Canada's cybersecurity strategy and global implications

Oct 03, 2024 | 44 min | Season 2, Ep. 5

Episode description

We're picking up where we left off in our last episode to take a hard look at Canada's national security strategy for cybersecurity. Guest Aaron Shull, managing director and general counsel at the Centre for International Governance Innovation, returns to discuss whether Canada is well equipped to deal with current and future online threats. Sami Khoury, senior cybersecurity official at the Communications Security Establishment Canada, shares insights about pre-ransomware notifications, threat alerts and public access to open-source tools. David Shipley, CEO of Beauceron Security, also returns with his take on how Canada compares against its peers when it comes to cybersecurity.

We also dissect the controversial Bill C-26 and its implications for Canada's cybersecurity landscape with guest Matt Malone, Waterloo University, and sit down with Kate Robertson from Citizen Lab to discuss Canada's involvement with the UN Cybercrime Treaty.

Transcript

Canadian Government Response to Cybersecurity

Takara Small

So we've been talking a lot over the last few weeks about the many cyber security threats we're facing, but how are we fighting back? We trust the state to keep us safe, but are they doing a good job?

Aaron Shull

If we're going to get our kind of act together in Canada, it's going to have to be about this national approach.

Takara Small

Trying to stay ahead of the criminals and bad actors is a tough gig, and one that governments all over the world are struggling with. So this week, on What's Up With the Internet, we're looking at what the Canadian government's response to our current cybersecurity threats has been.

As always, I'm your host, Takara Small, and this podcast is brought to you by CIRA, the Canadian Internet Registration Authority, which is a non-profit building a trusted internet for Canadians. So then, what is the government doing about the issues we've been talking about in our previous episodes?

First, let's hear from one of the government bodies leading the fight. We spoke to Sami Khoury a couple of weeks ago in episode three. Sami has now taken up a role as the Canadian government's senior official for cybersecurity, but until very recently he was the head of the Canadian Center for Cybersecurity, and that's when we interviewed him.

He told us what the government is doing to help combat cyber attacks.

Sami Khoury

So we are actually, we're doing a lot, and at the cyber center and with our partners across government. So, from the pre-ransomware notification, so a lot of it, we do a lot behind the scene that isn't often known because it's a sort of capabilities that we are developing that generate things like pre-ransomware notification.

We are putting a lot of advice and guidance out there. I'm speaking like I'm doing right now to bring attention to the fact that this is a big issue and we need to, as a society, we need to take it seriously. We make a lot of our capabilities available in open source.

So on GitHub we've published some of the tools that we use, some of the tools that we developed here at the Cyber Center, that if somebody wants to use them, they can go and download them and make use of them. When we see something, we share it. So we see a lot of things.

We see a lot of activity against the Canadian government, people trying to hack into it, trying to scan it for vulnerability. Everything we learn from that, we publish it through some of our threat feeds, and people can subscribe, companies mostly can subscribe, to our threat feeds and be up to date with threats that we know of, and then we issue alerts.

If there's something happening we will issue an alert or we will issue a cyber flash to let people know. And lastly, we've partnered with the private sector, with companies, so we partnered with CIRA to make available Canadian Shield.

Canadian Shield is a capability that anybody can download on your phone, on your home computer, and it essentially makes sure that you don't go to websites that we know are malicious.

So, effectively, when you type something in your bar of your web browser, if where you are trying to go, or whether you click on a link, the minute that computers try to go out there, Canadian Shield will stop you from going if we know that this site is malicious.

So that's a free service that we've partnered with CIRA on to make sure that Canadians have access to that capability called Canadian Shield. There's a commercial version for businesses, but the free one anybody can use it and download it and make use of it.

It's a one-way feed, so we tell CIRA what we know is malicious, so there's nothing that comes back to us. So, from a privacy perspective, I think your listeners can rest assured that we don't get anything in return in terms of your browsing history or what website you go to.

We just tell CIRA these are all the websites or all of the domains out there that we know are malicious. If you get an SMS, we've partnered with the telecom companies, you just have to send forward that malicious SMS to 7726. And behind the scene, magic happens and we encourage people to send their SMS.

And if that SMS is malicious because there's a link in it that we know ends up being malicious, then it will be blocked, and it will be blocked by all of them and it will be blocked also. It will be added to our feed that is then shared with CIRA through Canadian Shield and blocked there too.

