Home Newsroom 2005 Speeches (archive) Bloodworth: 2005-01-19

Canadian Security Establishment cyber protection forum

Speaking notes for
Margaret Bloodworth 

Ottawa, Ontario
January 19, 2005

As delivered

Thank you. Good morning. It is a great pleasure to be here and I want to thank particularly our colleagues and partners at the Communications Security Establishment for the opportunity to speak with you today, and for assembling this forum.

I would also like to thank each of you for coming. I know how busy you all are. I have times when I’m pretty busy too and finding a half-day, let alone two or three days, to attend a forum like this is not an insignificant task. And I suspect all of you will pay the price when you go back to the office for doing that. But I thank you for taking the time because these are important events to have and certainly the fact that so many people are prepared to be here bodes well for the implementation of Canada’s National Security Policy.

Now, as you know, the National Security Policy, which Rob Wright talked to you about a little bit yesterday, set the framework for an integrated approach to addressing Canada’s core national security interests -- that is protecting Canadians here and abroad, ensuring Canada is not a base for threats to its neighbours, and contributing to international security.

What I would like to talk about today is the importance of integrating cyber protection with our overall approach to national security, the role and activities of the department and the portfolio that I represent, and last -- but far from least -- the importance that all of you play in this effort.

PSEPC

I’m delighted to see the title of this forum, Protecting Cyberspace -- a Collaborative Effort, because you will see as I make my remarks that that is basically the underlying theme. This is not a job that any of us can do alone. And I think I probably don’t need to tell this audience this, but there are still some audiences in this country that believe one individual, one organization can do everything that it needs to do about protecting Canadians. Not true, as I’m sure you know, and I think I can say that integration is what Public Safety and Emergency Preparedness Canada is all about.

This portfolio of organizations includes CSIS, the RCMP, Corrections, Emergency Preparedness including cyber response and critical infrastructure protection, and a new Canada Border Services Agency, which itself is a bringing together of customs officials, immigration enforcement officials and food inspection officials at the border.

In other words, all the core functions are together, under the leadership of one senior Minister.

With the capacity to exploit the natural synergies among these different agencies, as well as discover new ones, the creation of this portfolio offers clear benefits to Canadians. We can be more effective in identifying and closing security gaps, communicating with one another and operating more strategically to protect Canadians.

And, because we can do a better job within the federal government, we can do a better job with our partners -- the provinces and territories, municipalities, the private sector and our colleagues in the United States and around the world.

Now, when I say that the PSEPC portfolio has a leading role in implementing the integration framework set out in the National Security Policy, I’m not saying we are in charge of everything.

We do have some specific responsibilities, such as auditing business continuity plans across government. We haven’t really got going on that yet, so here is a fair warning to get your business continuity plans in order because as we all know, there hasn’t really been an auditing capacity in government, although we have all been under instructions to make sure we can continue business.

So we have that new responsibility, which we are hoping shortly to get some resources for to undertake, and we also have specific responsibilities for coordinating the federal response to a national emergency. But, in more general terms, our job is to promote and support the type of collaboration we need to achieve the integrated approach to public safety and security described in the National Security Policy.

We are there to promote, encourage and support the collaboration we need to achieve this and it is important to have an organization who actually sees itself doing that because we will never, and probably never should have, all organizations responsible for public safety in one place. I’m not sure it would be doable. You just think across government about the number of different organizations that have a role, a significant role to play in public safety and security. It is never going to be everyone in one place. But, we do have to work together because the roles are not distinctive and they overlap, as I will say more about in a few moments.

And nowhere is an integrated approach more important than in cyber protection -- the need to secure and protect our critical information infrastructure.

Need for an integrated approach to cyber protection

The safety and security, not to mention the economic well-being of Canadians is increasingly dependent on our critical information infrastructure.

As we have seen time and again, if there is a problem in any part of any one of those systems, the impacts can cascade. There is no more vivid example than the blackout in 2003. Very quickly, the functioning as a whole is at risk.

From the operation of electrical generation distribution systems to air traffic control, virtually all these systems are connected to one another -- through a myriad of networks that we have constructed for very valid business reasons that we know have become dependent on in many ways, including the impossible-to-discipline Internet.

