The overall state of Canadian cyber security can be summarized in one word: dismal. Individuals and organizations of all types and sizes continue to suffer security breaches at an alarming rate. Many are undetected, and few are reported to authorities.
The 2015 Royal Canadian Mounted Police (RCMP) Cybercrime Strategy begins, “In 2010, the Government of Canada launched Canada’s Cyber Security Strategy to protect Canadian governments, businesses, critical infrastructure and citizens from cyber threats. The Strategy helped shape Canada’s knowledge of cyber technology and guides Canada’s efforts in securing government and other vital systems, and protecting Canadians online.” Canadians are still waiting for this protection to materialize.
The report explains that “The RCMP takes an intelligence-led approach to policing. Criminal intelligence allows law enforcement to ‘connect the dots’ of information from local to national and international criminal activity. Whether tactical, operational or strategic, criminal intelligence enables the RCMP and other Canadian police forces to set priorities and allocate resources based on the most significant criminal threats to Canada. This concept also applies to cybercrime, especially given its transnational dimension and the inherent need to identify patterns and relationships between cybercrime data and other relevant data sources from multiple jurisdictions.”
An intelligence-led approach makes sense for a federal police force, but at the risk of stating the obvious, reliable collection of information is required to develop that intelligence. According to the report, in 2013 the RCMP “received over 4,400 reported incidents of cybercrime.”
In sharp contrast, a 2016 PricewaterhouseCoopers study found that 28 per cent of Canadian respondents confirmed being affected by cybercrime in the last 24 months, and concluded that “If cybercrime continues increasing at the same rate, this means that almost one in every three businesses is likely to be a victim of cybercrime and will be open to being affected both financially and on a reputational level.”
According to Industry Canada, “as of December 2015, there were 1.17 million employer businesses in Canada.” Even if only ten per cent of businesses were victims of cybercrime each year, it would suggest that the RCMP are seeing less than 3 per cent of the big picture, and that does not take into account cybercrimes against individuals. Merely scratching the surface does not provide the RCMP with useful intelligence.
The unpleasant reality is that Canadians and Canadian businesses do not report the vast majority of cybercrime to the police because there is seldom any benefit in doing so. The time involved in making a report and supporting an investigation (in the unlikely event police choose to investigate), combined with the increased potential for negative media exposure, only increases the loss to the victim.
A paradigm shift is required to combat cybercrime in Canada. Collecting reports and investigating a small percentage of them clearly does not work. Canadians need cybercrime prevention and effective information sharing.
Most Canadian police forces have some sort of crime prevention program, but Canadian law enforcement remains predominantly reactive. Police departments only have the resources to investigate a small percentage of cybercrime, and criminals are well aware of that fact. While cybercrime investigation budgets should be increased, prevention initiatives would be a more effective use of taxpayers’ dollars.
Some Canadian businesses quietly share cybersecurity information within their sector, but most have no mechanism to do so. The not-for-profit Canadian Cyber Threat Exchange showed some promise, but with membership fees ranging from $5,000 to $50,000, few Canadian businesses will join. The federal government has, to date, not participated in any meaningful cybersecurity information sharing initiatives.
To protect Canadians, the federal government must establish effective information sharing with individuals and businesses of all sizes. New frameworks are required to facilitate anonymous reporting within a trusted environment. Public servants have to overcome their propensity to over-classify information, and their inherent distrust of the private sector. Canadians, in turn, must understand that government agencies require accurate, comprehensive information to fully appreciate the magnitude of the cybercrime problem.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…