Opinion February 5, 2024

Spy business: Why CSIS and corporate Canada must join forces in the war against cyberattacks

Goldy Hyder – President and Chief Executive Officer, Business Council of Canada

Digital Economy and Cybersecurity Industry and innovation Regulation

Spies don’t often speak publicly. So, when they do, it’s important to listen.

It’s even more important when they are leaders of the ‘Five Eyes’ intelligence partnership, who gathered for their first-ever public meeting to share a common message.

That’s why I travelled — at the invitation of the Canadian Security Intelligence Service — to Stanford University last October to learn from what the chiefs of the Five Eyes’ domestic security agencies had to say.

Their message was as clear as it was unprecedented: to protect our countries from growing security threats, businesses and security agencies must work closer than ever before to strengthen the resiliency of our economies.

Canada’s business community couldn’t agree more. And it appears that the government of Canada may agree too.

In an era of growing geopolitical conflict, in which supply chains, infrastructure networks, and technological innovation increasingly determine strategic advantage, government is no longer the only — even the primary — target of our foreign adversaries.

In virtually every sector and region of our country, Canadian businesses now regularly find themselves in the crosshairs of malicious state actors seeking to advance their national interests in ways that can, and do, undermine Canada’s national security.

This should concern all Canadians.

The threats aren’t abstract, nor do they exist in a vacuum. Attacks target the infrastructure needed to heat and power our homes. They target supply chains that provide our families with low-cost food and medicine. They target commercially valuable information that creates good jobs and helps pay our bills. In short, economic security threats put Canadians’ very safety, security, and prosperity at risk.

To be sure, businesses and governments invest billions each year to keep Canadians safe from these and related attacks. But, if we want to be truly effective in countering increasingly sophisticated and pervasive threats to our way of life, then we must replace our independent efforts with collective action.

As the security chiefs made clear in October, leaders from business and government must commit to moving forward in true collaboration, contributing increased resources, attention, and expertise to the challenge.

Christopher Wray, Director of the Federal Bureau of Investigation, spoke of the FBI being “in the midst of a paradigm shift” in the way in which his agency “engages with the private sector.”

The FBI has an entire office dedicated to working with the private sector, with an assistant director who meets daily with Director Wray.

Every FBI field office — all 56 of them — have a private sector co-ordinator who interacts with businesses scattered across the U.S.

Perhaps the most telling sign of the FBI’s transformative approach to partnership is the agency’s cyber squads. They aren’t just working with businesses to harden their infrastructure, but also conducting joint operations to disrupt adversaries before they strike.

CSIS Director David Vigneault has publicly advocated for this level of collaboration in Canada. But right now, he lacks the necessary powers.

Unlike the domestic security agencies of Canada’s Five Eyes partners, which possess modern authorities allowing them to engage in meaningful, two-way communication with their business communities, CSIS’s nearly 40-year-old governing legislation prohibits the agency from sharing all but the most generalized information with the private sector.

Without being able to engage in a dialogue with businesses, CSIS is effectively prevented from fostering the partnerships needed to protect Canadians.

For this reason, the business community was encouraged when the government launched consultations late last year contemplating the granting of new information sharing authorities to CSIS.

With the consultations closing this past Friday, business leaders urge the government to move quickly to grant CSIS the same powers that other Five Eyes security agencies possess to improve businesses’ awareness and resiliency against malicious attacks.

With new authorities, CSIS could communicate more specific and tangible information with companies. This would give business leaders a clearer understanding of the threat and the protective measures that could be taken to better safeguard their employees, customers, as well as the communities in which they operate.

The use of these new authorities would also benefit the government by helping CSIS build greater trust with the private sector. This would encourage business leaders to share more with Ottawa about the threats they’re seeing, which would better inform policy as well as improve CSIS’s ability to investigate, analyze and respond to threats.

Of course, the granting of new information sharing powers must be consistent with the values we share in our democracy, including respect for a free and fair marketplace as well as the protection of individuals’ rights and freedoms.

Here again, Canada can look to the examples set by our Five Eyes allies who have sought to respond to an increasingly hostile world in a fashion that best reflects what democracies stand for.

Canada’s business community is ready to step up and partner with CSIS to protect Canadians. We hope the government seizes this opportunity by giving CSIS the legislatives powers to reciprocate. As Director Vigneault noted in October: “We’re all partners in this work. Our future security and prosperity are directly affected by the actions that we’re going to take together.”