Indeed, perhaps no facet of critical infrastructure is more vulnerable, faces such a range of threats and is as disposed to the cascade effect than our critical information infrastructure.

The threat, as I’m sure those of you in this room know, is not just worms and viruses, although with recent major infections such as Blaster, SoBig and MyDoom, we continue to see the potential of viruses, bugs and worms to cripple vital systems and afflict literally billions of dollars of economic loss.

Our critical information systems are also vulnerable to physical damage, whether by accident or intent. Earthquakes, floods, tornadoes and certainly ice storms can all disrupt information systems as well as physical infrastructure.

An intentional attack can cause significant problems without being large or especially sophisticated. A few years ago, an individual used small and fairly simple explosive devices, a couple of them, to destroy the master terminal of a hydro electric dam in Oregon. The explosives didn’t do any harm to the dam itself, but the simple attack disabled the power generating turbines, and forced the switch to manual control.

Any type of coordinated attack on even a handful of these types of control systems -- electrical, water, gas distribution -- could lead to a major disruption. And just as physical events can disrupt information infrastructure, cyber disruptions can result in real physical damage and physical risk.

Consider the implications for public safety of an extended disruption -- and I’m talking about something as little as a few hours -- in the systems that control electricity distribution, water treatment and purification, or the communication networks that dispatch police and fire networks.

And consider too that a situation, whether physical or cyber, that puts our critical information infrastructure in jeopardy occurs at the very time when we are most reliant on this infrastructure to coordinate a response, assure public confidence and bring about an efficient recovery. It is not just the damage it does initially; our ability to be able to respond and recover from any disaster is very reliant on the information infrastructure.

These connections and interdependencies make an integrated approach to cyber protection essential. And because of the fundamental role our information infrastructure plays in delivering virtually all other services, this approach must in turn be integrated with our overall efforts to ensure public safety and security.

Now that is a huge task, and let me suggest it is a task that I’m not sure any of us will ever be able to declare victory over. It is an ongoing struggle that we must maintain continually because lo and behold, the systems and the interconnections, the networks and the uses, all change all the time too.

Now PSEPC is working on a number of fronts to promote this type of integration -- within the federal government, with other governments and the private sector in Canada, and internationally.

The Canadian Cyber Incident Response Centre is now the focal point for our activities in this area.

Canadian Cyber Incident Response Centre

This centre will be officially launched in the coming weeks and will be the cyber security component of the new Government Operations Centre established under the Government’s National Security Policy. This Operation Centre as a whole gives PSEPC the ability to carry out its responsibility for providing strategic coordination for the Government of Canada’s response to any emerging or occurring events that affect national interests.

I should mention here that the Government Operations Centre is also the core of the National Emergency Response System, which is being developed by PSEPC to ensure Canada is prepared and able to respond to all current and future threats or emergencies, and, as necessary, coordinate the federal response with provincial and territorial governments and the international community.

Again, reflecting the need for an integrated approach, the National Emergency Response System will provide a common structure to be used by the federal government to respond to all safety and security situations, including events affecting critical information infrastructure.

The Cyber Incident Response Centre will monitor for cyber security threats on a 24-7 basis and will certainly be a key element of the national response system. However, we are not building in our department a replica of the capacity, even if we could do that which I have serious doubt, the capacity and the expertise that exists across government in this area. The Royal Canadian Mounted Police, the Canadian Security Intelligence Service and the Communications Security Establishment are all partners in the work of this Cyber Incident Centre. What we are doing is providing infrastructure to coordinate and to plug in the parts of the Government that can bring their specialized expertise.

In addition to maintaining a regular flow of information in response to potential, imminent or actual threats to Canada’s cyber structure, the centre will also issue cyber alerts and advisories as situations warrant.

This information -- including recommended actions for protection and correction as required -- will be made available to governments at all levels as well as key private sector stakeholders such as energy and utilities, communications, transportation and safety services. We will also share with international partners as appropriate.

International cooperation

Now the reason for strong international cooperation is pretty fundamental. Our fibre-optic cables and wireless networks don’t terminate at the border, and I have yet to see any kind of firewall that can divide us all at the border either. Hackers anywhere in the world can very quickly make their presence felt in Canada. The threat of cyber-terrorism from abroad, an attempt to disrupt the nation’s financial sector for example, remains very real.

