Although its gestation was excessively long, the government of Canada has finally released an updated National Cyber Security Strategy (the first and last such strategy dates back to 2010).
After all these years of preparation and consultation, one might have expected a more thorough and detailed plan as to how the government intends to deal with the burgeoning threats in cyberspace. These have ranged from data breaches involving multi-millions of accounts to sophisticated state conducted cyber penetration operations, such as the 2014 compromise of Government of Canada systems for which China was blamed. Given the magnitude of the threat, it is disappointing that the strategy comes across as a fragmented statement characterized more by expressions of broad intention rather than specific objectives.
Released June 12 by the ministers of public safety, national defence, and innovation, science and economic development, the strategy, subtitled “Canada’s Vision for Security and Prosperity in the Digital Age,” is rather thin on vision and thinner yet on how the goals identified are to be implemented. The three core “themes” — Security and Resilience, Cyber Innovation and Leadership and Collaboration — are described in a broad brush manner (e.g. “we will better protect Canadians from cyber crime”; “the federal government will position Canada as a global leader in cyber security”) that lack tangible expression. Replicating the flawed approach of the 2010 document, “action plans” for realizing the strategy are to come at some future time, with a promise of “clear performance metrics” and reporting on results. Such “action plans” for the 2010 strategy, which were geared to improving the security of the federal government’s own systems and promoting public education, did not appear until 2013 and were never subjected to meaningful evaluation.
Despite the current strategy’s boast that “We will be an example to the world of what can be achieved through a cohesive and coherent National Cyber Security Strategy,” the Canadian product pales in comparison with earlier strategies issued by peer states such as Australia and the United Kingdom. The UK’s National Cyber Security Strategy 2016-2021 is not only a superior policy document in terms of analysis and the specificity of its commitments, but also contains an extensive “Implementation Plan” setting out key objectives and how progress on them is to be measured.
While the strategy claims it will align with other cyber-related initiatives of the government, such as the Canadian military’s use of cyber, a cyber foreign policy, the defence of electoral processes from cyber threats and the 2017 Innovation and Skills Plan, one wonders why it wasn’t possible to integrate these key cyber issues areas into the new “national” strategy. As it is these other initiatives have taken place on a separate track or are still outstanding. For instance, the outcome of last summer’s Defence Policy Review contained major new departures for the Canadian Forces in the cyber security realm, and yet the elusive cyber foreign policy (first promised in 2010) has yet to see the light of day. This partial articulation of policy in a highly-interdependent field hardly reinforces the “coherence” claim being made for the strategy.