Fed up with what it believes is a federal government that doesn’t work closely enough with the private sector on cybersecurity-related acquisitions, an industry association has called on Ottawa to look at other countries for models of public-private co-operation.
In a report issued this week, the Canadian Association of Defence and Security Industries (CADSI) says the United States, the U.K. and Australia offer strategies the government here should pick up on to improve this country’s cyber defence.
The association believes the pace of federal decision-making on software and hardware procurement pick up with better collaboration. Unlike the public sector, the report says pointedly, cyber firms are “the engine driving the relentless pace of cyber innovation” and “are not burdened by years-long or decades-long acquisition and deployment processes. Instead, they can field a new, fully-functioning technology solution in months or weeks.”
The report is a follow-up to one released last year by the association with a similar complaint. But the latest report suggests best practices from other countries Ottawa could use as models to kick decision-making here to a higher gear.
For example, it cites the U.K.’s Industry 100 program, which enables industry experts to work directly with the National Cyber Security Center (NCSC) in short-term placements. This gives them an opportunity to understand and challenge the way the government thinks and, tests innovative ideas inside the government environment.
“Overall, Industry 100 promotes greater mutual understanding of cybersecurity, better cyber policy, improves the delivery of programs, helps both government and industry identify systemic vulnerabilities, and reduces the future impact of cyberattacks,” says the report.
By comparison, Canadian national security agencies “seem exceptionally reticent” to have private-sector contractors work on sensitive government networks, the report says.
The report does praise the new Cyber Security Co-operation Program launched last fall by Public Saftey Canada, which funds cyber research projects. as signalling the government’s intent to experiment with new arrangements. But ultimately it wants the government to place responsibility for the development and delivery of cyber solutions in the hands of the private sector, supported by the government with controls to ensure appropriate implementation.
“Collaboration between government and domestic industry on cyber has become second nature to our allies,” CADSI CEO Christyn Cianfarani said in a release accompanying the report. “But our own government is not leveraging the industry to its full potential. It’s estimated that 98 per cent of Canadian cyber infrastructure is owned and operated by private firms, so we need to be at the table.”
The report recommends a series of steps that the Canadian government can take within the next one to three years, including:
- Establishing an Economic Strategy Table dedicated to cyber. The government has already created ESTs in other areas, pairing industry execs with senior bureaucrats to jointly tackle pressing problems.
- Opening the door to public/private sector talent exchanges, like the U.K. Industry 100 program.
- Setting up a classified operational network for threat information sharing with the private sector and testing solutions. The government said in its last budget it plans to do this.
The report intentionally avoids suggesting what it calls complex, machinery-of-government overhauls, Cianfarani said.
“Deep institutional change is hard, and we acknowledge that. But most of these solutions have already been road-tested by our allies and can be implemented in relatively short timelines.”
CADSI represents some 900 companies that sell defence and cybersecurity solutions, ranging from IT technologies to aircraft.