{"id":310852,"date":"2021-07-28T18:13:32","date_gmt":"2021-07-28T15:13:32","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/as-cyberattacks-skyrocket-canada-needs-to-work-with-and-not-hinder-cybersecurity-experts\/"},"modified":"2021-07-28T18:13:32","modified_gmt":"2021-07-28T15:13:32","slug":"as-cyberattacks-skyrocket-canada-needs-to-work-with-and-not-hinder-cybersecurity-experts","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/as-cyberattacks-skyrocket-canada-needs-to-work-with-and-not-hinder-cybersecurity-experts\/","title":{"rendered":"#As cyberattacks skyrocket, Canada needs to work with\u2014and not hinder\u2014cybersecurity experts"},"content":{"rendered":"<p>&#8220;<strong>#As cyberattacks skyrocket, Canada needs to work with\u2014and not hinder\u2014cybersecurity experts<\/strong>&#8221;<\/p>\n<div>\n<div class=\"article-gallery lightGallery\">\n<div data-thumb=\"https:\/\/scx1.b-cdn.net\/csz\/news\/tmb\/2021\/as-cyberattacks-skyroc.jpg\" data-src=\"https:\/\/scx2.b-cdn.net\/gfx\/news\/2021\/as-cyberattacks-skyroc.jpg\" data-sub-html=\"When assessing whether the Government of Canada meets standards for vulnerability disclosure in comparison to G20 members, we discovered that Canada is falling behind its peers. Credit: Cybersecure Policy Exchange, Ryerson University, Author provided\">\n<figure class=\"article-img\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/scx1.b-cdn.net\/csz\/news\/800a\/2021\/as-cyberattacks-skyroc.jpg\" alt=\"As cyberattacks skyrocket, Canada needs to work with \u2014 and not hinder \u2014 cybersecurity experts\" title=\"When assessing whether the Government of Canada meets standards for vulnerability disclosure in comparison to G20 members, we discovered that Canada is falling behind its peers. 
Credit: Cybersecure Policy Exchange, Ryerson University, Author provided\" width=\"800\" height=\"432\"\/><figcaption class=\"text-darken text-low-up text-truncate-js text-truncate mt-3\">\n                When assessing whether the Government of Canada meets standards for vulnerability disclosure in comparison to G20 members, we discovered that Canada is falling behind its peers. Credit: Cybersecure Policy Exchange, Ryerson University, Author provided<br \/>\n            <\/figcaption><\/figure>\n<\/div>\n<\/div>\n<p>Cyberattacks are on the rise, impacting people, systems, infrastructures and governments with potentially devastating and far-reaching effects. Most recently, these include the massive REvil ransomware attack and the discovery that the Pegasus spyware was tracking more than 1,000 people.<\/p>\n<p>                                                                                A common cause of cyberattacks involves the exploitation of security vulnerabilities. These are <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?assetid=503330\">conditions or behaviours<\/a> that can enable the breach, misuse and manipulation of data. Examples can include poorly written computer code or something as simple as failing to install a security patch.<\/p>\n<p><b>Exploiting vulnerabilities<\/b><\/p>\n<p>There can be particularly significant impacts when attackers exploit security vulnerabilities involving digital systems used by federal governments. 
<\/p>\n<p>For example, in July 2015, the United States Office of Personnel Management announced that malicious hackers had exfiltrated highly sensitive personal information and fingerprints of roughly <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.opm.gov\/news\/releases\/2015\/07\/opm-announces-steps-to-protect-federal-workers-and-others-from-cyber-threats\/\">21.5 million federal workers and their associates<\/a>, due to a string of poor security practices and system vulnerabilities.<\/p>\n<p>The massive data breach served as a wake-up call for the U.S. federal government. Barack Obama&#8217;s administration consequently announced the Department of Defense would be <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.washingtonpost.com\/news\/federal-eye\/wp\/2016\/01\/22\/pentagon-to-take-over-control-of-background-investigation-information\/\">responsible for storing federal employee data<\/a>. <\/p>\n<p>Not long after that, the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/dod.defense.gov\/Portals\/1\/Documents\/Fact_Sheet_Hack_the_Pentagon.pdf\">&#8220;Hack the Pentagon&#8221; pilot program was announced<\/a>, where the U.S. government invited external experts to responsibly report security flaws.<\/p>\n<p>This pilot paved the way for what has become a standard security practice used by the U.S. government. 
