An Overview of Canada’s First Enterprise Cyber Security Strategy
The Government of Canada now has an Enterprise Cyber Security Strategy. Let's take a look.
In the May Monthly Rewire, I noted that the Government of Canada has released an Enterprise Cyber Security Strategy. Many media outlets overlook the “enterprise” part of the strategy. As a result, let’s look closer to see what the Strategy will address.
What is the Enterprise Cyber Security Strategy?
Whereas the National Cyber Security Strategy addresses Canada's overall whole-of-government approach and direction on cyber security and cyber defence, the Enterprise Cyber Security Strategy is much more specific to the government’s internal cyber security operations.
The strategy lays out multiple reasons for its existence, but the bottom line is the “increasing sophistication and frequency of cyber attacks,” which means the Government of Canada needs to improve its own cyber security operations. While we can all support greater efficiency in government operations, it matters that much more in this case because of the sensitivity of the work. Be it Global Affairs Canada, which has been hit with multiple attacks over the last few years, or Employment and Social Development Canada, attacks can affect the national security of Canada and the personal security of individual Canadians. This creates a greater responsibility for the Government of Canada to ensure its cyber security operations are comprehensive, as effective as possible, and based on established best practices.
The Enterprise Cyber Security Strategy is meant to unify these processes across the Government of Canada.
Purpose and Scope
The strategy lays out the purpose quite coherently:
“define the vision and strategic objectives for the GC that will keep pace with the evolving cyber security risk landscape, improve cyber security maturity and optimize GC cyber security investments
develop a future state for the cyber security of government operations with supporting governance, oversight, and clear roles and responsibilities
identify initiatives and requisite investments to support the implementation of the Strategy.”
What Informs the Strategy?
While this might be the first enterprise security strategy, the Government of Canada has been focusing significantly on developing its e-government services and delivery. Its services have been bolstered by a wide set of policies and plans, which have been slowly accumulating and being updated over the same period, but the overall strategic policy framework regarding security operations has generally lagged behind the delivery of services. The result is a layered but ad hoc approach where direction is divided across multiple policies and directives. The introduction of an Enterprise Cyber Security Strategy may be one step towards better aligning these policies. While I may be missing some, listed below are some of the policies, directives, and plans which govern the Government of Canada’s cyber security activities. This includes:
The National Cyber Security Strategy, last released in 2018, and its companion Action Plan also apply, but they will soon be replaced. A new National Cyber Security Strategy is supposed to be released this year, which we have been anxiously waiting for since December 2021.
There are likely some that I am missing, but the overall point is that the Government of Canada’s policies and directives covering its cyber security operations are complex and multi-layered.
If all of these weren’t reasons enough to develop an enterprise cyber security strategy to unify security operations, there are many drivers outside the government that are putting greater pressure on the Government of Canada’s operations. These include the growing demand for the delivery of digital services, a recognition that the future of work involves more remote and digital work, and an overall commitment to technology modernization.
In addition, it is interesting to see the government frame its commitment to improving security as reducing the carbon footprint of cyber attacks and breaches, which “result in significant energy consumption.” Logically, this makes sense, and monitoring energy consumption is an important metric that may indicate an attack, but I am unaware of any research that looks specifically at this. This is stated alongside the government's social responsibility to protect its operations for the same reasons mentioned above.
Where is the Government Right Now?
What I find odd in this strategy is that the government attempts to frame efforts that go back years as “progress to date” on the Enterprise Cyber Security Strategy. This creates a false impression that these efforts are part of a coherent plan rather than sporadic developments. This is not to say anything that the government has done is bad, far from it, as the Canadian Centre for Cyber Security and the other developments the government mentions are great, but they are attempting to paint a picture in which the Government of Canada has had a coherent, informed engagement with cyber security.
Instead, the Government of Canada’s approach to cyber security has largely been ad hoc, and often the result of pressure external to the government, be it cyber attacks or ongoing criticism, both domestic and international.
Gaps
Nevertheless, we can take the progress to date as establishing where the government is already doing well, which in turn helps to establish the eight gaps that the strategy identifies and aims to address:
Varying levels of cyber maturity
Lack of comprehensive awareness of the cyber security risk environment
Disparate approaches to, and a lack of coordinated investment in, various security capabilities can lead to inconsistencies, inefficiencies, and blind spots in the government’s overall security posture
ICAM, Security Monitoring, and Common Services are all subpoints
Traditional security architecture models are less effective as users and applications now exist outside the traditional network perimeter
Zero trust! This is essentially an acknowledgement that the government needs to adopt zero trust. I would have hoped for more here, but this is great nonetheless.
