愛污传媒

Millions of computers went offline around the world on Friday after a faulty CrowdStrike software update impacted airlines, hospitals, banks and broadcasters. Cyber experts say Canada failed in its response compared to other countries, showing it's vulnerable and ill-prepared for future attacks.

鈥淐anada was middle of the road. I would score it very poorly; say three out of 10," said cybersecurity expert Brian O'Higgins during a Zoom interview on Sunday. "Some countries are a bit more organized."

"Canada is not prepared," said another cybersecurity expert, Ritesh Kotak, in a Zoom interview. "There's a lot of work that needs to be done."

Cybersecurity experts say Canada doesn't have a streamlined process on how to respond to a cyber outage or attack. Instead, they say, Canada relies on multiple, separate entities to deal with cyber issues.

"Having a cyber czar or one point of contact makes sense for all of this," said O'Higgins. "Right now, there are 10 of them, or maybe more, and there's a lot of expertise. But much of it is in classified domain and much of their life is spent not talking to people and we need the opposite. So, it's all about organization."

Cyber analysts say Friday's IT outage left multiple companies and provincial bodies to try and find solutions to the outages on their own -- instead of having a singular governmental body to go to for help.

O'Higgins and others point to Australia as the 鈥済old standard,鈥� where there is a Minister of Cybersecurity, whose sole responsibility is to be a point-person when cyber issues, like the outage, hit the country.

"At the macro-level, we need better coordination among all levels of government to ensure that there's adequate resources, that there's coordination when a cyber attack or outage occurs," said Kotak. "We need a single point of contact, somebody who is in charge, somebody to coordinate when there's an attack. I think it falls apart when it's sectoral, whether it be industry or defence or public safety -- and they're all having their own cybersecurity responses."

Cybersecurity experts also say Canada lacks a robust strategy like other countries, that allocates funding and other resources to cybersecurity initiatives, including holding tech companies accountable for gaps in their cybersecurity initiatives.

"We [Canada] don't have laws in place. We don't have frameworks in place," said technology expert Carmi Levy during a Zoom interview Sunday

"The European Union has its Cyber Resilience Act, which holds companies accountable for making sure they are doing everything they can to keep themselves and their stakeholders safe. And (they) have consequences built into the legislation if you don't comply," added Levy.

Cybersecurity experts also point to , released in late 2023, which allocates hundreds of millions of dollars in funding and other resources until 2030 to the cybersecurity sector.

"Australia's cybersecurity strategy has actual dates on it and funding to make sure they hit those dates as well, they have prioritized upfront and giving teeth to their legislation and teeth to their initiatives."

"Whereas, in Canada, we did introduce a national cybersecurity strategy earlier this year, but there's very little budget, there's no timeline and there's really no understanding where this is going to lead Canadians," said Levy.

Cybersecurity experts say there needs to be more legislation and funding to help companies who may not have the resources to respond to a cyber attack or outage. "These grants and funds should also be barrier-free," said Kotak.

"On a micro-level, what I would like to see is more grants, more resources, being given to small to mid-size businesses to prepare them for the inevitable.鈥�

O'Higgins says there need to be more regulation -- and enforcement of those regulations -- to get Canada caught up with other countries.

In response, Communications Security Establishment Canada (CSE) said "the Government of Canada is currently undertaking a renewal of the National Cyber Security Strategy, which originally launched in 2018."

It added "Bill C-26 (An Act Respecting Cyber Security) is a critical next step that provides the government with new tools and authorities to bolster defences, improve security across vital federally regulated sectors, and protect Canadians and Canada鈥檚 critical infrastructure from cyber threats. The bill is before the Senate and would require companies in four Critical Infrastructure sectors (energy, telecommunications, finance, and transport) to report cyber incidents to the Cyber Centre, along with making some important protective measures mandatory 鈥� like having a cyber security plan in place, for example."