Editor’s Note: Personal responsibility is a necessary but not sufficient condition for cybersecurity.

From: Vancouver Sun

By Jordan Press

OTTAWA — Canadians and the federal government don’t want more regulations over how we use our mobile and Internet-connected devices all in the name of cyber-security, a high-profile Tory senator says.

Sen. Pamela Wallin, who chairs the Senate’s defence committee, told a room full of security experts Tuesday it was up to businesses to be honest with their customers about cyber-security breaches, and up to an older generation of Canadians to educate a younger generation, who are naïve about their safety from hackers, on how to stay safe from cyber-criminals.

And with it easier and cheaper to inflict damage from cyberspace than through  conventional arms, it won’t take long for cyber-terrorism to overtake  cyber-espionage as a major threat online, she said.

“That’s a whole new paradigm,” Wallin told a security conference Tuesday. “This, as they say, is war.”

In a 30-minute session with conference attendees, Wallin said American warnings of a “cyber Pearl Harbor” should be heeded. Hackers were able to take down the government of Estonia’s system five years ago in a two-week-long campaign that Wallin called “just a taste of what could happen.”

It was time for Canadians to take some personal responsibility, she said,  because too many people don’t follow basic security measures that leave other  Canadians vulnerable to hackers.

“This world that we all know and love and use presents unpredictable  opportunities for the bad guys,” she said.

Dealing with that threat environment is a challenge for the federal government, with officials telling the auditor general’s office they worried that threats were evolving too quickly for the government to keep up. Wallin said every politician and senior bureaucrat tries to keep up with evolving threats, but constant personnel changes within department bureaucracies make it hard for managers to stay on top of departmental cyber-security efforts.

Earlier this year, hackers took down the parliamentary website, and last year hackers using Chinese-based servers infiltrated Treasury Board and Department of Finance servers, although experts suggest the hack was only caught last year and may have been going on for weeks or months. It took more than a week for the latter to be reported to the government’s central cyber-incident monitoring agency.

And when a series of online attacks took down the websites of Quebec  government ministries, some departments were so spooked that they pulled the  plug on their networks because they were at a loss to defend themselves, said  Ray George Chehata, president of Quebec-based cyber-security firm Above  Security.

Last week, the auditor general found flaws in the government’s cyber-security strategy, notably that information wasn’t being shared across departments and with the central agency created to evaluate threats and then warn the public and businesses, the Canadian Cyber Incident Reporting Centre. Auditors were also unable to track the majority of the almost $1 billion in one-time and ongoing spending the government approved for cyber-security, only identifying $20.9 million that went to cyber-security.

The incident reporting centre will be open 15 hours a day starting next  month, up from the banker’s hours it keeps now. A staffer will still be on call  outside business hours, although the auditor general’s report suggested the  centre remain open 24 hours a day.

Public Safety Minister Vic Toews defended the government’s actions on  cyber-security again on Tuesday, telling the same conference he felt the  government had made “exceptional progress in the midst of a rapidly evolving  threat environment.”

Canadians should have a better idea of the threat of cyber-crime by the  spring. A British-based, independent cyber-security organization announced it  was launching a four-month study to put detailed numbers on the scope, nature  and price of cyber-crime in Canada.

For the study to be accurate, it will require about 500 businesses across the country and across industries to give up information about security efforts and breaches. Many businesses are leery of handing out the information, especially to the government, worried that it will be used to turn them into cyber-crime victims.

E-commerce is big business in Canada, with $15 billion in sales happening  online. That means cyber-crime is big business too: Canadian banks lose about $2  billion annually to cyber-criminals.

Most large businesses — those that have more than $4 million in revenue — should be able to cover the costs associated with cyber-security, but the same can’t be said of small businesses that are trying to shave costs during a tough economic time and are acting on a “wing and a prayer,” said John Lyon, CEO of the International Cyber Security Protection Alliance, which will conduct the study. Spending on cyber-security, he said, should be about five to eight per cent of IT budget.

For governments, there needs to be one cabinet minister responsible for  cyber-security, he said, eliminating “too many people with fingers in the  pie.”

“Because technology spreads right across government, and because the threat  spreads right across government, and right across our society and our  businesses, in my view you need one person who carries the can and has overall  responsibility — some great cyber-czar who really has the muscle and prime  minister’s backing to take control,” Lyon said.

“It is a mammoth coordination task, but it needs to be done.”