Regardless of the country being targeted, the repercussions of such an attack would almost certainly be felt around the world. In other words, even if the attack is not against us, we could well feel the impact. One could imagine, for example, if there had been a concerted attack last summer on the American financial system. Our financial system is intimately linked with the American one and there is no doubt it would have had huge implications for our system and our country as well.

For this reason, PSEPC is very active in promoting greater international cooperation in cyber protection. Through the Canadian Cyber Incident Response Centre, we will continue to expand Canada’s international partnerships, enhancing our capacity to respond and warn of threats wherever they may originate in the world.

The Centre already has reciprocal relationships with its counterpart national cyber incident response agencies in the United States, the UK, Australia and New Zealand and is also a member of the Forum of Incident Response and Security Teams, or FIRST.

The FIRST organization currently has more than 170 members representing computer security incident response teams from government, commercial and educational organizations around the world. One of PSEPC’s predecessor organizations was the major sponsor of the annual meeting of FIRST held in Ottawa in June of 2003. We are encouraging FIRST members to hold a future annual meeting in South America as a means of promoting greater cooperation and cyber protection with that region.

We are also active in the Organization of American States’ Cyber Security Strategy. The first ever meeting of national cyber security experts of the Americas was hosted by PSEPC and Foreign Affairs in Ottawa last March. This meeting led to an agreement to build the cyber incident watch and warning network in the Americas.

Our relationship with the United States is of course a key and ongoing priority in this area as well as in the full range of things that the department and the portfolio are involved with. Our two countries are linked in so many ways and the impact of any significant event in either country is almost certain to be felt in the other.

We continue to deepen our cooperation with the Department of Homeland Security, which is a challenge for both of us because we are both new organizations. I would like to think it is even a bigger challenge for them given their size. They are about 180,000 people, which is almost the size of the Government of Canada in the one department and there is no question they have challenges. But they have made huge strides and don’t believe all the press you read occasionally about the fact that they are involved in bureaucratic squabbles. I have seen very little of any evidence of that. The Americans, when they make up their mind to do something are very effective at getting things done, and they have made huge progress.

Fortunately, they have been very good partners with us. We now have a joint action plan between myself and the Deputy Secretary and included in that is Critical Infrastructure Protection, which is being headed up by Paul Kennedy, Senior Assistant Deputy Minister here and, currently, Assistant Secretary Robert Liscouski, who will be moving on in the next few months, but will be replaced.

This is key in all areas of public safety and security, including the protection of our shared critical infrastructure -- physical and cyber. Among other activities, we are conducting joint vulnerability assessments and working together to set priorities for the protection of shared infrastructure, improving joint plans for bi-national emergency response, improving information-sharing for alerts and warnings and sharing information with key stakeholders. This is a huge priority for all of us at Public Safety and cyber is an important component of that.

Domestic initiatives -- National Cyber Security Task Force and Strategy

Our work with key stakeholders is also a cornerstone of our cyber protection efforts within Canada. In addition to our collaboration with the provincial and territorial governments, we must recognize that some 85 percent of the critical infrastructure as a whole, including critical information infrastructure, is owned and operated by the private sector.

We are consulting with those private sector partners before establishing a National Cyber Security Task Force, which is part of meeting one of the National Security Policy commitments to develop a National Cyber Security Strategy for Canada. The task force will lay the groundwork for the National Strategy by taking stock of the critical components of the national cyber infrastructure and describing the nature and scope of the threats to this infrastructure.

But one of the key challenges is making sure that as we do this, we can protect the information associated with it. This is not exactly something that we would like to lay out for the world to know, so that is one of the key challenges we are discussing with the private sector. I have had several discussions with some of the heads and some of the big associations about how we go about doing that.

The Task Force will also examine Canada’s state of readiness to respond to and recover from a cyber incident, and recommend action plans to strengthen our critical information infrastructure.

Now the members of the Task Force will be drawn primarily from the senior niche of Canada’s key critical infrastructure sectors, and we have engaged with key representatives from those sectors in determining the composition and structure of the Task Force. That kind of engagement and consultation is a necessity if we are not only to benefit from the considerable expertise that exists in the private sector on this, but also ensure what is fundamental -- the private sector’s buy-in and commitment to doing something about it.

