Canada’s public safety minister says the federal government is weighing introducing mandatory incident reporting for cybercrimes to better understand their prevalence domestically and how to prevent them going forward.
Speaking to the House of Commons Public Safety and National Security committee on Thursday about Canada’s security posture in relation to Russia, Mendicino said the government is on “high alert” for cybercrime activity.
“I cannot emphasize enough how important it is that in the current geopolitical environment within which we find ourselves that we are very much on high alert for potential attacks from hostile state actors like Russia, which could manifest through cyber-attacks, through ransomware, which look to identify potentially valuable targets to Canadian interests, like critical infrastructure,” he said.
As it stands now, it’s only recommended that non-federally-regulated entities report cybercrimes.
Asked by NDP MP Alistair MacGregor whether Ottawa is considering making it mandatory for all sectors, the minister said “I absolutely think it's something that we need to be considering, for sure, yeah, it's an option that we're considering very carefully.”
The Canadian Security Intelligence Service “espionage and foreign interference activity at levels not seen since the Cold War.”
In January, the Canadian Centre for Cyber Security and the Communications Security Establishment issued warnings about Russian-backed cyber threat activity targeting Canadian critical infrastructure network operators and their operational and information technology.
At the time, to businesses to enhance organizational vigilance, have a cyber-incident response plan, and be prepared to isolate infrastructure components and services from the internet.
Those warning calls have grown louder amid Russia’s invasion of Ukraine.
David Shipley, CEO of Beauceron Security, a Fredericton-based cybersecurity start-up, told the committee on Tuesday some companies are encouraged not to report cybercrime activity with the government as it can be too laborious.
“Most organizations are not going to voluntarily engage with the federal government. During incidents, they're told by their legal and risk teams or by their insurer to limit information sharing and disclosure as working with government does seem to offer limited gain, and much to lose,” he said.
“This means we lose crucial insights into attacks on Canada and even more importantly, the root causes and key lessons are not learned or shared effectively.”
He says Canada needs to shift the risk equation so that companies operate based on the premise of report or face consequences.
