Cyberattacks on Canadian businesses are increasing in volume and sophistication. Thankfully, Canada’s approach to fighting such threats is also becoming more sophisticated — and, importantly, more co-ordinated.
The Canadian Centre for Cyber Security, unveiled by the federal government late last year, has assumed a leadership role in the fight against cybercrime, collaborating with various levels of government and owners of critical infrastructure (such as energy and telecommunications companies). It has also increased its engagement with Canadian business, entering into an information-sharing pact with the Canadian Cyber Threat Exchange, Canada’s first private sector hub for the exchange and analysis of cybersecurity threat information.
The CCCS-CCTX pact highlights an important principle of cyber-defence that too few Canadian businesses have embraced to date: that companies often face the same threats — from the same threat actors, using the same tools and techniques — and that they stand a much better chance of avoiding and recovering from attacks if they share threat information.
Thankfully, a number of vehicles designed to facilitate varying kinds of co-operation and sharing exist. Here are a few:
Canadian Cyber Threat Exchange: This non-profit provides an exchange platform for members — including some of Canada’s biggest companies, such as RBC, CN and Manulife — to anonymously share raw data from cyberattacks. Pooling member data with commercial data feeds and data from the CCCS, the CCTX is able to analyze threat information and identify attack indicators and patterns.
The end product is actionable threat intelligence that helps CCTX subscribers quickly identify threats and implement measures to protect against them. While there are sector-specific cross-border exchanges offering similar services, the CCTX’s data comes exclusively from Canadian sources, ensuring threat data is relevant to Canadian entities. A fee structure based on organization size makes CCTX membership accessible to even relatively small businesses.
Sectoral Information Sharing and Analysis Centers: Similar to the CCTX in its structure and offerings, a number of international ISACs exist to provide industry-specific threat data exchange and analysis for particular sectors of the global economy. These include the automotive industry, financial services, retail and hospitality and health care.
Conference Board of Canada’s Cyber Security Centre: This arm of the Conference Board provides members access to the Board’s latest research reports and brings together executives from a cross-section of government, critical infrastructure and major corporations in a confidential forum to discuss emerging issues in cybersecurity and to compare notes on current approaches and best practices for combatting cyber-threats.
SERENE-RISC: Funded by the federal Networks of Centres of Excellence, this network brings cybersecurity academics from across the country together with private companies, government and non-profit organizations. Working to bridge the gap between cybersecurity theory and practice, SERENE-RISC gives businesses access to cutting-edge research and the opportunity to share knowledge across industry sectors and academic disciplines.
It is worth bearing in mind that a collaborative approach to cybersecurity is not only good practice but may some day be the law. A settlement proposal tabled for court approval in a recent United States derivative action following a massive consumer data breach required, as one of its terms, that the company join at least one ISAC.
As Canadian case law in the data breach arena matures, we may well see that membership in organizations sharing threat intelligence and best practices in cybersecurity forms part of the expected standard of care for companies doing business in Canada.
However you choose to stay informed, there’s no question that when it comes to protecting your company from advanced cyber-threats, knowledge is power.
Brent J. Arnold is a partner in Gowling WLG’s advocacy department, specializing in commercial litigation, arbitration and cybersecurity.