More than most countries, Canada is critically reliant on its transportation and communications infrastructure.
If The Bad Guys, or even Mother Nature, were to shut down a few key railway lines, or cancel all the flights between Alberta and Ontario, or poison the Toronto subway system, we'd be in very serious trouble. If a few key computer systems became infected with a worm or virus, highly confidential information could be spewed all over the Internet.
If things go bad, who are we gonna call? Ghostbusters?
The federal government believes it has a better idea. It already operates a Norad-like 24/7 operations centre that monitors incidents and "provides strategic level co-ordination and direction on behalf of the government of Canada."
It says it's ready for anything from another ice storm to a co-ordinated cyberattack on government computers. But there's a problem. Much of Canada's critical infrastructure is in the hands of the private sector. The phone companies. The airlines. The gas pipelines.
So Public Safety and Emergency Preparedness Canada (PSEPC) has been given the mandate to create a national emergency response system that would tie together all levels of government, as well as key private-sector players.
"It's in operation right now," says Julie Spallin, acting director of PSEPC's new Canadian Cyber Incident Response Centre (CCIRC) "but in terms of an actual mature system, we're probably about six months away."
It all starts with realizing that there's a problem, according to Barry McLean, director of the Alberta/Northwest Territories/Nunavut office of PSEPC. McLean recently presented a talk to the Security Professionals Information Exchange Society (SPIE), a Calgary-based group of computer security professionals. He listed nine critical infrastructure areas, among them transportation, communications and information technology, health care, finance, and energy and utilities.
Of course the primary responsibility for each of these areas rests with a different federal government department, so part of PSEPC's job is to bring about some co-ordination. As 9/11 taught the U.S., communication is vital in times of disaster. So PSEPC's plans call for a national alerting system. And, as everyone knows, computers will play a "make-it-or-break-it" role.Hence the beefed-up efforts to protect Canada's computers, both public and private. "We have a clear mandate within the federal government," says PSEPC's Spallin. "We deal directly with the provinces and we've started to do some work with critical infrastructure sectors, primarily telecommunications, because if they're not functioning, the impact is very widespread."
And while she can basically order a government computer user to co-operate, the carrot must replace the stick when dealing with the private sector. "That's a real challenge for us between the private and the public sector, sharing that information," she says, They ought to co-operate, she notes, but if they don't, it's their problem.
"You have to look at those companies, like Bell and Telus," she says. "They're ultimately responsible for the security of their infrastructure to their shareholders."
Spallin's challenge is to make it worthwhile for private players to co-operate with the government, especially in Western Canada, where many see "we're from the government and we're here to help you" as a cruel joke.
Spallin points to a recent information-sharing agreement with Microsoft as a positive step forward. "I think they got tired of me calling them up saying: 'C'mon you've got to give us more information,'" she jokes.
So the Canadian government recently became the first signatory to Microsoft's security co-operation program. Chile, Norway and the State of Delaware have followed suit. Spallin explains that this formal agreement, which carries no fee, gives her staff 24/7 access to Microsoft's top experts. They'll receive timely warnings of new threats and can alert those in Canada with a need to know.
It works both ways, so the feds will also share information with Microsoft.
Is this getting a little too cozy with one vendor? "We have to look at the risk environment," Spallin says. "We figured they were a good partner to start with and they were quite keen. But there are lots of companies that we'll have to address. I think that companies that deal with routers and that type of infrastructure are going to be key to us also."
As for how CCIRC will actually snap into action in a cybercrisis, the announcement says it will include "a cyber triage unit that can assess the information it receives and co-ordinate the appropriate response.”
That unit will be staffed by representatives from PSEPC, the Royal Canadian Mounted Police and the Canadian Security Intelligence Service.
They also hope to raise awareness of security issues across Canada. Suki Wong, acting director of critical infrastructure policy at PSEPC, says they hope to "enhance public awareness of IT security, not just in business but also in home users."
This is not the first time a centralized approach to cybersecurity has been tried. Carnegie Mellon University in Pittsburgh started the Computer Emergency Response Team (CERT/CC) in 1988 after the infamous Morris Worm infected about 2,500 computers. Of course, that was at a time when the whole Internet consisted of approximately 60,000 computers. Today's cybersecurity problems are bigger, uglier and harder to fix.
CERT/CC is still operating with 35 employees. The Canadian version, CanCERT, is run by Electronic Warfare Associates-Canada Ltd., a private company.
Are all these cyber do-gooders duplicating efforts? Spallin says no. "The more CERTs in Canada, the better. The real key challenge is: How do we take all these capacities that we have, to have a co-ordinated response to events?" I guess we'll have to wait for the next really big emergency to find out how well they do. The bad news is that we probably won't have too long to wait.
Web watch:
www.psepc.gc.ca/ccirc
www.spie.ca
www.cancert.ca
(Tom Keenan is a professor at the University of Calgary and an expert on technology and its social implications. He can be reached at keenan@businessedge.ca)
