This year’s string of high-profile cyberattacks on critical infrastructure — involving, among other targets, a water treatment plant in Oldsmar, Florida, in February; Colonial Pipeline and JBS Foods in May; and a flood of ransomware to more than 1,000 businesses in 17 countries via tech company Kaseya’s hacked software, in July — demonstrates that these incidents are increasing in number, sophistication and potential for damage.
Policy makers must move to combat these threats effectively, now. There is no time to waste.
More than a business issue, cyberthreats have become an international security issue, with countries weaponizing cyberattacks against their enemies. According to World Economic Forum data, such attacks can be classified as a significant global risk, given their capacity for destruction. Cybersecurity Ventures’ researchers estimate that cybercrime will cost the world $10.5 trillion annually by 2025 — a figure significantly greater than the cost of damage inflicted by natural disasters each year.
Canadians may take for granted that the attacks detailed behind these news headlines originate in the United States or abroad, but in fact the threat of a cyberattack domestically is growing. In a recent assessment, experts from the Canadian Centre for Cyber Security acknowledged that “state-sponsored cyber threat actors continue to conduct cyber espionage against Canadian businesses and critical infrastructure to advance their national strategic objectives.”
Just as the number of attacks is growing, the potential impacts of a breach are also increasing, with both short-term and long-term catalysts at play. Meanwhile, Canada is in the process of shifting from a tangible to an intangible economy. Whereas our value creation used to focus on natural resources — it’s hard to hack a mine to steal gold — the value we create today as a national economy is in the form of intellectual property — biotech secrets, artificial intelligence algorithms, aerospace designs — all of which can be digitally copied, damaged or held for ransom from anywhere in the world.
The COVID-19 pandemic is another catalyst, where we’ve seen a massive shift to remote work, increasing the “attack surface” through which threat actors are able to gain access to the value created in our knowledge-based industries. It’s as easy as getting a worker to click on a link that they shouldn’t in a well-crafted phishing email.
But Canada is not defenceless.
The Canadian government and the private sector can take this opportunity to lead, acknowledge the growing level of cyberthreats, and feel empowered to be proactive in deterring and fighting back against these attacks.
Canada must begin building greater capacity in domestic cybersecurity to manage the challenges of today and tomorrow. This will take investment, intentionality and effort, but it is possible, and it is crucial.
One initiative that seeks to address this growing problem is the CyberSecure Canada certification program, developed by the Innovation, Science and Economic Development and Communications Security Establishment agencies. This program, which arose from stakeholder strategy sessions with the CIO Strategy Council, provides small and medium-sized enterprises with a curriculum that enhances their cybersecurity processes and seeks to standardize cybersecurity best practices.
This program is a crucial step because it lays out the tools and processes businesses need to increase their cyber resilience, thereby reducing the risk of a breach and helping with things like qualifying for cyber insurance. Further, the CIO Strategy Council is creating a series of cybersecurity standards for both the private and the public sector.
The challenge now is to implement. Unfortunately, the world at large is suffering from a shortage of skilled cyber workers, with Cybersecurity Ventures citing the statistic that in 2020 there were 3.5 million cybersecurity jobs unfilled, up from one million in 2014. This presents an opportunity for job creation and building prosperity in Canada.
We currently pay employers to hire summer students — where are the cybersecurity jobs grants? We currently incentivize companies to invest in innovation via the Scientific Research and Experimental Development Tax Incentive Program — where are the tax credits to ensure those innovations are kept safe and not stolen? Where are the programs to match cyberwarfare reservists who have existing domain expertise to defend military systems with commercial companies, executing the same mission that protects our commercial systems in banks, power plants and other critical infrastructure?
In combination, the catalysts presented by our move to an intangible, knowledge-based economy and the sudden shift to remote work present an existential risk to our nation. But, under the direction of the right leaders, these developments can become an opportunity for greater prosperity in Canada.
Canada has the tools, technology and resources to make significant gains in securing our organizational and individual devices and systems against attack. But there must be a collective will and push from all levels of the government and private sector to transform that vision into reality.