Ottawa should deploy a wide range of strategies, including tax breaks, to encourage small businesses to take cybersecurity more seriously, a member of a think tank told a parliamentary committee this week.
“I think the government should incentivize companies to adopt the latest security measures, such as the cybersecurity standard established by ISED (Innovation, Science and Economic Development) and CSE (the Canadian Security Establishment, the country’s electronic spy agency that also protects federal IT networks) for small and medium organizations,” Aaron Shull, managing director and general counsel of the Centre for International Governance Innovation (CIGI), told the House of Commons defence committee.
The standard he referred to is CyberSecure Canada, a program for small and medium-sized firms. Companies that meet certain criteria and pass a security audit can tell customers and partners they have met the certification standard.
Started in 2019, the program hasn’t been widely adopted. A year after the program was announced, IT World Canada found that only three firms had been certified.
“The standard provides a high level of protection,” Shull told the committee, “but its adoption — and this is the problem — has been limited. Implementing a tax benefit system as an incentive to help increase the overall level of cybersecurity in the country and reduce the risk of cyberattacks on businesses would be a way forward.”
Second, the federal government should establish a clear and concise legal framework for how the private sector can deal with cyber attacks, including guidelines for attribution of attackers, for response, and for liability should companies be allowed to hit attackers back. But, he added, the framework should also be “nimble and respond to a fast-changing environment.” And the regulations should be driven by “sound policy” and not politics. The cabinet would set standards, a code of practice and certification programs to act as an integrated compliance program, he said.
Third, Shull said, Ottawa should convene an annual cybersecurity conference for a wide range of stakeholders — companies, the IT industry, provincial, territorial, and municipal governments, academics, Indigenous communities, non-profits — to learn more about cybersecurity and do tabletop exercises. Not all sessions would be open to the general public.
One model, he added, is a “cybersecurity dialogue” that CIGI will host in June in Waterloo, Ont., where it is headquartered.
“In my view, cybersecurity is a whole of society concern for Canada,” Shull explained, “and everyone should do more to address this issue.”
In an interview, Shull noted the CyberSecure Canada program has been put forward by the Standards Council of Canada and the Digital Governance Council (formerly the CIO Strategy Council of Canada). “If you are a small and medium-sized enterprise you will probably be OK” to withstand attacks from unsophisticated threat actors, he said. It’s “relatively rare” for nation-state actors to go after SMEs here, he said.
But the federal government needs to give incentives to the private sector to act, Shull said. “We always wait for the ‘Oops’ moment before we do something.”
He isn’t sure how much of a tax incentive Ottawa should offer, other than “make it big enough that people will actually do it.”
But, he added, the economic benefit of having companies spend less on recovering from a cyber attack should increase government revenue and spur innovation.