Better Late Than Never: An updated cyber security strategy for Canada

Although its gestation was excessively long, the government of Canada has finally released an updated National Cyber Security Strategy (the first and last such strategy dates back to 2010).

After all these years of preparation and consultation, one might have expected a more thorough and detailed plan as to how the government intends to deal with the burgeoning threats in cyberspace. These have ranged from data breaches involving multi-millions of accounts to sophisticated state conducted cyber penetration operations, such as the 2014 compromise of Government of Canada systems for which China was blamed. Given the magnitude of the threat, it is disappointing that the strategy comes across as a fragmented statement characterized more by expressions of broad intention rather than specific objectives.

Released June 12 by the ministers of public safety, national defence, and innovation, science and economic development, the strategy, subtitled “Canada’s Vision for Security and Prosperity in the Digital Age,” is rather thin on vision and thinner yet on how the goals identified are to be implemented. The three core “themes” — Security and Resilience, Cyber Innovation and Leadership and Collaboration — are described in a broad brush manner (e.g. “we will better protect Canadians from cyber crime”; “the federal government will position Canada as a global leader in cyber security”) that lack tangible expression. Replicating the flawed approach of the 2010 document, “action plans” for realizing the strategy are to come at some future time, with a promise of “clear performance metrics” and reporting on results. Such “action plans” for the 2010 strategy, which were geared to improving the security of the federal government’s own systems and promoting public education, did not appear until 2013 and were never subjected to meaningful evaluation.

Despite the current strategy’s boast that “We will be an example to the world of what can be achieved through a cohesive and coherent National Cyber Security Strategy,” the Canadian product pales in comparison with earlier strategies issued by peer states such as Australia and the United Kingdom. The UK’s National Cyber Security Strategy 2016-2021 is not only a superior policy document in terms of analysis and the specificity of its commitments, but also contains an extensive “Implementation Plan” setting out key objectives and how progress on them is to be measured.

While the strategy claims it will align with other cyber-related initiatives of the government, such as the Canadian military’s use of cyber, a cyber foreign policy, the defence of electoral processes from cyber threats and the 2017 Innovation and Skills Plan, one wonders why it wasn’t possible to integrate these key cyber issues areas into the new “national” strategy. As it is these other initiatives have taken place on a separate track or are still outstanding. For instance, the outcome of last summer’s Defence Policy Review contained major new departures for the Canadian Forces in the cyber security realm, and yet the elusive cyber foreign policy (first promised in 2010) has yet to see the light of day. This partial articulation of policy in a highly-interdependent field hardly reinforces the “coherence” claim being made for the strategy. 

On the international front — a vital dimension of cyber security — the strategy only manages the lame goal that the government “will work with its international partners to advance Canadian interests.” Contrast that with the sophisticated “International Action” chapter of the UK strategy, or the even fuller treatment of Australia’s International Cyber Engagement Strategy of last fall, and I can only hope that my former colleagues at Global Affairs Canada are able to expedite the production of a cyber foreign policy document worthy of the name. 

The Canadian government’s pledge to invest $508 million over five years to support its updated strategy is welcome news, although probably still insufficient given the magnitude of both cyber threats and opportunities (the UK strategy comes with a five-year, £1.9 billion funding level).

A necessary practical measure taken by the government is the creation of a Canadian Centre for Cyber Security in order to provide “one clear and trusted national authority” to interface with the public and private sectors on cyber security matters. The centre is meant to unite staff from existing federal cyber security operations at Public Safety, Shared Services and the Communications Security Establishment. To be effective, this centre will have to be housed in a new, publicly accessible facility, which is slated to open in the summer of 2019 (the UK established its National Cyber Security Centre in October 2016). It is not clear why the RCMP’s new “National Cybercrime Coordination Unit,” also announced in the strategy, could not have been integrated into the envisaged centre, in keeping with the interest of having a single government focal point for cyber security matters. 

In the strategy’s forward it is stated that “the renewal of the existing Cyber Security Strategy has been undertaken with an emphasis on the enormous potential of Canada’s increased leadership in this field.” If this leadership is ever to be more than potential, Canada’s National Cyber Security Strategy will require a more comprehensive policy stance and a measurable implementation plan.