Meeting the challenges of cybersecurity requires new regulatory solutions
With the rise of online communication and data-driven technologies, cybersecurity has become an increasingly important area to ensure the protection of essential services that are delivered via digital platforms across all of society.
Cybersecurity is the practice of protecting infrastructures, applications, systems, and networks from digital attacks. Cyberattacks can take advantage of technological vulnerabilities and attack target systems by accessing, changing, or destroying sensitive information without permission, extorting money from victims, or interrupting the normal functions of digital service providers.
Notably, the increased demand for remote work arrangements in the wake of the COVID-19 pandemic requires more stable and secure cybersecurity systems, including new solutions to concerns around data privacy. However, despite cumulative efforts to improve best practices in recent years, many sectors continue to face adversarial targeting.
Due to the importance of such efforts, it is crucial for governments to leverage their resources to develop a more comprehensive strategy for national and global cybersecurity, in addition to raising awareness among citizens, businesses, and other aspects of civil society.
In a roundtable hosted by the Schwartz Reisman Institute for Technology and Society (SRI), SRI Research Lead David Lie moderated a conversation with Marc Kneppers, chief security architect for TELUS, and Charles Finlay, founding Executive Director of the Rogers Cybersecure Catalyst at Toronto Metropolitan University, to discuss the future of cybersecurity regulation, and the role of government in managing cybersecurity in the private sector. Lie is a professor in the University of Toronto’s Department of Electrical and Computer Engineering and Canada Research Chair in Secure and Reliable Systems whose research explores security for mobile platforms, cloud computing, and how to bridge the divide between technology and policy.
The panel’s discussion integrated technical, legal, and social perspectives to consider how cybersecurity practices impact public and private spaces, strategic considerations around policy, and how Canada’s approach fits within an international context. The conversation made clear that successful cybersecurity requires extensive partnerships and communication across a wide range of sectors, and that innovations and standards must be developed by policy leaders and experts in advance with an eye towards emerging developments across the political and technological landscape.
The role of government in ensuring cybersecurity protection
The panel agreed that government can take on many roles when it comes to cybersecurity, including a wide range of contexts from pre-attack preparations to post-attack recovery actions. Specifically, panelists noted that governments should focus on social coordination efforts such as prioritizing threats, identifying best practices and standards, and establishing minimum security requirements for organizations.
More support in monitoring cybersecurity is needed within the Canadian federal government, observed Kneppers, who highlighted the importance of governmental authority to play an active role in developing long-term strategies, directing activities, and explaining concrete outcomes. Finlay suggested that government should drive considerations of priority, manage expertise to ensure better forms of regulation, and respond to real-time events with social and political impacts—such as changes in international dynamics and authoritarian regimes—to ensure that organizations across Canadian society are better prepared.
What trends in cybersecurity legislation are on the horizon?
While cybersecurity protections are most often considered on an individual or organizational level—for instance, consumer privacy and protection—recent trends indicate an increase in strategic national interests around cybersecurity issues.
In recent years, governments have introduced increasingly significant regulatory regimes related to cybersecurity amidst political pressure, such as the United States’ “Strengthening American Cybersecurity Act,” which was developed in response to the Russian invasion of Ukraine, the United Kingdom’s amendment to its Telecommunications Act for additional requirements on supply chain and operational security, and Canada’s recently-proposed Bill C-26. The panel noted that governments must increasingly focus on aspects of cybersecurity relating to domains such as healthcare, public transportation, and power generation, and establish clearer and more consistent protocols for federal intervention against potential attacks.
In response to deteriorations in the international security environment through global conflicts, the panel observed that it will be crucial for policymakers to develop thoughtful regulations and long-term investments, possibly through leveraging computing and information technology. However, identifying malicious attacks and responding in real-time is still challenging for current regulatory mechanisms. For example, governments often focus on telecommunications security, but gaps continue to exist between unregulated innovation and legislative responses.
How does Canada’s approach differ from other countries?
Panelists noted that the United States tends to lead in both its coverage of details in legislation as well as the effectiveness of such regulations due to its economic power and weight, while Canada tends to lag in developing legislation responsive to global changes and international events.
In most cases, Canada’s approach is closer to that of the UK in terms of particular legislative efforts, but also takes into consideration the topics recently deployed or revised by the US, such as plans for cyber investments and law enforcement. For instance, Bill C-26 serves as an effort from Canada to catch up with its allies in cybersecurity and privacy protection.
However, despite being slow in responding, Finlay suggested that it is unnecessary for Canada to jump ahead due to factors such as cultural differences. Kneppers also pointed out differences between Canada and other countries in handling attacks such as hacking: the US tends to deploy more aggressive and stricter enforcement when it comes to prosecuting cybercriminals.
The panel observed a significant disparity between the ways that the US and UK governments develop legislation: the UK acknowledges that some cybersecurity issues are due to benign errors, so there is no need for heavy prosecutions. The panel concluded that Canada falls in the middle in most aspects, including overall security strategy, deployment of regulations, and tendencies to punish cybercrimes.
What other sectors are likely to see increased cybersecurity legislation?
Projecting into the near future, public and private sectors should work in parallel, develop long-term relationships, and ensure secure infrastructures. The panelists suggested that it would be beneficial for governments to increase their cybersecurity capacities for private sector operators and optimize the resource allocation given specific tasks and goals.
The panel also noted that the academic sector in Canada is critical to driving cybersecurity innovation. By convening various sectors and enabling collaboration, governments could leverage the diversity of perspectives within higher education institutions to develop new and innovative approaches towards security and privacy issues, in addition to legislation and law enforcement. For efficiency, the federal government should play an essential role in bringing provincial jurisdictions together to follow a general direction when deploying solutions to not only cybersecurity but also other social issues.
About the author
Wenjun Qiu is a PhD candidate in the Department of Electrical and Computer Engineering at the University of Toronto. She is a graduate fellow at the Schwartz Reisman Institute and a member of the Vector Institute for Artificial Intelligence. Her research area lies at the intersections of AI, machine learning, law, privacy, and security. Her current projects focus on automated analysis of privacy policies with machine learning and NLP techniques, the improvement of readability, transparency, and accountability of privacy policies, and attacks and defenses of machine learning models.