I think that is still very uneven across various sectors. I don’t think there is any question of the buy-in and commitment of the electrical sector for example. I think any CEO of any electrical company in Canada has now been made vividly aware of the need to do things in this area, but it is a little more mixed when you look at other sectors.

Equally essential to achieving that buy-in is evidence that the government of Canada is putting its own cyber protection house in order. It is not enough, as they say, to just talk the talk. And in that certainly the Communications Security Establishment is a key partner of ours. They have huge expertise and we all need to rely on that as we go forward.

Conclusion

And, if I can return to the sentiments I expressed at the beginning of my remarks, that’s why I consider this as such as important forum. It is an opportunity to emphasize the need to work together towards our goal.

This is the first time I’ve had an opportunity to speak to the Government of Canada’s cyber protection community as a whole, and so it is also my first opportunity to reinforce with this community the message that developing an integrated approach to cyber protection across the Government of Canada is everyone’s job.

And by that I mean that this is a job that goes beyond our responsibilities as individual departments to meet government-wide requirements such as the Operational Security Standard on Business Continuity Planning.

Achieving integration is not a departmental job -- it is a Government of Canada job.

And it is the responsibility of all of us as part of the Government of Canada to achieve it.

Yes, PSEPC has been assigned a lead role in efforts to protect the Government of Canada’s own infrastructure to ensure it is robust and able to deliver essential services to Canadians in times of crisis -- but it is not all going to be done by that one department. All we can do is provide a leadership, and provide fora for people to do that.

But it is up to people like you, the key policy and decision-makers in cyber protection to look beyond the borders of your own department, to understand the critical information connections across government, and to work with your colleagues and other departments to ensure those connections will continue to function in an emergency.

Part of this job is integrating the numerous cyber security-related initiatives and capacities that exist right now across government.

We need to connect these different initiatives with each other and also with other related policy areas such as privacy and information management. Cyber security needs to become an enabler for our other existing policy commitments, not an impediment to achieving them.

National Security Policy designates PSEPC as the lead department in developing an integrated approach to government preparedness and response and with resources like the Government Operations Centre and the Canadian Cyber Incident Response Centre. And we do have a lot of expertise and important operational capacity. We can provide significant support, but let me underline the word support.

We cannot do it all and I think it would be foolish to suspect -- to think that any one organization can do it all. What one organization including PSEPC cannot provide is the type of cross-governmental collaboration that is needed to achieve these aims, which are so essential to the safety and security of Canadians. We can encourage it, we can promote it, we can support it, and as I’m doing right now, we can try to explain why it is necessary. But actually doing it is all up to us. And this, in the cyber area, is very much up to those of you in this room.

Let me assure you that if Canadians are depending on me to protect their cyber space, they are in deep trouble. I’m very much on the -- I wouldn’t say completely illiterate, but the lesser-literate side of the cyber world. It needs those of you who understand and know what it is about to actually tell those of us who have an interest in pursuing it what it is we need to do in a practical, pragmatic way because we know we can’t change the world tomorrow. But you know what? If we don’t make a start, it won’t be changed at all. So we have to change step by step.

I personally strongly believe that as public servants, we have an overarching responsibility to ensure the health, safety and security and well-being -- economic well-being -- of Canadians. Whatever job we might happen to be in, that is part of all of our responsibilities.

This forum provides an excellent opportunity to talk about how we can work together as government to carry out that responsibility and I certainly congratulate the Communications Security Establishment for having the foresight to be a leader in establishing this forum. I encourage them to continue in this because we know we will not fix all these issues in the next week, the next month or next year. So, we will need to continue to talk with one another, and be able to compare notes both on what we need to do and on what some of our problems and challenges are. This is an excellent forum for being able to do that.

So I thank the Canadian Security Establishment for creating this forum, for inviting me here to speak and let me wish you the best of luck in doing this and assure you of my full support. That is not just because you and I might want to do it. It is because it is truly important to this country that we get that right. So you can be assured of my full support as you make great strides in this area. Thank you very much.