So you are making a difference and you're contributing to doing your part in ensuring that cybersecurity, that Canada is more resilient in that space. So those are examples of things that we do.

Takara Small

And you know, another government initiative is also Bill C-26. For people who aren't familiar with that provision, can you tell me a little bit more about what it is and how it addresses the problem of cybersecurity?

Sami Khoury

Yes, absolutely. So Bill C-26 is still going before Parliament, so we hope that it will come out at the other end and it will receive royal assent. But that's a bill that is going to raise cyber resilience in Canada for four sectors. So telecommunication, finance, energy and transportation, these are four sectors that have been identified in Bill C-26.

And through that bill, there will be an obligation on the companies that fall within those designated sectors. Not everybody will be subject to Bill C-26. That is something that still is yet to be decided.

But companies that are operating within those sectors, primarily the big companies, will have an obligation to have a cybersecurity plan. So, if something happens, what's your readiness?

But also that will have an obligation to report cyber incidents to the cyber center, to our organization, to the organization I lead, and that's very important because it will, by reporting incidents, which is one of the key messages I'd like to leave people with. It's important to report incidents to us.

We connect, we then understand how it happened, what happened. We can connect a few dots, maybe by connecting dots between two or three incidents and starting to see a pattern there. So Bill C-26 will essentially mandate that those companies that will be designated at the end of the process have a cybersecurity plan and report cyber incidents to the cyber center.

Takara Small

So that's some of what the government is doing, but it's not enough to impress everyone. Back in June, a report from the Auditor General, Karen Hogan, said that the RCMP and other Canadian security agencies do not have the capacity or capability to effectively police cybercrime, and a new, updated national cybersecurity strategy still hasn't been introduced.

David Shipley

We are sadly lagging our G7 peers in level of investment.

Takara Small

That's David Shipley. He's the CEO of Beauceron Security Inc.

David Shipley

We are lagging our peers in legislative tools, frameworks, requirements, standards and more.

We're making some progress, and I would be remiss if I didn't acknowledge that we're heading to third reading on finally updated laws to protect critical infrastructure that's federally regulated in Canada, like the banking sector, telecommunications, energy transmission and transportation. Yay.

But the reality is, as I wrote in an op-ed recently for the Hill Times, is we still have a federal government where we are castle and moat, and so they are concerned with protecting the castle, without realizing that the castle lives off the proceeds of the village, that they will starve to death without the rest of us, and we are getting pillaged by the cyber vikings left, right and center, and so we need to have a couple of really key conversations in Canada. The first is our policing models don't work in the 21st century when it comes to cybercrime.

The idea that your locally funded municipal police force in many parts of Canada is your jurisdiction to report crimes to, to resource to deal with, is absolutely insane when faced with these international multi-hundreds of millions of dollars cyber criminal organizations.

We need a single national police force, resourced to deal with cyber crime and able to deliver an equal response across the country, whether you're urban or rural, rich province or poor.

We need a new national cybersecurity strategy that looks at policing, like I just mentioned, that looks at preventative investments in defense, so a dedicated cyber fund for municipalities and for healthcare, who are not federally regulated, so they are not getting the legislative support they need and certainly don't have the money on their own to do this, and the areas of Canadian life when they're hit are the most disruptive either to safety or overall well-being. So we need to put some money into national cyber defense preparedness, invest in offensive cyber when we can't go after criminals, so that we can raise the cost of cyber crime by ruining their infrastructure, hacking them back.

And that needs to be an explicit mandate of the Canadian forces. Right now the Canadian spy agency, CSE, has a mandate for active cyber. I would prefer, and I've had this debate with national security folks back and forth, that they stick to their espionage mandate because that's normal and expected in global affairs.

But I think when it comes to hacking back and working outside of law enforcement regimes, I think that's a role for the Canadian forces.

Takara Small

Why do you think we've lapsed in this area compared to some of our peers? Why do you think Canada isn't at the forefront when it comes to cybersecurity, whether it's nationally, provincially, locally? Why is it some of our EU counterparts are so far ahead?

David Shipley

We have slept under the blanket of American security since the end of the Second World War and we have cashed in the dividends from being able to rely on American investment in this to fund all kinds of really important things for Canada: social programs, etc. You know, universal health care, other things.

