May 24, 2024 Welcome to Cyber Security Today. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.

My guest this week is Anita Anand, Canadian cabinet minister and president of the Treasury Board. She’s here to discuss the release of the first cybersecurity strategy for most federal IT departments.

Anand is the MP for the Ontario riding of Oakville. Treasury Board, which she heads, sets certain broad policies and strategies across the whole federal public service. She is also the former Minister of Defence.

I wrote in detail about the strategy earlier this week. It came after the government concluded federal departments and agencies are making only marginal progress in improving their cyber maturity.

The first phase of the strategy will

• establish a centralized evaluation system with independent assessments and thorough reviews of departments’ cybersecurity to identify and prioritize risks;
• create a federated integrated risk management platform to enable prioritization and data-driven reporting as a key part of a broader enterprise portfolio management system;
• create a government-wide vulnerability management program for a co-ordinated vulnerability disclosure process; and
• form a new Purple Team that will emulate techniques used by malicious threat actors against government systems to proactively test and audit any security gaps.

While Treasury Board sets certain broad policies and strategies the actuall running of federal departments’ IT infrastructure is in the hands of the departments, who have their own CIOs and IT security leaders. But some services, like email, communications and data centres, are provided by Shared Services Canada. In addition the Defence Department, through the Communications Security Establishment and the Canadian Centre for Cyber Security, provide technical advice. One of the questions I asked Anand is whether this multi-level arrangement causes problems.

The strategy calls for the eventual creation of centralized or command security operations centre (SOC) at the Cyber Centre Security to monitor all federal IT security infrastructure as well as an infrastructure security and network operations centre (ISNOC) at Shared Services Canada for network monitoring.

I asked Anand why the strategy was being released now, because the Liberals have been in power for over eight years. “We know that there are varying levels of cyber maturity across departments and agencies within our government,” she replied. “We know that a unified approach would be more effective, would improve cyber maturity And so we want to be able to effectively identify and respond to new and emerging threats, and doing it with a unified approach makes the most sense.”

In explaining why departments have different levels of cyber maturity she said it’s “because each individual department is responsible for its own cybersecurity. And what this announcement is saying is that an individual siloed approach to cybersecurity is less effective than a unified level playing field for all departments and agencies.

“As I said, this is going to be over a hundred departments and agencies combined, and it’s going to allow for comprehensive awareness of the cyber security risk environment. It’s also going to allow us to strengthen capabilities and resilience across the government of Canada to proactively prepare for and respond to and recover from cyber security events.”

I also asked if the federal government will lead by example and publicly share detailed lessons with the public on what it learns from its own, major cyber attacks and incidents.

“That’s a very good question,” she replied, “and one that I hope to be able to respond to more fully. I do believe in sharing best practices and lessons learned and so I will be ensuring that we are able to share some information along those lines.”

To hear the full interview play the podcast.