OTTAWA — A committee of MPs is calling on the federal government to issue an overarching annual national-security threat assessment and provide more information on how to prevent cyber attacks, particularly from Russia.
"Concern about Russia is heightened because it has shown a willingness to cross internationally recognized red lines," reads a report from the House of Commons committee on public safety.
The report, tabled in Parliament last week, argues that the various agencies and committees handling national security issues operate in silos, and a patchwork of reports comes from different sources.
The MPs want someone in government to gather those recommendations and create an annual priority list. They say this should start with a review of the various "cyber roles, responsibilities, and structures that exist across the federal government" in order to "maximize coherence, co-ordination, and timely action."
The committee heard about malware and cyber attacks originating from Russia that have affected Canadian firms, such as the NotPetya attack in 2017 and the 2020 SolarWinds Orion hack, which Global Affairs Canada said compromised more than a hundred Canadian entities.
The MPs feel Canada could do more to prevent these attacks on government agencies as well as private companies, in part by compelling mandatory reporting.
They noted there are few obligations for firms to report cybersecurity incidents that don't involve a data leak. Last October, the then-head of the Communications Security Establishment, Caroline Xavier, testified that "many organizations don’t report it" when they get hacked.
Witnesses also said that critical infrastructure operators have lax rules compared with European and American counterparts. They also said some fields like port operators lack clear reporting timelines on preventive cybersecurity measures.
The committee wants the CSE to better inform smaller businesses about how to prevent cyber attacks and to provide tax breaks for companies to better protect their data.
Witnesses noted that hackers tend to focus on larger targets, but smaller firms lack protection.
The non-profit Canadian Cyber Threat Exchange reported in May 2022 that 44 per cent of small- and medium-sized enterprises that are members of the organization lacked "any form of cyber-defence" and 60 per cent of these smaller firms had no insurance for cyber attacks.
The committee suggested the government should compel companies of enough importance and size, as well as government bodies, "to prepare for, prevent and report serious cyber incidents" with clear timelines and a lessons-learned exercise after a hack.
MPs also noted calls from witnesses for better co-operation with the U.S. on cyber attacks on critical infrastructure, similar to the binational North American Aerospace Defence Command, or Norad.
Yet the committee did not recommend Canada follow Britain in tying procurement with cyber protection, such as requiring firms to have basic protection against hacking in order to compete for government contracts.
The report also proposes the government work with internet service providers and social-media platforms "to counteract online bots that are amplifying state-sponsored disinformation."
The committee is also calling for more transparency on Russian disinformation, and to speed up the modernization of Norad.
This report by The Canadian Press was first published March 13, 2023.
Dylan Robertson, The Canadian Press