Since 2020, all American federal agencies have been required to enable the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/cyber.dhs.gov\/bod\/20-01\/\">disclosure of security vulnerabilities<\/a>.<\/p>\n<figure class=\"mb-4\" itemscope=\"\" itemtype=\"http:\/\/schema.org\/VideoObject\"><meta itemprop=\"name\" content=\"As cyberattacks skyrocket, Canada needs to work with \u2014 and not hinder \u2014 cybersecurity experts\"\/><meta itemprop=\"url\" content=\"https:\/\/www.youtube.com\/watch\/?v=jmkM3Dwiwo8\"\/><meta itemprop=\"description\" content=\"In 2016, the Pentagon announced a program to help them identify security vulnerabilities.\"\/><meta itemprop=\"uploadDate\" content=\"2021-07-28T09:05:21-04:00\"\/><meta itemprop=\"embedUrl\" content=\"https:\/\/www.youtube.com\/embed\/jmkM3Dwiwo8\"\/><meta itemprop=\"thumbnailUrl\" content=\"https:\/\/img.youtube.com\/vi\/jmkM3Dwiwo8\/maxresdefault.jpg\"\/><br \/>\n             <iframe loading=\"lazy\" title=\"Hack the Pentagon: Alex Rice of HackerOne | History NOW\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/jmkM3Dwiwo8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><figcaption class=\"text-darken text-low-up mt-4\" itemprop=\"caption\">In 2016, the Pentagon announced a program to help them identify security vulnerabilities.<\/figcaption><\/figure>\n<p><b>Canada lagging behind<\/b><\/p>\n<p>By comparison, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.cybersecurepolicy.ca\/vulnerability-disclosure\">our recent report<\/a> found that the government of Canada is lagging behind countries like the U.S. 
by failing to welcome vulnerability reports from external experts.<\/p>\n<p>We haven&#8217;t had an attack the size of the Office of Personnel Management breach in the U.S., but we aren&#8217;t immune either. <\/p>\n<p>Consider the Equifax breach in 2017, when 19,000 Canadians were affected when attackers <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.priv.gc.ca\/en\/opc-actions-and-decisions\/investigations\/investigations-into-businesses\/2019\/pipeda-2019-001\/\">exploited a security vulnerability<\/a> in an online customer portal. <\/p>\n<p>In August 2020, the Canada Revenue Agency <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.cbc.ca\/news\/politics\/canada-revenue-agency-cra-cyberattack-1.5688163\">locked more than 5,000 user accounts<\/a> due to cyberattacks partially enabled by the agency&#8217;s lack of two-factor authentication.<\/p>\n<p>Our report, published through the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"http:\/\/cybersecurepolicy.ca\/\">Cybersecure Policy Exchange<\/a> at Ryerson University, is the first publicly available research that examines how Canada treats the reporting of security flaws in comparison to other countries. <\/p>\n<p>We discovered that while 60 percent of G20 members have distinct and clear processes for reporting security vulnerabilities in public infrastructure, Canada does not.<\/p>\n<p>Cybersecurity experts can disclose &#8220;cyber incidents&#8221; to the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/cyber.gc.ca\/en\/\">Canadian Centre for Cyber Security<\/a>. But this term is <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/cyber.gc.ca\/en\/glossary\">defined so narrowly<\/a> that it excludes vulnerabilities that have not yet been weaponized. 
<\/p>\n<div class=\"article-gallery lightGallery\">\n<div data-thumb=\"https:\/\/scx1.b-cdn.net\/csz\/news\/tmb\/2021\/as-cyberattacks-skyroc-1.jpg\" data-src=\"https:\/\/scx2.b-cdn.net\/gfx\/news\/2021\/as-cyberattacks-skyroc-1.jpg\" data-sub-html=\"Some of the legal risks in Canada for discovering and disclosing security vulnerabilities found in software and hardware. Credit: Cybersecure Policy Exchange, Ryerson University\">\n<figure class=\"article-img text-center\"><img decoding=\"async\" src=\"https:\/\/scx1.b-cdn.net\/csz\/news\/800a\/2021\/as-cyberattacks-skyroc-1.jpg\" alt=\"As cyberattacks skyrocket, Canada needs to work with \u2014 and not hinder \u2014 cybersecurity experts\"\/><figcaption class=\"text-left text-darken text-truncate text-low-up mt-3\">\n                Some of the legal risks in Canada for discovering and disclosing security vulnerabilities found in software and hardware. Credit: Cybersecure Policy Exchange, Ryerson University<br \/>\n            <\/figcaption><\/figure>\n<\/div>\n<\/div>\n<p>And while the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ncsc.gov.uk\/information\/vulnerability-reporting\">United Kingdom<\/a> and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/coordinated-vulnerability-disclosure-process\">the U.S.<\/a> governments have promised to make efforts to fix security flaws that are reported, the Canadian Centre for Cyber Security has made no such promise. <\/p>\n<p>By not supporting and protecting security researchers in identifying vulnerabilities, these gaps ultimately put Canada and Canadians at greater risk.<\/p>\n<p><b>Vulnerable systems, vulnerable people<\/b><\/p>\n<p>Cybersecurity experts can face significant legal risks when they report security flaws to the Canadian government. 
