In its recently released fall 2012 report, the Office of the Auditor General of Canada (AG) outlined several shortcomings in the country’s efforts to protect critical infrastructure from cyber threats.
The report provides specific recommendations for information-sharing policies that the U.S. government should use as it tries to develop U.S. cybersecurity policies.
The Canadian government has correctly emphasized the important role that information sharing plays in maintaining cybersecurity. Cybersecurity threats to important infrastructure—such as the electrical grid, the financial sector, and water reservoirs—are constantly changing. As a result, it is essential that those charged with protecting against cyber threats have up-to-date information about the latest risks. Even though Canada recognizes the value of such an approach, its execution has left something to be desired.
For example, in 2005, Public Safety Canada established the Canadian Cyber Incident Response Centre (CCIRC). The CCIRC is essentially an information clearinghouse for the Canadian government and the private sector. According to the AG report, CCIRC’s effort in “monitoring the cyber threat environment has not been complete or timely.”
Specifically, CCIRC does not operate around the clock. Also, many businesses and government departments did not notify CCIRC about new cyber threats. In some cases, private-sector actors were not even aware of CCIRC’s existence.
The AG report also highlighted the incomplete development of partnerships between the government and private sector. Canada has established 10 working-sector networks so that the government and private sector can coordinate efforts to identify and protect against cyber threats. According to the report, six of these networks do not include representatives from the private sector.
As the U.S. attempts to pass and implement its own cybersecurity policies, U.S. officials can learn from Canada’s experience. Any effective information-sharing system should have cooperation between the government and the private sector. All parties involved should understand the process by which information will be shared. Additionally, any information-sharing system should consistently facilitate the flow of information between the private and public sectors in a timely fashion.
Most importantly, the U.S. can also greatly improve information sharing by removing legal barriers, offering liability protection to those who share information, and protecting shared information from Freedom of Information Act requests. Providing such protections would improve the quality and quantity of information sharing by lowering the potential costs to the private sector. Eliminating legal ambiguities in private-to-private sharing would also allow stakeholders to share in a trusted, bilateral way and coordinate efforts in identifying threats.
These lessons learned from the Canadian AG report should be carefully considered by President Obama as he moves forward with a harmful cybersecurity executive order, and they should be at the forefront of any cybersecurity legislation that Congress takes up when it returns.
Steven Ballew is currently a member of the Young Leaders Program at The Heritage Foundation. For more information on interning at Heritage, please visit: http://www.heritage.org/about/departments/ylp.cfm.