Saturday 15 October 2022

Creating A Canadian Cybersecurity Ecosystem

Last week I attended my first conferences in a long time. Someone will have to explain to me why classroom teachers have no access to professional development like this. On Wednesday and Thursday morning I was at SecTor in Toronto, making many new contacts in industry and realizing that the vast majority of companies on the front lines of cyber-defence in Canada are eager to help both the public and public education get a handle on cybersafety and digital hygiene. On Thursday afternoon and Friday I was at the University of Waterloo for their Privacy & Cybersecurity Conference. These were two very different conferences with SecTor clearly focused on industry and sales and Waterloo's CPI on academic research and strategic thinking, but you'd be amazed how well the two fit together. I really wish they'd arrange things so people could do one and then the other instead of overlapping them, but that failure to look after each other symbiotically is emblematic of a larger problem in Canada.


I had a great chat with a colleague at ICTC a few weeks ago where he described his approach as 'serving the ecosystem', which I intend to emulate.  He sees ICTC's role as helping everyone working in Canada's digital skills development space to meet the council's mission, which is to strengthen Canada's digital advantage in an ever more connected and volatile global economy.  This sounds like a big ask but I believe in the goal, and that belief gives me the energy to take on this seemingly insurmountable task.

One of my favourite moments from the Waterloo CPI conference was when one of the audience, after listening to how five universities are connecting to each other, interrupted with a clear and present warning.  He guaranteed that in the next five years Canadians are going to be sitting in the dark after a cyber-attack from a well developed foreign aggressor.  When we're all sitting there in the cold and dark with no electricity, gas or communications, will we think we've done enough?  Intense, right?

Early in the talk that question came up in, the head of TMU's CyberSecure Catalyst was talking about how he headed to Israel to see how they created a world-class cybersecure ecosystem in the most challenging of circumstances.  His takeaway?  The Israeli system is predicated on familiarity, trust and connectivity.  After only a month and a bit observing Canada's approach, it seems we're doing the opposite.  I've stumbled across excellent resources in both government academia and industry, but each one is working from its own funding formula and entirely focused on meeting the targets in that formula.  Even our connectivity is fractured with numerous 'networks' forming independently of each other, all with the idea of uniting us.  It'd be funny if it weren't so absurd.  Here are a few of them:
They're all doing good work, but they're doing it in silos and in many cases repeating material found in other programs.  It's neither efficient nor is it anything like the Israeli approach of centralized trust, familiarity and cooperative development.  I'm not surprised that, after announcing yet another Canadian network that'll cure our cyber-skills shortage (which is so bad that the government says we need to bring in talent to fill the gap), that guy in the audience lost his patience.

"The siloed approach we know doesn't work anymore. We think it should change and this budget didn't give us the warm fuzzies."

Christyn is exactly right, Canada's initial approach of jumpstarting as many programs as it could to try and cover the cybersecurity shortfall doesn't scale well now that cybersafety is a part of everyone's lives from individuals and small businesses all the way along to multi-national corporations and federal governments.  COVID only accelerated our dependence on digital connectivity yet we continue to lag behind in terms of cyber capacity, especially in education.

At the conference, Ontario's Ministry of Economic Development representative kept describing Ontario's many cyber-focused companies and educational organizations as an ecosystem, but a lot of potted plants all sitting in the same area are not an ecosystem, which is exactly Canada's problem.

How Canada is approaching cybersecurity capacity development.

How Israel does it - with trust, interconnectivity and familiarity - no silos, and everyone looking after each other.

Canada needs to work together to create a national focus on cybersecurity skills development starting in elementary school with integrated digital hygiene and cybersafety learning that leads to middle school access to programs like CyberTitan that introduce students to hands on I.T. skills that demystify the subject and open up pathways.  In high school everyone should be learning essential digital skills (which are atrociously poor - more than 80% of successful cyber-attacks are the result of user ignorance) as a mandatory course. Students interested in pursuing cybersecurity should have early access to coop and STEM programs that will set them on the right track for post-secondary - no adult upskilling required.  This is also where we need to address how our high schools genderize pathways, knocking many girls out of these opportunities.

If we can demystify cyber in k-12 we will be able to graduate cyber-safe students who are able to operate in our interconnected digital economy in every pathway.  Digital fluency and access to cyber-opportunities is, of course, also an equity and inclusion issue; these opportunities aren't just for wealthy, urban boys, though they continue to dominate the industry.  Emerging digital careers tend to be more future proof and higher paying, and everyone deserves a crack at them.

Canada is the only major federation and one of few countries in the world without a national education standard, leaving our minors open to wildly differing political influences and support in our schools; there is no such thing as 'Canadian Education'.  Rather than start with central administration, I think Canada should start with a canadian student bill of rights to protect minors from these changeable winds, but I digress.  Canada's fractured approach to education (like its fractured approach to cyber) means that we need to reach a critical mass with government and industry partners in order to break into the siloed world of canadian public education.  But with no central authority to get onside, a win in Ontario does not mean a win in Quebec, or anywhere else in the country.

Canada's patchwork approach to governance along with its challenging geography means we're facing barriers that Israel and other world leaders in cyber have never had to contend with, which is precisely why we need to pool our resources, grow an interconnected ecosystem of pubic and private cyberskills supporters and then take on this seemingly insurmountable task.

Cybersecurity might sound like an esoteric reason for this big of a challenge, but cyber lives at the pointy end of a pyramid of digital infrastructure needs that Canada is still sorely in need of developing.  Focusing on cyber means we're also focusing on equity and inclusion by connecting everyone, including remote northern communities, new Canadians and people who can't afford Canada's monopolistic telecom infrastructure, to the digital economy.  To get to cyber we need to get through device accessibility, network connectivity and digital skills development, which is why it's a worthy strategic goal. 

The trick is going to be getting all these disparate interests to unite in order to tackle Canada's unique and challenging geography and history - otherwise we're all going to be sitting in the cold dark in a few years wondering why we didn't do more when we could have.

***

UPDATE:  News from the frontlines of 21st Century war, which includes cyber:  

"Collaborating, exchanging information, assisting one another — this is the best way to thwart cybercriminals."

"All told, cyber resiliency relies on collaborative efforts from the global community, he said. Addressing the corporate audience, he underscored the importance of investing in and building a cybersecurity system as a strategic method to improve the cyber resilience of the state."


The importance of collaboration in cybersecurity, including in education and user outreach, is more obvious than ever as the Ukraine conflict continues.  One day Canada will be in the crosshairs, will we be ready?  Or will we have dozens of competing interests all producing redundant content?