Canada Considers Mandatory Reporting Of Cyber Attacks

Canada’s Public Safety Minister Marco Mendicino has said recently that the federal government is looking into requiring Canadian businesses and companies to report cyber attacks. “We are considering very carefully, this is an option,” Mendicino told members of the Public Security and National Security Council.

Mendicino also warned of an increased risk of cyber attacks from Russia and others amid a global threat environment that continues to shake the foundations of the post-Second World War international order.

Canada’s public safety minister says the federal government is weighing introducing mandatory incident reporting for cyber crimes to better understand their prevalence domestically and how to prevent them going forward. Speaking to the House of Commons Public Safety and National Security committee about Canada’s security posture in relation to Russia, Mendicino said the government is on “high alert” for cybercrime activity.

“I cannot emphasise enough how important it is that in the current geopolitical environment within which we find ourselves that we are very much on high alert for potential attacks from hostile state actors like Russia, which could manifest through cyber attacks, through ransomware, which look to identify potentially valuable targets to Canadian interests, like critical infrastructure,” he said.

Asked by NDP MP Alistair MacGregor whether Ottawa is considering making it mandatory for all sectors, the minister said, “I absolutely think it's something that we need to be considering, for sure, yeah, it's an option that we're considering very carefully.” MacGregor said the committee has heard from some witnesses who have called for mandatory incident reporting. "Sometimes businesses are loath to report that they have been held hostage by ransomware," MacGregor told Mendicino. "They find it's easier to pay off the person, not report it. Also, there can be a threat for further damages if they do in fact report to the authorities."

Mendicino warned MPs on the committee that the current international situation has increased the threat of cyber attacks on Canadian businesses, organisations and diverse levels of government.

"I cannot emphasise enough how important it is that in the current geopolitical environment ... we are very much on high alert for potential attacks from hostile state actors, like Russia," he said. The minister said those attacks "could manifest through cyber attacks, through ransomware, which look to identify potentially valuable targets to Canadian interests, like critical infrastructure, but equally to subnational targets, different orders of government and other sectors of the economy."

Since the government created the Canadian Centre for Cyber Security (CCCS), it has been sharing cyber threat information with owners and operators of Canadian critical infrastructure. The federal government has also created a special unit within the RCMP to coordinate police operations against cyber criminals.

The CCCS has issued a number of bulletins warning Canadians of the potential for cyber attacks by Russian state-backed actors who may try to assault critical infrastructure, such as electricity systems.

In its National Threat Assessment 2020 report, which laid out its predictions for the next two years, the centre said the number of bad actors is rising and they're getting more sophisticated. It warned of a potential increase across Canada in cybercrime, ransomware attacks and commercial espionage, particularly against Canadian businesses, academic institutions and governments that may have proprietary information.

"Canadian organisations of all sizes, such as small and medium-sized enterprises, municipalities, universities and critical infrastructure providers, face a growing number of cyber threats," the centre wrote in its report. "These organisations control a range of assets that are of interest to cyber threat actors, including intellectual property, financial information and payment systems, data about customers, partners and suppliers and industrial plants and machinery." 

The value of ransomware payments is also on the rise, the CCCS warned. "Ransomware researchers estimate that the average ransom demand increased by 33 per cent since Q4 2019 to approximately $148,700 CAD in Q1 2020 due to the impact of targeted ransomware operations... At the more extreme end of the spectrum are multi-million dollar ransom events, which have become increasingly common," said the report.

Groups like the Canadian Federation of Independent Business (CFIB) say the government should focus on providing information and improving police services to victims, instead of making reporting mandatory. "Forcing them to do it will not result in fewer attacks, it will mean more work and red tape for businesses. Some of them don't want to report cyberattacks, fearing their additional consequences," commented Jasmin Guénette, vice-president of national affairs for the CFIB.

In contrast, at least one Canadian cyber security expert thinks that Canadian organisations should report cyber incident breaches to a federal authority to develop nation-wide threat intelligence. “Canada absolutely needs mandatory full incident reporting,” said Brett Callow, a threat analyst for Emsisoft.

CBC, ICLG, CTV, Global News, IT World Canada, ProIQRA
