Ontario BPS cyber expert panel raises alarm

Last autumn, the Ontario government struck an expert panel of cyber advisors. Among other things, it gave the panel a mandate to “assess and identify common and sector-specific cyber security themes and challenges encountered by Broader Public Sector (BPS) agencies and service delivery partners in Ontario.”

The panel got quickly to work, and in late 2020 gathered feedback from panel members and BPS stakeholders to produce an interim report under the name of its Chair, Robert Wong. The interim report is as unsurprising as it is alarming, speaking to wide-ranging maturity levels derived from under-resourcing as well as failures of governance. It includes characterizations of well-understood governance challenges in the university, school board and health care sectors. On universities, for example, the Chair reports:

Even in institutions with relatively strong and mature corporate governance practices, there are still significant challenges to effectively manage cyber security risks that result from competing priorities and inconsistent application of oversight and policies. For example, funding in higher education comes from various sources and is allocated based on various criteria. Some university research groups that have successfully secured grants or private sponsorship dollars often have a sense of entitlement and feel that because it is their money, they get to call the shots and ignore cyber security concerns when they procure technology tools. Why don’t universities impose the same cyber security requirements on their researchers as they do on other faculty and staff?

Notably, the Chair says, “A regional-based shared-services model may be the only viable option for the smaller players to be able to afford and gain access to the limited availability of technical expertise in the marketplace.”

He also makes the following two interim recommendations, one to government and another to BPS entities themselves:

1. That the National Institute of Standards and Technology (NIST) Cybersecurity Framework be endorsed by the Government of Ontario for the Broader Public Sector’s cyber security practices. If an entity has already adopted a cyber security framework other than that of NIST, the expectation is that they map the framework they are using to the NIST framework to ensure alignment and consistency. Understanding that BPS entities vary in size and risk-profile, it is reasonable to expect that the breadth and depth to which the NIST Cybersecurity Framework is implemented will also vary accordingly, following a risk-based approach. To assist small- and medium-sized organizations in adopting and implementing the NIST framework, the Canadian Centre for Cyber Security’s “Baseline Cyber Security Controls for Small and Medium Organizations” is a useful guide that provides the fundamental requirements for an effective cyber security practice that aligns with the NIST framework.

2. That all BPS entities implement a Cyber Security Education and Awareness Training Program. The content of the training materials shall be maintained to ensure currency of information. New employees shall receive the training immediately after joining the company as part of their orientation program, and all existing employees shall receive refresher training on an annual basis, at a minimum. Information Technology and cyber security specialists shall receive regular cyber security technical training to ensure their skills are kept current. Specialized educational materials may be developed that would be appropriate for boards of directors, senior executives and any other key decision-makers. Effective management of cyber security risks requires the efforts and commitment of everyone and cannot simply be delegated to the cyber security professionals. A strong “tone-at-the-top” is a critical success factor to strengthen the cyber security resilience of BPS service delivery partners.

The panel is not a standard setting entity, but the second recommendation does establish something to which BPS entities now ought to strive. Of course, this raises the question of resourcing. Minister Lisa Thompson’s response to the interim report suggests that the government’s assistance will be indirect, via the Cyber Security Centre of Excellence’s learning portal.