The federal government is moving to strengthen Canada’s national cybersecurity ecosystem with the help of five universities, amid rising digital crimes perpetrated by hackers, companies and governments.
The Cyber Security Innovation Network (CSIN) aims to enhance research and development, increase the commercialization of IT security, and expand the country’s talent pool. The network was unveiled last month by the Ministry of Innovation, Science and Economic Development Canada (ISED) as part of the government’s roughly $500 million National Cyber Security Strategy. This pan-Canadian initiative is being led by the National Cybersecurity Consortium (NCC), a federally incorporated non-profit consisting of Concordia University, Ryerson University, the University of Calgary, the University of New Brunswick and the University of Waterloo.
The consortium’s work is getting underway as Russia’s invasion of Ukraine is raising awareness of cyberattacks, said Mourad Debbabi, director of Concordia’s Security Research Centre. “But the reality is, cyber war is happening every day, with governments, utilities, banks, industrial corporations, academic institutions and individuals worldwide targeted on a daily basis,” he said. “We are aiming to bring together all of the major actors in this space to help push forward the agenda of cybersecurity in Canada.”
As homes to distinguished cybersecurity R&D centres, the five consortium universities bring a robust mix of sector knowledge, experience and connections. Combined, they have expertise in conducting interdisciplinary fundamental and applied research, delivering training to individuals and companies, and nurturing start-up and scale-up firms. They will focus the network’s projects in the following areas: critical infrastructure protection; privacy and privacy-enhancing technologies; human-centric cybersecurity; software security and network security.
With up to $80 million in funding over four years, plus one-to-one in matching funds to be obtained by the consortium through cash or in-kind contributions, the NCC will facilitate multidisciplinary, cross-sector cybersecurity R&D, talent and business development collaborations between academia, industry, non-profits and government. It has already attracted the participation of numerous stakeholders: 140 researchers at 42 postsecondary institutions, 36 companies of all sizes, 26 non-profits and eight government entities.
“We see the three parts of our mandate – R&D, commercialization and talent development – as like three legs on a stool, in that all three are needed for the program to move forward in a meaningful way,” said Ken Barker, director of the Institute for Security, Privacy and Information Assurance at the University of Calgary. “Our job is to strike the right balance in how we invest in these three ‘legs’ in order to be catalytic across the entire ecosystem.”
‘A crisis in talent’
The CSIN’s work will help bolster a sector that is becoming increasingly important to Canada’s economy: according to Statistics Canada, the cybersecurity industry contributed over $2.3 billion in GDP and 22,500 jobs in 2018. Yet, in its February 2022 federal budget recommendations, the Canadian Chamber of Commerce noted that the country’s cybersecurity spending per capita is about half that of some other G7 countries and advised investing an additional $1.5 billion in the federal cybersecurity strategy.
“Canadian companies like Entrust, Certicom and BlackBerry were pioneers in cybersecurity innovation,” said Charmaine Dean, vice-president, research and international at the University of Waterloo, home to the Cybersecurity and Privacy Institute. “But Canada needs to step up the pace in terms of generating intellectual property compared to the major players like the U.S., China, South Korea and Europe.”
Of course, it’s difficult for organizations to invent and commercialize new cybersecurity solutions when there aren’t enough specialists around with the right expertise. The Information Systems Security Association surveyed nearly 500 cybersecurity professionals worldwide last year and found that 57 per cent of organizations were affected by a shortage of talent. A larger survey by (ISC)², a non-profit focused on IT security training, identified a shortage of 2.7 million cybersecurity professionals worldwide – including 25,000 in Canada – and a need to grow this workforce by 65 per cent to defend the critical assets of organizations effectively.
“Industries are experiencing a crisis in talent, and this is true across a range of sectors, including the financial and infrastructure sectors. This problem is not limited to Canada; other countries are also experiencing critical shortages of cybersecurity experts,” Dr. Dean said. “Unfortunately, the demand for talent in this field is not being met by the existing labour supply.” The NCC will support the development of a diverse range of cybersecurity training programs, she said, including academic degrees, career upgrading and workforce upskilling.
The rising cost of cybercrime
The CSIN faces high stakes: cybercrimes are not only increasing each year, they are also becoming increasingly sophisticated. Statistics Canada found that one in five Canadian businesses reported being impacted by cybersecurity incidents in 2019. For example, the federal government reported that in the first half of 2021, ransomware attacks in Canada increased by 151 per cent compared to the first half of 2020.
The costs of dealing with growing cybercrime continue to rise. Last year, IBM reported that in Canada, the average cost of a data breach was $5.4 million, compared to $4.5 million in 2020. To prevent, detect and recover from cybersecurity incidents, Canadian businesses reported spending $7 billion in 2019, Statistics Canada says. According to PwC’s 2021 Global CEO survey, 80 per cent of Canadian CEOs say they’re concerned cybercrime will affect their growth prospects. The mounting concerns led Prime Minister Justin Trudeau to task ISED and other ministries in December 2021 with renewing the National Cyber Security Strategy.
Looking ahead, the consortium will need to focus on a few essential areas, said IT security consultant Terry Cutler. He leads Montreal-based Cyology Labs, which provides data defence services to companies nationwide, and founded Internet Safety University, which offers free cybersecurity training. Noting that interns at his firm have often lacked essential competencies, he said the NCC will need to ensure educational curricula feature up-to-date content as well as opportunities for real-world training. It will also be vital for CSIN projects to engage cybersecurity experts, he said, in order to better understand the gaps and opportunities in the sector.
Mr. Cutler also emphasized the need for the consortium to promote the development and use of endpoint detection and response. That’s an advanced data security approach which involves humans and software conducting real-time continuous monitoring of internet-connected devices for suspicious activity, combined with highly automated analysis and containment capabilities.
“What’s lacking right now in our government and most organizations is visibility” of threats, he said, because detecting attacks usually takes many months. “We’ve got to be able to find technology that can effectively identify intruders, and then have proper management to get these people out.”