“The human species is capable of defeating security technology,” said Jennifer Stoddart, Privacy Commissioner of Canada. “Often it’s not through malice but carelessness.”
Privacy issues have shifted significantly from two decades ago, around the same time Canada’s first privacy legislation, the Privacy Act, came into effect. In those days, tax forms tumbling off trucks near Parliament Hill were the privacy commissioner of the day’s biggest concern, said Stoddart, who Tuesday gave a keynote address to technology professionals attending the Infosecurity conference here. Now, the commissioner’s office is dealing with cases like thermal fax rolls being sold to the Crown for access disposal.
“Back then the threat posed by carelessness could be contained,” said Stoddart.
Stoddart’s annual report on the Privacy Act was tabled in Parliament a couple of hours before she spoke to Infosecurity attendees. In it, Stoddart outlined the need for more protection of information shared between Canada and U.S. border officials under the Privacy Act, which hasn’t been amended since it came into effect in 1983 despite efforts by previous privacy commissioners.
Earlier this month, the commissioner tabled a report with the Standing Committee on Access to Information, Privacy and Ethics on her proposed reforms to the Act. In it, she called for government entities not currently governed by either the Privacy Act (which governs how federal departments and agencies handle Canadians’ personal information) or PIPEDA to be brought under one of these pieces of legislation. She also suggested that the Federal Court should have the power to review not only claims of denied access to personal information but also the improper collection, use and disclosure of personal information.
“Too much information is shared verbally between the Canadian and U.S. border,” said Stoddart, who upon her appointment in December 2003 began voicing her concerns on the transborder flow of information. In her 2005-2006 annual report on the Privacy Act, Stoddart presented findings from a recently completed audit of the Canada Border Services Agency (CBSA). The commissioner made 19 recommendations to the CBSA, including the need for a method to identify and track all flows of transborder data and for more transparent cross-border data-sharing activities.
Stoddart added that the recent terrorist-related arrests in Ontario point to the need to step up the fight against new and emerging threats.
“The alleged terrorist plots underscore the importance of addressing security concerns,” she said. “We must also remind ourselves that even the best intentions can go awry.”
Humans aside, the commissioner said privacy is often seen as “throwing a wrench” into technology.
“Privacy must be considered in the development of these technologies,” said Stoddart, pointing to technologies such as RFID, on which her office recently completed a study that appeared in her annual PIPEDA review.
But no matter how much security technology businesses acquire, the first thing they have to consider when developing a business continuity plan is what they represent, said Patrick Gray, senior security strategist, advanced technologies, Cisco Systems Inc.
“No matter how good the technology is (hackers) are always going to circumvent it,” said Gray, who gave the morning keynote at the Infosecurity conference. “Businesses have to ask themselves, ‘What is our posture to the world?’”
Similar to Gray, Patrick Naoum, vice-president of technology and professional services at ESI Information Technologies Inc., a security consulting firm with offices in Montreal, Toronto and Quebec City, said the first question ESI asks its customers is: what are their assets and what is their value?
“Once they do that, we come up with a plan for how to protect their assets,” said Naoum.
Gray is a former FBI agent whose career has ranged from buying heroin on the streets of Baltimore as an undercover officer, to identifying Soviet intelligence officers and trying to persuade them to work for the U.S. government, to, more recently, fighting cyber crime in his last role at Internet Security Systems. He began working for Cisco in December 2005 after meeting with the company’s president and CEO John Chambers, who recruited him for his current role.
Gray went on to say that many businesses have business continuity plans but don’t put them into action.
“When’s the last time you practised that plan?” he asked. “Do you have time to go out of business because you didn’t?”
Kaare Myrland, education program manager at ISC2 Inc., which offers the Certified Information Systems Security Professional (CISSP) accreditation, said education is one of the first things to be cut from a company’s budget.
“North America looks for next-quarter reporting,” said Myrland, adding that many businesses have the attitude that “it can’t happen to me.”
Gray acknowledged that for many businesses, especially small and medium-sized ones, security tools aren’t cheap and hiring specialists can be difficult, but said the best strategy is to protect what you’ve got.
“Businesses have to ask themselves, ‘What is core to our business and how do we protect that core?’” said Gray.
Gray also emphasized the need for collaboration across the IT industry through organizations, but pointed out that the hacker communities around the globe are doing a better job of it right now with conferences like The Fifth Hope and Defcon.
Infosecurity wraps up on Wednesday.