We have slept ourselves into complacency and we struggle in this country to take national security seriously on a numerous front. So I'm obviously, you know, I'm a proud Canadian Forces veteran.

So I have strong feelings about the need and necessity for us to show up and be a valued member of NATO, to actually contribute our 2% GDP spending to that, so that we can continue to benefit from that collective investment in defense in a world that's a lot more hostile.

National Security Strategy for Cybersecurity

We for some reason cannot seem to rouse ourselves to the fact that we are in an active conflict of ideologies with China, that the idea that we had in the 1990s that we could normalize relations with China and China would become like the West through trade has failed miserably, and that we are living through the consequences, whether that's, you know, election interference, whether it's, you know, actual impacts on diaspora communities in Canada. That's just one country's foreign policy being pursued without a lack of response. Here in Canada we have others, India, you know, we had a Canadian citizen murdered on our territory.

So the reason I mentioned all of these issues in the national security context is if we can't even take national defense seriously, if we can't take foreign interference seriously, cyber does not even make it to the top of the list for most of our most important conversations at the most senior political level in Canada. It just isn't there.

I have been to Parliament Hill twice. I have testified in front of the National Security and Public Safety Committee twice. I have watched one of my testimonies was delayed while a filibuster on the Emergencies Act for political performative reasons was performed rather than listening to expert testimony on the issue at hand. So we're not a serious country.

Takara Small

Okay, well, Aaron Shull, who we heard from in our last episode, is a little bit more positive about how well-equipped we are. He thinks the provinces and city councils need to be more involved, though. Aaron is the managing director and general counsel at CIGI, and his work is helping influence government policy.

I want to talk about policy, then, a little bit. We've discussed so much when it comes to the impact of cybersecurity, cyber warfare, and I'm wondering if Canada is well equipped to deal with these threats now and in the future.

Aaron Shull

Yeah, so maybe as a starting point, Canada's part of something called the Five Eyes Alliance, so that's the UK, United States, Australia, Canada, and so we're in this intelligence sharing arrangement with our closest allies. So that's good.

Within that, Canada contributes through something called the Communications Security Establishment. That's our national cryptological agency, kind of Canada's code makers, code breakers, and that's where all of our premier cyber capabilities reside. The CSE is some of the best in the world, and you don't have to take my word for it.

This is what I've heard from allies, and so we are very well equipped for a nation of our size by virtue of having this institution. But that's one piece of a big puzzle, right, like the problem is that the government doesn't own most of the critical infrastructure in the country. Right, it's privately owned.

And also we've got a constitutional division of powers. Right, we've got a federated system, and so hospitals and schools are under provincial jurisdiction, right, and so we've got to take that into account.

Plus, we've also got municipalities, and it's a bit weird because it's actually at the municipal level where people have their closest relationship with democratic institutions. Right, this is where they've got their closest relationship with government.

Like I said earlier, if your power turns off or your water doesn't come out of your tap or your garbage doesn't get picked or your hospital goes down or your kid's school gets hacked, you'll notice, right, and where we do most of that work is actually at the municipal level, but that's where our capabilities are the lowest.

And so if we're gonna get our kind of act together in Canada, it's gonna have to be about this, a national approach, and I'm using the word national here advisedly, as opposed to federal.

It's going to have to be a national approach where we bring together the feds, the provinces, territories, municipalities, indigenous government groups, along with critical infrastructure providers, in a bit of a holistic way, like it can't just be a one and done type of thing, and we also have to be prepared to continue to update our approach to this as we continue to hook more stuff to the internet and as the threats get more and more sophisticated.

Takara Small

You've actually talked a lot about this and you know what other-

Aaron Shull

I'll talk to anybody who'll listen to me about this.

Takara Small

I mean you've talked in parliament about this. You've also done extensive work when it comes to government policy. I'm going to just plug your work reimagining a Canadian national security strategy. Can you tell us about your project and what your hopes are for your advocacy on this issue?

Aaron Shull

Yeah, sure, sure. Well, maybe I'll back up a step and so say I work at a think tank, we do public policy research, right, and we always talk about wanting to have a policy impact from our work.