Computer hacking is prohibited by the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/hillnotes.ca\/2016\/03\/10\/computer-privacy-and-security-lawful-and-unlawful-access\/\">Criminal Code<\/a>, and in certain circumstances by laws like the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/iclg.com\/practice-areas\/cybersecurity-laws-and-regulations\/canada\">Copyright Act<\/a>. <\/p>\n<p>But unlike in <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/english.ncsc.nl\/publications\/publications\/2019\/juni\/01\/coordinated-vulnerability-disclosure-the-guideline\">the Netherlands<\/a> and the U.S., there is no legal framework here for reporting security vulnerabilities in good faith. <\/p>\n<p>Canada&#8217;s current approach has a chilling effect on the disclosure of security weaknesses found not only in government systems, but also in all software and hardware.<\/p>\n<p>This approach largely leaves cybersecurity researchers in the dark about whether\u2014and how\u2014they should notify the government when they spot security flaws that could be exploited. <\/p>\n<p>A cybersecure Canada requires working with experts who identify the security risks faced by our institutions and infrastructure.<\/p>\n<div class=\"article-gallery lightGallery\">\n<div data-thumb=\"https:\/\/scx1.b-cdn.net\/csz\/news\/tmb\/2021\/as-cyberattacks-skyroc-2.jpg\" data-src=\"https:\/\/scx2.b-cdn.net\/gfx\/news\/2021\/as-cyberattacks-skyroc-2.jpg\" data-sub-html=\"The phases of vulnerability disclosure: discovery, reporting, validation and triage, developing a solution, applying that solution, and informing the public. 
Credit: Cybersecure Policy Exchange, Ryerson University\">\n<figure class=\"article-img text-center\"><img decoding=\"async\" src=\"https:\/\/scx1.b-cdn.net\/csz\/news\/800a\/2021\/as-cyberattacks-skyroc-2.jpg\" alt=\"As cyberattacks skyrocket, Canada needs to work with \u2014 and not hinder \u2014 cybersecurity experts\"\/><figcaption class=\"text-left text-darken text-truncate text-low-up mt-3\">\n                The phases of vulnerability disclosure: discovery, reporting, validation and triage, developing a solution, applying that solution, and informing the public. Credit: Cybersecure Policy Exchange, Ryerson University<br \/>\n            <\/figcaption><\/figure>\n<\/div>\n<\/div>\n<p>It&#8217;s not too late for the federal government to institute a process allowing experts to report security flaws, and to draw on best practices while doing so. <\/p>\n<p>Our work <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.cybersecurepolicy.ca\/vulnerability-disclosure\">outlines the importance<\/a> of defining who can submit vulnerability reports, and describes what the reporting and fixing process can look like. It&#8217;s important to credit or recognize the experts who disclosed. The public should be given information about vulnerabilities and the solutions required to fix them.<\/p>\n<p><b>Imperative improvements<\/b><\/p>\n<p>Cybersecurity experts are &#8220;<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.oecd-ilibrary.org\/science-and-technology\/encouraging-vulnerability-treatment_0e2615ba-en\">a significant but underappreciated resource<\/a>&#8221; when it comes to reducing security risks of government systems. They want to help. <\/p>\n<p>The Canadian government needs to implement clearer processes and policies to foster co-operation with cybersecurity experts working in the public interest. 
<\/p>\n<p>As cyberattacks grow in frequency, scale and sophistication, better cybersecurity practices in Canada are not just desirable\u2014they are imperative.<\/p>\n<hr class=\"mb-4\"\/>\n<div class=\"d-inline-block text-medium my-4\">Provided by The Conversation<\/div>\n<p class=\"article-main__note mt-4\">This article is republished from <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\">The Conversation<\/a> under a Creative Commons license. 
Read the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/as-cyberattacks-skyrocket-canada-needs-to-work-with-and-not-hinder-cybersecurity-experts-164999\">original article<\/a>.<\/p>\n<div class=\"d-none d-print-block\">\n<p><strong>Citation<\/strong>:<br \/>\nAs cyberattacks skyrocket, Canada needs to work with\u2014and not hinder\u2014cybersecurity experts (2021, July 28)<br \/>\nretrieved 29 July 2021<br \/>\nfrom https:\/\/techxplore.com\/news\/2021-07-cyberattacks-skyrocket-canada-withand-hindercybersecurity.html<\/p>\n<p>This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.<\/p><\/div>\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techxplore.com\/news\/2021-07-cyberattacks-skyrocket-canada-withand-hindercybersecurity.html\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#As cyberattacks skyrocket, Canada needs to work with\u2014and not hinder\u2014cybersecurity experts&#8221; When assessing whether the Government of Canada meets standards for vulnerability disclosure in comparison to G20 members, we discovered that Canada is falling behind its peers. 
Credit: Cybersecure Policy Exchange, Ryerson University, Author provided Cyberattacks are on the rise, impacting people, systems, infrastructures and&#8230;<\/p>\n","protected":false},"author":1,"featured_media":310853,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/scx2.b-cdn.net\/gfx\/news\/2021\/as-cyberattacks-skyroc.jpg","fifu_image_alt":"","footnotes":""},"categories":[16],"tags":[],"class_list":["post-310852","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sciencee"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/310852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=310852"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/310852\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/310853"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=310852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=310852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=310852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}