Does Canada need NIST?

Federal guidelines

Should Canada adopt cyber security policies developed by its southern neighbor, or should they be home grown? Danny Bradbury investigates.

OUR EXPERTS: Framework
Juliana Belisario, policy and legal analyst at the UN’s International Multilateral Partnership Against Cyber Threats
Kevvie Fowler, partner in forensic advisory services, KPMG Canada
Paul Henninger, global product director at BAE Systems Applied Intelligence
Michael Legary, head of Seccuris
Avner Levin, associate professor and chair of the law and business department at Ryerson University’s Ted Rogers School of Management
Greg Thompson, vice president of enterprise security services at Scotiabank; board member at (ISC)2

C1 SC • May 2014 • www.scmagazine.com

In a world where organizations are alert to the possibility of cyber attack, cyber security guideline documents can sometimes seem more numerous than the threats themselves. The National Institute for Science and Technology (NIST) has stepped in with yet another one, this time aimed at protecting critical infrastructure cyber security.

Released in February, the Framework for Improving Critical Infrastructure Cybersecurity focuses on protecting financial, energy, health care and other systems crucial to the effective operation of a country – and Kevvie Fowler thinks that the guidance should be adopted north of the border, too.

Fowler is a partner in forensic advisory services at KPMG Canada. He argues that we shouldn’t re-invent the wheel in Canada, but should instead focus on using well-formed best practices from our close neighbour.

“There’s nothing that locks it down just to US organizations, or to critical national infrastructure organizations,” Fowler says. “It’s focusing on cyber, and we have cyber assets in Canada, and other countries do. Those same standards can be applied in other countries without needing other countries to go through that time and hardship.”

This begs the question: Should Canada – or any sovereign nation – adopt cyber security policies developed by another country, or should they be home grown? What factors influence that argument?

We must consider cyber security policies within the context of broader doctrines, warns Avner Levin, associate professor and chair of the law and business department at Ryerson University’s Ted Rogers School of Management.

“I’m not sure that the policy interests driving the US should be the same as those driving Canada,” says Levin, who is also the director of the Privacy and Cybercrime Institute at Ryerson. He points to last year’s Edward Snowden revelations as a prime example.

How you view the world defines how you defend yourself, he warns. “If you’re on the attack and trying to collect information and exploit flaws and other weaknesses, then your cyber security strategy in terms of defense is the mirror of that, because you think that this is what others will do to you.”

This concept – that otherwise friendly states will begin to harden against collaboration with the US following the Snowden revelations – boils down to a question of trust. But it shouldn’t concern those simply considering whether to share basic security guidelines or information, says Paul Henninger, global product director at BAE Systems Applied Intelligence, a physical and cyber security consulting firm.

“The thing that hasn’t been eroded is the will and the focus on sharing information and technologies and capabilities that focus on the bad guys,” he says. “At the end of the day, I don’t think anyone will get in trouble for sharing information on a new cyber signature that popped up yesterday. The only person’s privacy that you will be protecting by not sharing that is the criminal trying to break into a bank.”

There are other reasons not to apply US cyber security guidelines in Canada, though, say some experts – and they’re economic, rather than political. Certainly, the creation of guidelines by NIST may save Canadian policymakers a lot of hard work. But they’re more appropriate for American companies, says Michael Legary.

Legary is head of Seccuris, a 15-year-old Winnipeg, Manitoba-based security consulting firm which actively courts business in the US. He points to the relative sizes of the two countries as a key factor to consider when sharing policies and guidelines.


He worked for the Canadian government in the area of tax and finance in the 1990s, and recalls getting lots of guidelines from the US in those areas. “We couldn’t afford to hire enough staff to go through the processes and approaches that they suggested. It’s a smaller country,” he says. “We need a different set of controls to achieve our own goals in a unique way.”

Is there any reason why Canada doesn’t just create its own set of guidelines? Public Safety Canada declined to be interviewed, but reminded us in a statement that it created a Cybersecurity Strategy in 2010, along with a National Strategy focusing on broader critical national infrastructure security, which was later updated.

Public Safety Canada told SC that it views the NIST documents as a “domestic US process,” and will monitor it for implications north of the border. But the agency has leaned increasingly towards US partnerships in recent years.

The agency called out the Canada-United States Beyond the Border Action Plan as a key area of cooperation with the US on security issues. One of the four areas of cooperation under this agreement was the improvement of critical infrastructure resilience and cyber security.

In 2012, Public Safety Canada signed a Cyber Security Action Plan with the US Department of Homeland Security, under the Beyond the Border Action initiative. This included, among other measures, aligning and standardizing cyber incident management processes and escalation procedures, exchanging and collaborating on the development of briefing materials for the private sector, jointly conducting private sector briefings, and sharing and coordinating messaging on issues of common interest.

The agency didn’t mention the budget that it had set aside for cyber security, which was set at $90m in 2010, and was later boosted by $155m over five years, earmarked for securing federal computing infrastructure.

It could be doing far more, say critics. Greg Thompson is a board member at (ISC)2. He is also the vice president of enterprise security services at Toronto-based Scotiabank, one of Canada’s big five banks which provide financial services to the lion’s share of Canada’s population. If anyone is among those responsible for securing a component of Canada’s critical national infrastructure, it’s him.

The federal cyber security budget is woefully inadequate to keep up with today’s challenges, he says. “That is actually less than what a bank would pay for cyber security. That’s $30m a year. Individual banks are already spending that amount on cyber security today. Canada is slowly waking up to the fact that they have to get better at this.”

While it wakes up, many important companies in the private sector are taking care of it, Thompson says. “Waiting for the government to provide guidance is interesting, but the banks have it covered.” Every time a new framework comes out, Scotiabank produces a gap analysis between the framework and its own systems. NIST will be no exception, he says.

Where these security guidelines emerge, it’s likely to be from the private sector, often in collaboration with NGOs, says Juliana Belisario, a policy and legal analyst at the Centre for Policy and International Cooperation, which is part of the International Multilateral Partnership Against Cyber Threats (IMPACT).

“They have to be multi-stakeholder talks because private sector organizations have the resources that the government does not,” says Belisario, expressing her own opinion, rather than speaking officially for IMPACT. “Most of the time, the departments are not as developed in the private sector because the private sector do have the money to hire highly qualified people.”

Nonprofits are an important part of the picture here, says Thompson, who points to organizations such as the Information Security Forum (ISF). “What I really like about the ISF is that its material is driven by members,” he says. “People in the field who are earnestly trying to solve the problems that they’re facing.”

It may not matter where a strategy comes from, then, so much as how well-resourced and connected to the private sector economy are its authors and implementers. The Canadian government isn’t immediately going to adopt this new set of guidelines from its southern neighbour – but some private sector companies will take it into consideration, along with many other policies developed by non-governmental players.