So it's a little bit different than like a typical university where, you know, a lot of the work can be, you know, curiosity driven or whatever. Our work is meant to have a point and to have a kind of impact in the real policy world. But for me it's not just about impact.

I actually break impact into two constituent elements.

The first is, if you want to have an impact, you want to be helpful to policymakers, and the second is you want to be relevant to policymakers, and so the easiest way to be helpful and relevant is to work on stuff that policymakers would think would be helpful and think would be relevant, and so our last national security strategy was done in 2004.

So 20 years ago. And so to say that that is outdated would be the understatement of this conversation, right, like, think about your computer 20 years ago, anyways.

So I thought this is an area where we could help, and so we put together a team of about 250 experts and, along with current government officials, to think through some of this. We wrote a whole bunch of reports.

But the nice thing is, in our kind of capstone report that my colleague Wesley Wark and I wrote, we had a bunch of recommendations in there. The first was you got to do a national security strategy, but come on and the government agreed, in something called the defense policy update, which was, I'm saying, maybe released a month ago. They agree.

So there's going to be a new national security strategy that's going to be updated every four years. So we can tick that one off the list. The second, we argued for the creation of a national security council chaired by the prime minister, and they agree.

Now there is a national security council chaired by the prime minister, and so, kind of one by one, we're ticking things off of our list.

But the point here is that when we're looking at our work, we are always doing it with a view to being helpful and with a view to being relevant and to using our good offices to try and advance a national conversation, and so I'm thankful that we were successful at it.

Takara Small

Do you think Canadians are now more concerned with cybersecurity than in years past? And I say that because we have seen quite a list of institutions, both public and private, that have been hacked and have been taken down in this year and last year alone.

So one of the big ones, obviously Toronto Public Library. That's Canada's largest library system. Um, the LCBO and medical hospital, like the list goes on and on.

Do you think now voters and politicians, as an extension of that, are much more aware?

Aaron Shull

Yeah, oh, for sure, for sure, and that's what I was saying, kind of at the top of the interview. What this will now require is, you know, uh, depending on whose, whose notes you're looking at, we're, we're going to be in an election in the next, you know, 12 months, or whatever.

I think that this, like every party, should have to say something about this and what their, their vision is for the future, because you're absolutely right, like it's impossible to have a local school hacked or a hospital taken down and to not notice, right, like this is, this is genuinely affecting people's real lives now, and so, while it might not be the topic of conversation around most dinner tables, I think this is one of those areas where politicians and the political parties need to lead, they need to shape the discourse in the country, and we've got to get serious about it because, like we've been saying throughout the duration of this conversation, the trend lines do not look good.

Like if you think this is going to get better on its own, like I got news for you, it's not, and so this is one of those areas where, while it might not be the top of mind when people are thinking about who they want to vote for, this is one of those areas that requires political leadership and vision.

Takara Small

And then there's Bill C-26. If you're not familiar with it, that's the new cybersecurity bill aimed at protecting Canadians. It's been called one of the most important pieces of safety regulations for a generation and it's been in the pipeline for years. The bill has already gone through the House of Commons and is waiting to be rubber stamped by the Senate.

Bill C-26 is supposed to be our cybersecurity hero, but there are concerns around privacy and transparency. We got Matt Malone on the line from Waterloo to discuss it. Matt is an expert in all sorts of law around cybersecurity and privacy, and he's a Balsillie scholar at the Balsillie School of International Affairs.

Matt Malone

So Bill C-26 was a bill that was introduced in the summer of 2022 by then Minister of Public Safety, Marco Mendicino. The bill has two main components to it.

It makes a series of amendments , principally to the Telecommunications Act and a few other acts , and then it passes a new act entirely , which is called the Critical Cyber Systems Protection Act .

So if you zoom out and you look at this bill, it can be situated with a series of legislative efforts that have been taken in recent years across peer states of Canada, like Australia, the United States, across the EU, where you've seen an interest by governments to use regulation to nudge or to require certain postures when it comes to cybersecurity.

And that's really rooted in something that became clear when our last national cybersecurity strategy came out, where it became very clear that there was a recognition of the role of regulation in changing and improving our cybersecurity posture as a country. So more or less, we settled on that view in 2016.

