Government will establish federated security operations centre (SOC) architecture
The federal government has released its first-ever Enterprise Cyber Security Strategy, detailing how it plans to improve cyber security across government departments and agencies.
“In a world where going digital is more and more our reality, we must ensure that our systems remain secure from cyber threats and deliver the highest quality of programs and services to Canadians,” said Anita Anand, president of the Treasury Board.
“To achieve this, we are announcing the first of its kind GC Enterprise Cyber Security Strategy to help us manage risk, prevent cyber attacks, strengthen our resilience, and cultivate a strong cyber security culture. Together, with our partners we will work to support a robust and modern digital infrastructure while ensuring our workforce has the talent and knowledge to foster cyber security.”
Ottawa’s Budget 2024 is setting aside $11.1 million over 5 years for the strategy.
Recently, Ontario proposed legislation to strengthen the cybersecurity capabilities of the public sector.
What is the Canadian cyber security strategy?
Under the Enterprise Cyber Security Strategy, Ottawa will establish a federated security operations centre (SOC) architecture that is “commensurate with the operational needs of departments and agencies”.
This includes:
- A centralized or command SOC at the Cyber Centre that monitors the overarching GC security infrastructure (including on-premise networks, cloud environments and other endpoints) where departments benefit from the cyber defence ecosystem and gain access to their data via a security analytics platform.
- A multi-function infrastructure security and network operations centre (ISNOC) at SSC to enable effective network monitoring for the well-being of core departments and agencies under SSC’s mandate, along with the cyber security of common solutions provided by SSC, as well as to support the Cyber Centre and departmental security teams.
- Specialized local SOCs for select departments and agencies that demonstrate sufficient maturity and that require additional visibility and nuanced metrics as a result of their unique mandates or business needs, which require enhanced monitoring to support the cyber security of program and service delivery.
- Managed SOC services for departments and agencies that do not have sufficient maturity related to monitoring capabilities or resources, and that require hands-on coordination support.
Recently, the personal data of employees were compromised in a London Drugs cyberattack. Within the public sector, the Financial Transactions and Reports Analysis Centre of Canada, the Royal Canadian Mounted Police (RCMP) and Global Affairs Canada have all dealt with cyber incidents this year so far, according to Bloomberg.
The first phase of implementation of the Canadian cyber security strategy will begin immediately and support:
- establishing a centralized evaluation system with independent assessments and thorough reviews of departments' cybersecurity to identify and prioritize risks
- creating a federated integrated risk management platform to enable prioritization and data-driven reporting as a key part of a broader enterprise portfolio management system
- creating a government-wide vulnerability management program for a coordinated vulnerability disclosure process, with a focus on people, processes, policies, and technology
- forming a new Purple Team that will emulate techniques used by malicious threat actors against government systems to proactively test and audit any security gaps.
Hiring for cybersecurity
The strategy also plans to create partnerships with colleges and universities, accelerate hiring through automation and train employees in other departments to work in the field, according to the Bloomberg report.
The global cybersecurity workforce grew 8.7% to 5.5 million people between 2022 and 2023, but that does not completely address the technology skills gap, according to a previous report from Mercer. This shortage causes a lot of concern for employers, especially when it comes to cybersecurity.
The strategy sets a timeline for results within two to five years. While the federal government expects there will still be some cybersecurity incidents, it expects it will be able to quickly respond to them and minimize the impacts.
“It’s not only other governments in our country and private enterprises that must ensure they have strong protections against cyber threats and cyberattacks, but the very government of Canada itself must ensure that our systems are protected,” Anand said in the Bloomberg report.
“Therefore, individual citizens’ information is protected and therefore we can better ensure the delivery of services.”