Misalignment between traditional approaches for security assessments and agile delivery methodologies
Weak information management practices
This is something that I have been stressing about the Department of National Defence and the Canadian Armed Forces. The reality is that it’s a major problem across the Government of Canada. Poor information management practices can lead, and have led, to a host of problems, including extremely slow access-to-information processes and government departments hiding information, which increases the likelihood of corruption.
Immature cyber security event management practices
Challenges related to people and culture of security
I love that this was included. There is a general ignorance that almost amounts to hubris related to cyber security and security in general in the government. It is often treated as a tertiary activity instead of a central responsibility of everyone in government.
Insider threats are specifically identified as a concern, which improved information management practices can help to deter.
Importantly, they recognize that individual cyber security training is lacking, which presents a need to upskill personnel on cyber security. In particular, it notes the need for leadership and knowledge in cyber security.
Stakeholders
With the gaps identified, who will be addressing all of this? There are four stakeholders, which are the big players you would expect:
Treasury Board of Canada Secretariat: They’re the ones putting out this strategy. They are responsible for the overall policy and direction of cyber security and cyber defence, and for Government of Canada cyber security event management.
Communication Security Establishment (CSE) and Canadian Centre for Cyber Security (CCCS): These are the cyber defence experts on the frontline of identifying threats and informing the government and public.
Shared Services Canada (SSC): They’re the ones that will predominantly be responsible for rolling this strategy out with the individual departments and agencies. SSC is in charge of the overall enterprise IT infrastructure and management of security services.
Departments and agencies: Although the above organizations are in charge of the big picture of security operations, individual departments and agencies are responsible for their own day-to-day management of cyber security. Their services will be on the front line, with SSC and CSE/CCCS overseeing the entire enterprise of Government of Canada cyber security and cyber defence.
Objectives
Four overarching strategic objectives are established to address the gaps identified in enterprise cyber security operations. Each strategic objective has key actions that the government will take, which it expects to fulfill the objective. Importantly, they provide performance indicators for each of these actions. This shows the depth of their approach to enterprise security, which is notably not just a technical one. There are major policy and cultural changes that the government needs to address.
My one concern is that, based on discussions I have had with those in government, top management and politicians are the most uneducated and resistant. The strategy specifically notes a need to upskill management, but I am wary of just how effective this will be in making the dramatic country-level changes we need. This will be shown in the upcoming National Cyber Security Strategy.
Logic Model
Rather than provide specific timelines, a “logic model” is developed to outline the expected outcomes in relation to how long they expect it to take. This begins to show just how comprehensive this plan is and how far out they are thinking here. This is a major positive step, which I hope they maintain.
Takeaways
We could likely nitpick at the strategy regarding its approach to enterprise cyber security, but it's a good thing they developed one and implemented it in the first place.
This is not a replacement for the National Cyber Security Strategy. It can best be thought of as one small point that the National Cyber Security Strategy would cover. If anything, it stresses the greater need for a National Cyber Security Strategy.
The strategy does have a supporting implementation fund of $11.1 million over 5 years from Budget 2024. Despite this being a positive, it may matter little when individual departments are in charge of implementing the strategy by improving their own cyber security operations. Any major funding for enterprise security would come from individual departments’ budgets to adhere to the new strategy.
As a policy analyst and social scientist, I am thrilled to see attention to the need for greater education and engagement with cyber security and cyber defence as a social issue. While everyone can understand and agree that cyber security is important, understanding how to effectively develop policy that addresses cyber security and cyber defence while taking into account the social and technical complexities is difficult. We have policy analysts specializing in defence, human resources, and terrorism, but the Government of Canada has lagged in recognizing this massive gap in its governmental expertise.
I cannot say enough how much of a major step forward this is for the Government of Canada and particularly the Treasury Board. There is a need for serious engagement with information security and cyber policies, specifically concerning National Defence. This is largely about enabling a policy and bureaucratic environment to support the innovation needed by the Canadian Armed Forces. However, I fear saying this is like hoping for procurement reform.