But it took us until about 2022 to come up with this law and we have not by any means expedited the law. It's more than two years later. Now we're in September 2024 having this conversation and the bill still hasn't become a law. It's currently in the Senate on second reading as I'm talking to you, but we'll see the stage it gets to later on.

So just to answer your question about what the bill is, these two main parts of the bill, the amendments to the Telecommunications Act really recognize the role of security as a key objective of Canadian telecommunications policy.

So we have a Telecommunications Act that recognizes various policy rationales that guide our policy, you know, through entities like the CRTC and so forth.

But what it does is it adds security to those rationale and it endows the government, technically the Governor in Council and the minister of industry, which has responsibility over telecommunications, to direct TSPs or telecommunication service providers to take or refrain from taking actions that might be necessary to ensure security.

So that's sort of the main part of the bill that concerns the Canadian Telecommunications Act. But there's a second part, and I apologize if this is boring because it is a little bit boring.

Takara Small

What are you talking about?

Matt Malone

Right, that's the attitude.

Takara Small

Maybe scary is the actual right word, but continue.

Matt Malone

Well, you know, I think we'll talk about scary in a second, and that's for me when it comes to transparency. So the second part is really.

The second part of Bill C-26 is the Critical Cyber Systems Protection Act, and this got a lot less attention, but it's equally important because it allows the government, again technically the Governor in Council, to designate certain services as vital systems, so systems that would be under the federal jurisdiction, systems like, and there's already a few that are recognized in the law, like telecommunications, pipelines, energy, nuclear energy, banking, various transportation systems and so forth.

So what this bill does is it allows the government to recognize these systems as vital services, vital systems, and then it authorizes the government to designate certain operators of those systems as parties whom the government can direct to do all different kinds of things.

And perhaps the most important is, once a designated operator of a vital system is recognized, there's an obligation to create a cybersecurity program where you have to identify risks, protect the system and so forth.

But there's other requirements, and this is where the bill gets really interesting, where the bill endows the government with the ability to take all different kinds of actions, including, so it's not just about these entities engaging in certain conduct, like reporting a cybersecurity incident to the government or establishing a cybersecurity program.

But the bill also allows the government to issue what are called cybersecurity directions, which are totally secret directives that the government can issue to these entities to take, or refrain from taking, a certain action to bolster the cybersecurity of their services.

So it's really interesting because there's not a lot of transparency over those directives, and so I think this continues a trend that we're seeing with cybersecurity generally in Canada, where we're endowing the government with a lot of power that is not accompanied with a lot of transparency around that power, and I don't think that that's necessarily a good recipe for bolstering trust in federal institutions.

Government Cybersecurity Initiatives in Canada

Takara Small

Personally, so there is a history of Canada following in the footsteps of our closest neighbor, the US, when it comes to legislation, when it comes to initiatives and funding, but I'm wondering what government initiatives you would suggest need to be put in place, divorced from what's happening south of the border.

What would you think the government needs to focus on or needs to enact?

Matt Malone

Well, I think, as much criticism as I have of Bill C-26, I think it's, you know, to borrow a phrase from Christopher Parsons, who was a senior researcher at the Citizen Lab, who's now at the Ontario Information and Privacy Commissioner, I think Bill C-26 is incredibly well-intentioned.

This is definitely a bill that we need, but I think a few things need to happen. I think the first is that we need to get back into this show-don't-tell approach. It's important to remember that Bill C-26 only regulates the private sector. It doesn't actually regulate government itself, and the government cybersecurity is characterized by a lot of fragmentation and approaches that are sometimes illogical, and this fragmentation is apparent from Bill C-26 itself. Right, the bill was introduced by the public safety minister, but what it really does is give a lot of powers to CSE, which reports to the national defense minister, and sort of who is responsible for cybersecurity overall in the Canadian government is an interesting question.

I mean, you recently had Sami Khoury on, you know, an incredible individual who's done a lot of service for Canada, and he's actually just been appointed or elevated into a new role, and I'm not entirely sure where that resides in government, but there's, you know, there's folks who sit in the Privy Council who have some responsibility with cybersecurity policy and Shared Services Canada with respect to devices that are issued to government, and then Global Affairs Canada has its own say in certain conduct that CSE will take, in particular, when it takes active or offensive cyber operations against other states.

