The federal government is taking steps to protect Canada’s critical infrastructure with dual announcements Wednesday of the Canadian Cyber Incident Response Centre (CCIRC) and a partnership program with Microsoft.
which now has a physical location, will act as a focal point for dealing with cyber security threats, said Julie Spallin, manager of the newly formed centre. It goes beyond the steps taken under the former Office of Critical Infrastructure Protection and Emergency Preparedness in that it is more operational, she said.
“We need one spot in an emergency where all the information comes in, all the tasking goes out and everything is co-ordinated so . . . it has been given a much more central role in operations as opposed to being a division in a department,” said Spallin.
The centre has been operational for a couple of months.
“We have been focusing on information exchange,” Spallin said. “That really is the lifeblood of the centre — how do we exchange information with the private sector and other levels of government, the nuts and bolts operational information, such as incident reports and summary information from various jurisdictions in terms of what they’re seeing in terms of threats, as well as information from vendors in terms of what they’re seeing.”
What the government is mostly seeing, she explained, are viruses.
“The viruses dominate; they’re the noisiest,” she said. “What we’ve seen over the last months and from talking to other partners is there seems to be a trend from the big denial of service viruses that cause services to come down — the slammers, the blasters. It’s now viruses that contain back doors and bots that allow for more intrusion and that type of threat.”
To keep government users and citizens informed of the latest threats and the best ways to respond to them, CCIRC will have a Web site people can visit. As well, said Spallin, it will use a combination of a push and pull approach. It will push information out daily to specific sectors and to those on various lists, and will work with the provinces to co-ordinate information flow as well.
Microsoft also announced today its global security co-operation program, a no-fee program designed to help governments better protect themselves against the threats posed by viruses and hackers by exchanging information about publicly known vulnerabilities Microsoft is investigating, upcoming and released software updates, security incident metrics and Microsoft product security data.
So far, Canada’s PSEP, Chile’s Ministry of the Interior, Norway’s National Security Authority and the State of Delaware’s Department of Technology and Information are signed on as participants in the program.
John Weigelt, chief security advisor for Microsoft Canada, said the plan is to start off with a small number of participants of varying sizes and locations and expand to other interested and eligible nations. But, he added, “In the process by which we let people know what the program entails there is a great deal of confidentiality that is required as we move along.”
Weigelt said governments have recognized the need for the private sector to play a role in critical infrastructure (CI) protection.
“Governments recognize cybersecurity as a key element of (CI protection) and they’re looking at private industry and the role they play, and Microsoft is looking at the role we play with respect to the CI and at how we can engage more effectively with governments, so it’s something that has evolved over time,” he explains. “The security co-operation program provides us a structured program.”
According to Suki Wong, director of critical infrastructure policy in PSEP, the formation of the CCIRC is not related to a report commissioned by the department last year on the state of Canada’s critical infrastructure. The report, which was written by a lawyer at a Toronto legal firm, said a major meltdown of the country’s critical infrastructure was not just possible, it was probable within five years, largely due to faulty IT products and premature software releases.
“This is a direct commitment; it’s a deliverable on Canada’s national security policy announced in April 2004, in that one of the commitments was to enhance public safety and cyber security is an important element of public safety,” said Wong. “This initiative is about partnering with the private sector. From our perspective private sector engagement is key to public safety, so Microsoft is just one of the stakeholders we plan to engage to enhance public safety.”
Wong said the report was done to provoke discussion but it is not government policy.
Mary P. Kirwan, security consultant and CEO of Headfry Inc., said that Microsoft’s involvement may be an attempt to stem the tide of governments that are giving open source more than a passing glance.
“They’re (Microsoft) accepting the global reality that to head off the threat of things like open source they’re having to be more open in terms of what they share,” she said. “Suggestions are they’ve had to do it with the Chinese, they’ve been forced to do it with the European Commission, and they’re prepared to do it on a case by case basis to maintain their dominance. They’re doing it around the world to keep these contracts alive.”
At the same time, though, added Kirwan, while it’s a “prudent PR initiative” for Microsoft, it’s equally prudent for the government to take advantage of the huge resources the private sector has to offer.
Most of a country’s critical infrastructure is in private hands, making it difficult for any government to protect it on its own, she notes. And few governments have an accurate inventory of their critical infrastructure to begin with, making it that much more difficult to protect it.