The poor state of cybersecurity of some of Ontario’s school boards, child welfare agencies, municipalities, and hospitals worries the head of the province’s expert panel that just evaluated the condition of the broader public sector.
“Some townships, small municipalities are really struggling,” Robert Wong, former chief information officer (CIO) of Toronto Hydro and currently a member of the board of Ontario’s Independent Electricity System Operator, said in an interview. He is particularly concerned about smaller institutions and their smaller financial and personnel resources.
Usually when an organization reaches what he called “critical mass”, it has “a few dedicated [IT] resources,” he said. “But from what I gathered, there are some that still don’t … They may have one person who is a ‘jack of all trades, and running IT and cyber is ‘Other duties as required.’”
His committee’s report was submitted to the province several months ago, but because of the provincial election over the summer and the appointment of a new Minister of Public and Business Service Delivery, wasn’t publicly released until last month.
Among other things, it concluded there has been a “systemic underinvestment in both legacy technology replacement and cybersecurity’ in the broader public service (BPS).
One of the report’s recommendations is that sectors within Ontario’s BPS be encouraged to move to a shared security services model. An example the report cites is the Canadian Shared Security Operating Centre for universities and colleges across the country.
Some institutions are experimenting with creating Regional Security Operation Centres (RSOCs), the report also notes. Ontario Health has established six Regional Security Operation Center (RSOC) pilots, as well as regional governance mechanisms.
A key recommendation is that the province create a single body to oversee cybersecurity across the entire broader public service, dispensing advice and demanding accountability. It would augment current governance structures responsible for sector-specific cyber security risks.
Wong cites as an example the Ontario Energy Board’s power to compel power utilities to file annual reports stating that they are aware of their cybersecurity risks and have plans to address known gaps. They would also have to file data breach reports to the agency.
Having one body to police a wide range of organizations may seem daunting, but the report also recommends that all BPS organizations in Ontario establish a common cyber security risk operating model for continuous improvement, based on the National Institute of Standards and Technology (NIST) Cyber Security Framework.
Shared resources such as policies, standards, controls and self-assessment tools will promote a common language and understanding of cyber risk across the BPS, the report says.
Ontario should also establish a shared resource or contract vehicle to conduct or independently validate risk and control assessments at regular intervals, as part of the cyber security risk management framework, says the report.
Another recommendation is that the province investigate options for establishing a self-funded cyber insurance program to support the delivery of services such as breach coaching, incident response, and recovery for BPS organizations.
Asked for comment, last week service delivery minister Kaleed Rasheed said his department is “proud of the expert panel’s work and have accepted recommendations outlined in the final report.” However, no timeline for implementing the recommendations was given. “Work is underway to assess and implement measures that will improve and strengthen the province’s cyber security ecosystem,” the statement said.
At the recently-concluded conference of the Municipal Information Systems Association of Ontario’s annual InfoSec conference, the province’s CISO said the report will help in the creation of Ontario’s four-year strategic cybersecurity plan.
While the panel found a number of problems, to Wong the biggest is the lack of governance — meaning leadership from the top of each organization. It’s one of the reasons why he says merely giving more money to the BPS isn’t the solution. “If it [cybersecurity] is important enough to an organization, you will allocate a reasonable portion of your budget towards it,” he maintained.
While having resources is important, “I think the bigger problem that I tried to highlight in the report is the governance issue,” Wong said. “In a lot of organizations that are further behind, to what extent are the key decision-makers familiar and knowledgeable about cybersecurity risk? Have they done a formal, effective assessment of that risk, and prioritized resources and efforts to manage and control that risk? To me, it’s the key decision makers, whether they are board members, school board trustees, or council members in municipalities. The people who make decisions around funding, around resources, around key initiatives and priorities are the ones that ultimately should be held accountable. Ignorance is not a defence. To me that’s the biggest focus. There are organizations who get it, there are folks at the top who get it. And those who don’t.”
To shift that, the report recommends the province mandate that every organization in the BPS should appoint a senior official responsible for cyber security. “Establishing designated responsible individuals will build clear expectations and foster informed executives,” the report explains.
The province should also maintain a consolidated list of cyber security stakeholders across the BPS, the report says, including an authoritative index of each organization’s senior cyber security official, updated annually. The goal is to help management of key stakeholders and foster relationships amongst the BPS community.
The panel found communication between BPS organizations is extremely limited, hampering their ability to share cyber knowledge. They recommend the province create a simple structure that promotes the active communication of resources and collaboration amongst the BPS and key government stakeholders. It should also create a unified critical information-sharing protocol to ensure quick communication of cyber incidents, threat intelligence, and vulnerabilities amongst BPS organizations.
The report also urges the government to embed cybersecurity training in curriculum up to Grade 12, following the lead of Saskatchewan. The ministry of education already has a K-12 cyber protection strategy pilot program. In addition, it recommends Ontario develop foundational cybersecurity training and education for all post-secondary students.
Wong hopes the province will create and release an implementation plan for the recommendations soon. “I hope the implementation plan will be well thought-out and it will be well-structured and co-ordinated. That will be a big challenge to do,” he admits.
“What I don’t want organizations to do is wait until the government comes out with a plan. There are things they can do now.”
When an unnamed organization realized one of their leaders was a member of the expert panel, Wong said, they suddenly got “way more support and traction” on cybersecurity than before. “Just having that awareness of the importance and criticality of this issue I think goes a long way in getting organizations out of their rut and doing things.”