So there's a lot of fragmentation here, and I think one of the main things that needs to change in Canada is an approach that really operates by show, don't tell. CSE's annual report came out this summer and it highlighted a lot of the incredible work that they do.

I mean, this is a super talented group of people, probably one of the most competent entities in government, and highlighting things like leading multilateral efforts to take down a ransomware gang and liaising with sensitive industries like oil and gas, and so forth. So a lot of good stuff coming out of that.

But one of the things that caught my attention was that CSE is very well known for sensors that it places on networks to identify and anticipate and mitigate cybersecurity risks, and something I found very interesting in their report was that some 50 federal institutions still don't have any of those sensors installed on their networks, and these sensors are famous.

I mean the UK has actually installed more than 100,000 of them on their networks, these Canadian sensors. So you know it's brought in CSE a lot of, you know, praise, and rightly so, but the government itself hasn't responded to shortarians, NSICOP or NCCOP. So I think show not tell is an important part of it.

If I were to critique the bill itself, I have a few overriding critiques. I mean one of them is that the bill is titled the Critical Cyber Systems Protection Act, but what is critical? And the government has a very sort of limited remit for what is defined as critical.

As I said, it only applies to private sector entities, so it doesn't apply to the federal government's own conduct. And it also fails to mention sectors that are very clearly of tremendous importance, and you can imagine space is going to continue to become a major sector in Canada over the next few years. Water and wastewater infrastructure.

I mean the European Union's main cybersecurity law identifies that as one of its critical sectors. It doesn't mention food and so forth. So I think there's some interesting questions around what is being brought in or identified as critical and what is not. It makes sense when you think about the cybersecurity threats that we have faced.

I mean, the Colonial Pipeline was a very notable disruption caused by a threat actor and, you know, it makes sense that we might want to focus on pipelines and energy and nuclear within this bill, but we shouldn't limit it there.

The other problem I have with the bill is that it's based on an approach where the government needs to register a designated operator for the bill to apply to them , and I think there's a lot of problems with this approach because it basically requires us to count on the government being vigilant and identifying everyone who could possibly be critical , taking the right action and putting them on .

Forget what it stands for NIS1 and NIS2 , the cybersecurity , the big cybersecurity legislations .

They have these long EU names the Directive on Network and Information Security , something , something specifically identifying and adding designated operators by government entities and made it so that there were certain requirements that automatically triggered the application of the law .

So entities that were above a certain size in certain industries would automatically have requirements to follow NIS2's obligations with respect to taking certain measures , and I think that's a much more organic and sustainable approach , because it doesn't require someone in government to constantly be out there scanning the threat environment and adding specific entities to the list . Rather , it automatically adds them as they grow or as they gain in importance .

So I think that's a big part of it and , of course , with that , I would probably say the penalties , the administrative monetary penalties in the law .

Although they're tiered for individuals and corporations , I think they actually need to be matched to follow the EU example , where we basically , just in the EU , use a percentage-based approach , so failure to act can cause a penalty that is X percent of your total revenue in the last year , as opposed to the Canadian approach , which is just $1 million , $10 million , whatever it is .

So I think those are the main critiques that I would have . I think the overarching critique , however , is a transparency critique .

The bill endows the government to issue these directives shrouded in complete secrecy , and that's a major problem . Because , as much as CSE is a , you know , an entity that deserves a lot of praise , it also is still getting its sea legs when it comes to showing its work and being transparent about its work .

It's been called out by review agencies for failing to submit its own records that it needs to provide to those review agencies . For years , it has one of the worst rates in responding to access to information requests .

It refuses to answer sort of basic questions around its practices , including whether it's using third-party spyware like NSO Group's Pegasus software , and the BC Civil Liberties Association has called out CSE saying that it's in dire need of oversight , and I would share that view .

They've done great work cooperating with various sectors , issuing pre-ransomware notifications , having a tangible impact on the private sector , but transparency is lacking and that's a major concern .

Takara Small

And that was Matt Malone .

International Cybersecurity Policy and Public Engagement

Now , that issue of finding balance with government power is a bit of a trend . Fighting cybercrime shouldn't mean creating limitless government powers . Kate Robertson spoke to us about Canada's involvement with the UN Cybercrime Treaty . It's an agreement that wants to harmonize laws around cybersecurity across its member states .

