Vadim Gouterman is a partner and managing director, Keith Halliday is director, Katharine Lake Berz is an adviser and Kristin Wheatley is a principal at the Boston Consulting Group's Centre for Canada's Future.
Last week, the Winter Olympics were taken offline by a cyberattack. This week, hackers breached the German government's computer network. Every day, the volume and velocity of cyberattacks are increasing. From threats to our democratic processes to theft of credit-card information, managing cyberrisk is a necessary priority for all public and private organizations.
The CyberCanada Senior Leadership Summit, held this week in Toronto, brought together leading thinkers in cybersecurity to assess Canada's evolving cyberthreat and share ideas on how to protect our core economic assets, businesses and individuals. Summit participants overwhelmingly agreed that bolstering cybersecurity requires new ways of collaborating across industries, between industries and governments, and internationally between states.
But what does collaboration actually mean? What are the critical national assets and enterprises that we must defend by all means? Do we have the technology firms and experts that we need to prepare for more prevalent and innovative attacks? And, what will it take to change the way we work together?
A military leader at the summit described the change that cybersecurity represents for business-government co-operation.
In the past, he recounted, if a company headquarters were bombed, the military would be called to investigate and protect citizens from the attacker striking again.
Today, if a company is cyberattacked, executives often do not want to publicize it; and if corporations do report attacks, they do not necessarily want the government meddling in their corporate data. One public-company executive stated that he thought it should be the military's job to protect Canadians from cyberattack.
But yet another said that there is "no way the government should get access to corporate data."
So how do Canadian leaders navigate this challenging environment and prepare a strong defence in the face of continuing cyberrisks? Our summit discussions suggested three priorities:
Collaborate in new ways: Cyberthreats require us to work across sectors and geographies as never before. The Group of Seven and other international organizations have a collective interest in sharing information and strategies on cybersecurity. The World Economic Forum has launched a global platform for multistakeholder coalitions to collaborate on digital security. And some industries such as the financial-services sector are collaborating with traditional competitors to protect their sector's security. But what should we be doing within Canada? Do we need a new, permanent multistakeholder working group to address cyberthreats? How do we better communicate and problem solve across the public sector, with industry, with academia and with consumers? How do we get key actors in government, technology and industry together to build relationships and discuss approaches before a crisis hits?
Develop national strategies to mitigate risk: Cyberexperts emphasize that we can only protect against cyberattacks if we anticipate and prepare scenarios to respond to threats.
This will require identifying and outlining defence strategies for Canada's critical national assets (such as the military, research institutes and hospitals) and enterprises (such as oil and gas suppliers, food supply chains and financial services operations). Individual organizations also need to identify cyberattacks as not just an IT risk, but an operations risk, and give them the contingency plans and attention from senior leaders that operations risks require.
Strategies to mitigate cyberrisk need to change attitudes from repairing damage to preventing damage. Britain is making headway in this arena with its National Cyber Security Centre, which hosts a program to protect organizations, large and small, against cyberattacks. The centre also houses a lab to test whether new technologies meet cybersecurity standards. These are tools that Canada should consider; and we could go further. Could we institute a product-recall strategy for poorly designed technologies? Could we foster business and consumer reports on security technologies and issues? Could we establish formal and informal "hot-line" relationships between businesses and law enforcers?
Canada is already a leader in much of the artificial-intelligence research that enables cybersecurity. Back when few others were paying attention to artificial intelligence, Canada's Natural Sciences and Engineering Research Council made deep investments that now provide a worldwide basis for reinforcement learning. Ryerson University has launched a growing cybercentre of excellence. And, many of our cyberstartup companies have been very successful. How do we continue to encourage and foster innovation in the cybersector? How do we enable existing cyberfirms to achieve global scale?
Foster the technology talent to build and sustain cyberresilience: Co-operation and strategies alone will not reduce cyberrisk; we need the technology talent to execute cyberresilience plans. As one of our participants noted: "Employees are the biggest cause of cyberproblems … Attacks work because individuals do not know how to protect their systems."
Summit participants agreed that Canada needs more technology talent nationally to increase cyberresilience. One of our cybersecurity-company panelists shared that he searches for talent in Russia, Slovakia, India and elsewhere around the globe. And while cyberleaders applaud bringing new talent to Canada, they also had ideas on how to bolster Canada's development and retention of its own talent. These ideas included working with school boards to inspire more girls to pursue science, tailoring university and college curriculums to provide students with practical experience, creating appealing career paths for cyberemployees and developing cyberleadership training programs for senior leaders. Technology talent is a pressing opportunity for Canadian leaders and one that could benefit from a national strategy with collaboration between governments, businesses and educational institutions.
No individual, business or government can completely prevent cyberattacks. But we can be cyberready. Let us get started working together to protect our national assets, our businesses and ourselves in this ever more challenging digital world.