Recently the MIT Tech Review released their global cyber defense ratings, which ranked Canada as the 5th top country contributing to cyber defense.
I am here to tell you and explain how this is completely false.
#cdnpoli #cdnnatsec #cyberdefense #CDNdigital
I am here to tell you and explain how this is completely false.
#cdnpoli #cdnnatsec #cyberdefense #CDNdigital
Canada deserves a good score because of its private sector, but the federal government's policies and direction of cyber defense is ad hoc, shallow, and broadly lacks coherent direction or recognition of cyberspace as a threat environment.
There is a lot to discuss, but I'll focus on cloud networking.
On paper there is a lot of good that Canada has planned, it is working towards a classified defense cloud network in the Canadian Armed Forces (CAF), but last I heard the estimate for delivery/completion is 2030.
On paper there is a lot of good that Canada has planned, it is working towards a classified defense cloud network in the Canadian Armed Forces (CAF), but last I heard the estimate for delivery/completion is 2030.
There are a lot of reasons for the major delay, but a big one is a misunderstanding of how to treat cyber in the procurement system and governing policies that relate to the administration of the Department of National Defence (DND)/CAF networks and how to protect them.
This is not to say it is only DND/CAF's fault. Equal, or perhaps more, of the blame goes to PSPC and ISED. Leaders, in the military and government, are not taking cyber capabilities seriously.
They're not taking them seriously as neither a capability or the threats they can pose
They're not taking them seriously as neither a capability or the threats they can pose
This is directly coming into confrontation with the United States and Canada's plans for NORAD modernization.
I'm already hearing you: "Isn't NORAD modernization about new radars and deterring new ballistic threats and etc?"
Yes, but I will ask you in return how does NORAD intend to do this? New capabilities and radars, yes, but the foundation to NORAD modernization is IT infrastructure
Yes, but I will ask you in return how does NORAD intend to do this? New capabilities and radars, yes, but the foundation to NORAD modernization is IT infrastructure
Over the horizon radar is the big toy that is coming, but the foundation of #NORAD modernization is fundamentally about Joint All Domain Command and Control (JADC2). JADC2, more or less, is about connecting everything and everyone and feed that data to leaders.
The focus of JADC2 is about capturing the data produced by radars, sensors, infantry, etc, automatically process it with AI/ML, and feed that data to commanders and those who could use it.
Fundamentally, this is all about data and information management. There needs to be an increased emphasis on information security and how to protect these networks and data.
This is why Canada and DND/CAF's lack of policy and progress is concerning.
Shows they're not prepared.
This is why Canada and DND/CAF's lack of policy and progress is concerning.
Shows they're not prepared.
The divide between the infosec community and the government hasnt been bridge in Canada. There is a deep mistrust in the community.
Policies by Canada which deprioritize cyber defense and cybersecurity has the dual action of demotivating operators from working in government and the military, but also broadly reduces the cyber defense of Canada.
Which policymakers did the authors of the MIT Tech Review report actually consult with? Because it highlights the failure of the federal gov is begins with not understanding the threat.
How can Canada be taken seriously if it perpetuates a culture which says this is okay?
How can Canada be taken seriously if it perpetuates a culture which says this is okay?
Foremost, Canadian policy/poor leadership has been the top variable holding back cyber defense and cybersecurity at the federal level.
There has not been a whole-of-government approach to this because cyberspace is viewed as a tool, not as a domain that must be managed.
There has not been a whole-of-government approach to this because cyberspace is viewed as a tool, not as a domain that must be managed.
Word is there will soon be a new lead at the Prime Minister's Office to address digitization in the Department of National Defence. I called for a similar in my most recent CGAI article (cgai.ca/when_empty_pro…)
This move places an even higher level of attention than I even recommended, which is potentially a positive sign. I have heard some word on who it is specifically, but I am trying to not be too optimistic.
The bottom line: we need action and movement on this file.
The bottom line: we need action and movement on this file.
The problem with quantitative approaches is that cyber defense cannot be gauged by the baseline. The very nature of cyber defense is your threat model will differ from others.
Overall, I find the report has many issues, particularly with its methodology and methods. To rely on such models gives an incredibly false assumption of what is occurring and leads to additional poor policy.
Full report found here: mittrinsights.s3.amazonaws.com
Full report found here: mittrinsights.s3.amazonaws.com
• • •
Missing some Tweet in this thread? You can try to
force a refresh