Kate Robertson

Well , this is a good example of where Canada has been playing an important role in demonstrating leadership and calling for the need for human rights standards to inform how we approach cyber threats , including the threat of cyber crime , and the agreement you're referencing is an international treaty that has been put forward in draft form for the United Nations General Assembly to ultimately consider and vote on , and it remains to be seen what countries like Canada and others around the world will do about it , because there have been many experts in both cybersecurity and civil society and digital rights who have pointed to how some of the powers that are being discussed , including cooperation powers around cybercrime , will actually pose really significant risks when conceived at an international level , given these same powers might be used by authoritarian governments against human rights activists , journalists or political opponents , and so it's again one of the important balances that policymakers need to strike when you're responding to a problem like cybercrime , so the need to react to those types of problems rather than operating from a place of fear , but instead to bring forward a really rights-centric approach to cybersecurity , which says that , yes , we do need to respond to some of the new and or even growing threats that we're seeing on an online environment , but taking a really long view that protects the security of our networks , which is really about protecting the security of us as people , making sure that we're not exposing individuals unnecessarily to other types or even more dangerous types of security threats in the process , particularly when it's not necessary to do so .

Takara Small

If I can be frank , you know , governments really are only likely to take action when there's public demand for it , and it creates this kind of catch-22 because you need the general public to care about something in order for the government then to acknowledge and take the next steps .

So I'm curious you know , how do you go about increasing public awareness around this topic and increasing , I guess , education for the general public about what can be perceived as a very complex issue ?

Kate Robertson

I think that is a really fair comment and an important comment , and touches on some of the broader themes that you've been speaking about on this podcast and in recent weeks with other guests as well , and I think it's helpful perhaps to return to the analogy of thinking about cybersecurity as a team sport .

Yes , we do think of it as a really technical area , but it's also a highly interdisciplinary area as well .

Effective cybersecurity integrates expertise from a whole range of sources , including independent regulators and government , industry , civil society , academic researchers , security researchers , data journalists like yourself , who host really informative and translatable messages around how technology impacts us in our day-to-day lives , and so I do think it is true that it can often feel overwhelming for certain individuals to hear about some of the vulnerabilities that do exist , and sort of a powerlessness feeling can surface at times , but I also think it's important to look at it in light of what amazing dynamics are already unfolding , when you have many who are working with the public at large to help translate and shine a light on some of the ways that governments and companies can be doing much more to protect us at a human level and a policy level , and so I would actually even think of the question a little bit differently is that there are many , many in the public who are participating in really important public debates about cybersecurity and , in fact , when you look at how the parliamentary process around Bill C-26 has been unfolding , there are many pointing to how the secrecy that's embedded in many of these new government powers are actually running up against a desire from the public to have much more transparency about what's going on , and that's really a reflection of the really rich part of society that has and has historically played a really important role in protecting us at an individual level .

And one of my colleagues has actually done some research about this and he's talked about how surveillance powers that government has traditionally turned to have sometimes had a really detrimental effect on cybersecurity .

And he pointed to some really interesting research that talked about how , when the public perceives or believes that the government has had a really large role in terms of surveillance , that can lead to a sort of disempowering reality where the less control we perceive to have over our data , the research actually has shown that the less likely we are to take steps to protect our own personal security .

In one study , they showed that individuals were actually less likely to implement strong passwords when they perceive the government to have a larger surveillance role , or were less likely to take other types of measures like two-factor authentication .

And so I think it does speak to really competing dynamics that have been unfolding , but part of a larger shift towards recognizing that the public , while they may not be looking at the very innermost nuts and bolts of our networks , they can and do have a really important role to play .

Takara Small

That was Kate Robertson , who is a senior research associate at the University of Toronto Citizen Lab . OK , so next week is the final episode in our series and we want to look forward .

Sami Khoury

The thing that we can count on is that there's going to continue to be more innovation and change , and we're going to need to be agile and adapt .

Takara Small

Yes , we'll be looking at future trends in cybersecurity and how emerging technologies are going to impact this space . Remember , you can email the show at podcast at CIRA.ca , and you can find me on social media at Takara Small . You can also check out CIRA.ca slash cybersecurity if you want to learn more about cybersecurity in Canada .

Thanks for listening and we'll see you again next week .

Transcript source: Provided by creator in RSS feed