The third sectors processing power in cybersecurity policy
Rattling off data of cybersecurity attacks on Canadians seems an all too repetitive task. Daily, publicly available information is published on the staggering economic and human costs of cybersecurity attacks on our country, whether on small business, municipalities, individuals, or the critical infrastructure that keeps the lights on and food on the shelves. The massive demand for thousands of cyber workers that can be easily viewed by scrolling any job site or the millions of dollars lost to ransomware attacks supports the need to strengthen public policy in cybersecurity.
Canada is no stranger to cyber attacks. A decade ago, the federal government reported an attack requiring our Department of Finance and Treasury Board to disconnect from the Internet. It was ultimately disclosed that sensitive information was stolen and that it took over six months to recover (Hackers stole secret Canadian government data | CBC News). In May of 2020, the Canadian Security Intelligence Service (CSIS) and the Canadian Security Establishment (CSE) issued a rare joint statement highlighting the elevated level of risk to the cyber security of Canadian health organizations involved in the national response to the COVID-19 pandemic. The report highlighted that CSIS saw an “increased risk of foreign interference and espionage due to the extraordinary effort of our businesses and research centres,” to confront the Pandemic with evidence-based science. The tip of the iceberg.
Cyber attacks are frequently targeting all sectors to steal Intellectual Property, state and trade secrets. Thieving seagulls hover over the innovations driving our efforts to reduce climate change, develop new medicines and treatments, and produce technological advances that strengthen prosperity and improve lives.
The drum has been beaten, and the bells have been rung.
Yet, the public policy ecosystem in Canada remains uncertain and misaligned on the path forward. Unlike our allies and adversaries, Canada remains without a comprehensive cyber policy. As Gold, Parsons, Poetranto highlight, the approach remains “ad hoc, spasmodic.” It’s easy to point fingers at governments for the crawling nature of cyber public policy development. With technology developing at lightning speed along with tactics and methods, keeping up with bad actors is a challenging task for policymakers and our elected leaders. Democracies are not intended to move forward without debate and deliberation. Checks and balances are the point.
Add a series of minority governments in Ottawa where passing even important legislation is a challenge, and it is no wonder a comprehensive and transparent policy approach has not been enabled. Provincial and municipal governments are underfunded and lacking a full understanding of the extent to which data resiliency extends. The very definition of cybersecurity is confusing and ever-expanding, with some interpreting the term as privacy rights or cyberbullying and rightfully so. For others, it is the protection of our factories, ports, and critical infrastructure. Policy development in cybersecurity is cumbersome because of the confusion over the term and breadth of which this policy domain extends. Pointing fingers at Canadian public policy for cyber, is in tune to poking a stick at the fog.
The path to maximizing our civil resources is utilizing the collective effort of Canadian society through meaningful coordination of assets. Every day whether in government, the private sector, or civil society, well-intentioned Canadians are working 24/7 to prevent and mitigate attacks.
Skrzeszewski and Cubberley capture the concept well in describing how the Internet has enhanced the social convergence of three societal sectors. Previously, public policy was often based on two clearly defined sectors – the for-profit or private sector and the government or public sector.  The Internet has prompted a re-emergence of the third sector, the non-profit or sometimes described as the civil society sector. The third sector has emerged with a critical role of acting as a coordinating field for the three-sector approach to social, economic, and cultural goals. Not associated directly with the government, civil society organizations may play multiple roles and frequently serve as an alternative for delivering services, where gaps exist in a traditional private-public arrangement. There is a blurring but positive role between sectors that civil society has the perspective to coordinate.
It’s that coordination by arms-length organizations that are producing the effectiveness in mitigating attacks. Whether within the thriving cyber ecosystems of San Antonio or Israel, it is the collaboration of the three sectors delivering success. Civil society is engaging through the Paris Call, the Charter of Trust and other international forums calling for trust and security in cyberspace. Domestic expertise residing outside of government is a necessary component of a comprehensive cybersecurity strategy. Canada can debug and strengthen its cyber policies by opening the door to a thorough engagement with civil society.
As Megan Stifel of the Global Cyber Alliance has pointed out, many of cyber best policy practices were developed by civil society through multi-stakeholder processes.
Collectively, we can have a measurable impact on mitigating and preventing cyberattacks on Canadians. In a world where trust is critical, sharing and collaborating is not a simple task. It is, however, the only way and the Canadian way.
Author: Jeremy Depow | Director, Policy and Stakeholder Relations
 Shackelford & Bohm, Securing North American Critical Infrastructure: A Comparative Case Study in Cybersecurity Regulation, 40 Can.-U.S. L.J. 61, 2016
 Canada’s Scattered and Uncoordinated Cyber Foreign Policy: A Call for Clarity (justsecurity.org)