a legal framework allowing their security agencies to work with the private sector to build greater resilience against national security threats. In fact, Canadian companies with operations in these countries often receive greater access to intelligence and guidance from foreign governments than from Canada.
  2. Enhance Canada’s trusted cybersecurity collaboration network. The Canadian Cyber Threat Exchange (CCTX) is Canada’s only cross-sectoral cybersecurity collaboration hub for public and private sector organizations of all sizes. A not-for-profit organization, CCTX increases the security posture of its membership through proactive planning, preparation, and information-sharing. When CCTX was first envisioned, the Government was meant to be a partner. This did not happen. To increase both the depth and breadth of collaboration going forward, the Government should:
    1. Provide CCTX with the financial and technical support needed to expand its membership and service offerings;
    2. Amend public sector procurement and granting processes to incent vendors and organizations that are part of critical supply chains to join and actively participate in CCTX; and
    3. Require government departments, agencies, and Crown corporations to share relevant cybersecurity knowledge and experience with CCTX.

Increasing the cyber-resiliency of the Canadian economy

If Canada is to remain a secure, reliable, and attractive place to do business, then we must continuously increase our economy’s cyber-resiliency in response to constantly evolving cyber threats.

Recommendations:

  1. Better support critical infrastructure providers. Cyberattacks directed at critical infrastructure pose a costly threat to owners and operators and can jeopardize national and economic security. The Government should establish a centre of excellence within the Canadian Centre for Cyber Security to help critical infrastructure providers enhance their cyber-resiliency. This should include:
    1. Identifying security gaps within designated sectors and working in partnership with industry to mitigate them;
    2. Offering onsite incident response services to critical infrastructure providers that require immediate assistance;
    3. Providing targeted financial incentives to critical infrastructure providers to defray the high costs associated with increasing the resiliency of their assets; and
    4. Convening and supporting regular tabletop and threat hunting exercises where critical infrastructure providers and government stakeholders work through simulated events to improve their collective responses to major cyber incidents.
  2. Strengthen Canada’s cybersecurity industry. A strong and competitive cybersecurity industry increases Canada’s capacity to prevent, detect, and respond to cyberattacks. It also fuels economic growth and creates good, well-paying jobs. To strengthen Canada’s cybersecurity industry, the Government should:
    1. Modernize research and development programs to reward Canadian companies that undertake high-risk cybersecurity research in fields where anticipated near-term returns on investment are low or non-existent;
    2. Establish and fund a commercialization program to bridge the gap between Canadian cybersecurity research and product development in high-impact areas; and
    3. Create opportunities for government agencies, such as the Communications Security Establishment (CSE), to work with private sector innovators to co-develop emerging security solutions.

Developing and attracting cyber talent

Recognizing the vital role that skilled individuals play in bolstering Canada’s cyber defenses, the government should strengthen the country’s ability to develop and attract cyber talent.

Recommendations:

  1. Address the cybersecurity talent shortage. Canada faces a severe shortage of skilled cybersecurity professionals, putting Canada’s critical cyber systems at increased risk. To address Canada’s talent shortage, the Government should:
    1. Incent post-secondary institutions with leading cybersecurity programs, such as the University of New Brunswick and Durham College,to increase cybersecurity enrollment rates and offer students more experiential learning opportunities;
    2. Provide support to organizations with a proven track record of advancing the recruitment and training of underrepresented groups in cybersecurity;
    3. Leverage Canada’s economic-class immigration programs, such as the Global Talent Stream, to attract and retain more skilled cybersecurity professionals; and
    4. Create greater opportunities for personnel exchanges between industry and government agencies, such as CSE, to increase Canada’s ability to attract and retain top-tier talent.

Minister, on behalf of business leaders in all sectors and regions of the country, thank you for this opportunity to contribute to the development of Canada’s next National Cyber Security Strategy. As always, we look forward to working with you and your colleagues to help protect Canadians, now and in the future.

Sincerely,

Goldy Hyder

c.c.

The Honourable Chrystia Freeland, P.C., M.P.
Deputy Prime Minister and Minister of Finance

The Honourable François-Philippe Champagne, P.C., M.P.
Minister of Innovation, Science and Industry

The Honourable Anita Anand, P.C., M.P.
Minister of National Defence

The Honourable Mélanie Joly, P.C., M.P.
Minister of Foreign Affairs