Moving quickly on defence procurement and infrastructure projects does not mean throwing caution to the wind. To that point, the Government of Canada almost passed cybersecurity legislation in its last session. It was at the point of Royal Assent but fell short when Parliament was prorogued. Canada remains one of the few countries that does not have such legislation.
We need this legislation on the books for three critical reasons. First, civilian and military infrastructure is increasingly interconnected and may be targeted as part of overt or surreptitious attacks. The conflict in Ukraine has shown us that we would ignore this at our peril. Second, those managing these projects must be clearly and acutely aware of the need to protect that infrastructure in an increasingly digital world. At a minimum, this legislation should call out the need for proper risk assessments and design practices and should not fall back on less-robust practices like “compliance-based” approaches. Finally, we need to understand that building this infrastructure may be the first hurdle, but it will need to be managed well into the future. Those managing it must be acutely aware that managing security risks, including cybersecurity, will be an integral part of the cost of doing business.
Canada needs to look at this seriously, and the track record points towards the need for legislation to ensure that management tables are seized with its importance. In defence, the Canadian Program for Cyber Security Certification (CPCSC) is becoming mandatory within the Defence Industrial Base. What is needed, however, is for these national projects to be understood as part of Canada’s critical capacities and protected accordingly.