Canada Considers Mandatory Reporting Of Cyber Attacks

Canada’s Public Safety Minister Marco Mendicino has said recently that the federal government is looking into requiring Canadian businesses and companies to report cyber attacks. “We are considering very carefully, this is an option,” Mendicino told members of the Public Security and National Security Council.

Mendicino also warns of increased risk of cyber attacks from Russia and others amid a global threat environment that continues to shake the foundations of the post-second World War international order. 

Canada’s public safety minister says the federal government is weighing introducing mandatory incident reporting for cyber crimes to better understand their prevalence domestically and how to prevent them going forward. Speaking to the House of Commons Public Safety and National Security committee about Canada’s security posture in relation to Russia, Mendicino said the government is on “high alert” for cybercrime activity.

“I cannot emphasise enough how important it is that in the current geopolitical environment within which we find ourselves that we are very much on high alert for potential attacks from hostile state actors like Russia, which could manifest through cyber attacks, through ransomware, which look to identify potentially valuable targets to Canadian interests, like critical infrastructure,” he said.

Asked by NDP MP Alistair MacGregor whether Ottawa is considering making it mandatory for all sectors, the minister said “I absolutely think it's something that we need to be considering, for sure, yeah, it's an option that we're considering very carefully.” MacGregor said the committee has heard from some witnesses who have called for mandatory incident reporting. "Sometimes businesses are loath to report that they have been held hostage by ransomware," MacGregor told Mendicino. "They find it's easier to pay off the person, not report it. Also, there can be a threat for further damages if they do in fact report to the authorities.

Mendicino warned MPs on the committee that the current international situation has increased the threat of cyber attacks on Canadian businesses, organisations and diverse levels of government.

"I cannot emphasise enough how important it is that in the current geopolitical environment ... we are very much on high alert for potential attacks from hostile state actors, like Russia," he said. The minister said those attacks "could manifest through cyber attacks, through ransomware, which look to identify potentially valuable targets to Canadian interests, like critical infrastructure, but equally to subnational targets, different orders of government and other sectors of the economy."

Since the government created the Canadian Centre for Cyber Security, (CCCS) it has been sharing cyber threat information with owners and operators of Canadian critical infrastructure. The federal government also has created a special unit within the RCMP to coordinate police operations against cyber criminals. 

The CCCS has issued a number of bulletins warning Canadians of the potential for cyber attacks by Russian state-backed actors who may try to assault critical infrastructure, such as electricity systems.

In its National Threat Assessment 2020 report, which laid out its predictions for the next two years, the centre said the number of bad actors is rising and they're getting more sophisticated. It warned of a potential increase across Canada in cybercrime, ransomware attacks and commercial espionage, particularly against Canadian businesses, academic institutions and governments that may have proprietary information.

"Canadian organisations of all sizes, such as small and medium-sized enterprises, municipalities, universities and critical infrastructure providers, face a growing number of cyber threats," the centre wrote in its report. "These organisations control a range of assets that are of interest to cyber threat actors, including intellectual property, financial information and payment systems, data about customers, partners and suppliers and industrial plants and machinery." 

The value of ransomware payments is also on the rise, the CCCS warned. "Ransomware researchers estimate that the average ransom demand increased by 33 per cent since Q4 2019 to approximately $148,700 CAD in Q1 2020 due to the impact of targeted ransomware operations... At the more extreme end of the spectrum are multi-million dollar ransom events, which have become increasingly common," said the report.

Groups like the Canadian Federation of Independent Business (CFIB) say the government should focus on providing information and improving police services to victims, instead of making reporting mandatory. "Forcing them to do it will not result in fewer attacks, it will mean more work and red tape for businesses. Some of them don't want to report cyberattacks, fearing their additional consequences." commented Jasmin Guénette, vice-president of national affairs for the CFIB.

In contrast, at least one Canadian cyber security expert thinks that Canadian organisations should report cyber incident breaches to a federal authority to develop nation-wide threat intelligence. “Canada absolutely needs mandatory full incident reporting,” said Brett Callow, a threat analyst for Emsisoft.

CBC:     ICLG:      CTV:    Global News:      IT World Canada:     ProIQRA

You Might Also Read: 

The Cyber Security Top Ten Power List:

 

« Channel 4 TV Launches New Cyber Thriller
Cyber Security Training For Employees & Employers »

Quartz Conference
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Foundation for Strategic Research (FRS)

Foundation for Strategic Research (FRS)

The Foundation for Strategic Research is France's main independent think tank on strategic, defense and security issues. Cyber security is covered as part of the study areas.

Darktrace

Darktrace

Darktrace’s Enterprise Immune System is capable of detecting and responding to emerging cyber-threats, from within the network.

WhiteCanyon Software

WhiteCanyon Software

WhiteCanyon Software, Inc. is a leading provider of security software employing permanent deletion technology to prevent identity theft.

IntaForensics

IntaForensics

IntaForensics offer a full range of digital investigation services and are able to adapt to the individual needs of solicitors, private clients, Law Enforcement Agencies and commercial businesses.

Information Technology Industry Development Agency (ITIDA)

Information Technology Industry Development Agency (ITIDA)

ITIDA has two broad goals: building the capacities of Egypt’s local information and communications technology (ICT) industry and attracting foreign direct investments to boost the ICT sector.

XLabs Security

XLabs Security

XLabs Security is a leader in web application security in Latin America.

EMnify

EMnify

EMnify is a Software-as-a-Service (SaaS) company, revolutionizing cellular Internet of Things (IoT).

Accel

Accel

Accel is a leading venture capital firm that invests in people and their companies from the earliest days through all phases of private company growth. Areas of focus include cybersecurity.

African Cyber Security

African Cyber Security

African Cyber Security and it's partners, have the expertise and skills to provide holistic solutions for companies, institutions and government.

BLUECYFORCE

BLUECYFORCE

BLUECYFORCE is the leading professional training and cyber defense training organization in France.

BIO-key

BIO-key

BIO-key is a pioneer and innovator, we are recognized as a leading developer of fingerprint biometric authentication and security solutions.

FirstWave Cloud Technology

FirstWave Cloud Technology

FirstWave Cloud Technology is a global cyber security company which has been delivering Cybersecurity-as-a-service solutions to the market since 2004.

Proximity

Proximity

Proximity is a leading professional services organisation providing consulting, legal and commercial advisory solutions with a focus on government and regulated industries.

Bugbank

Bugbank

Bugbank (aka Vulnerability Bank) is a leading SaaS platform for internet security services in China.

Red Goat Cyber Security

Red Goat Cyber Security

Red Goat Cyber Security have created excellent, informative and interactive Social Engineering Awareness training which is suitable for all levels of staff.

Quantum eMotion

Quantum eMotion

Quantum eMotion is a Montreal-based advanced developer leading the way towards a new generation of quantum-safe encryption for the quantum computing age.