Some big news in the last 24 hours. An entire new minister for cybersecurity!
I can’t wait to see what my colleagues will be saying about this news.
I do see some issues. After all, that is what security professionals do, we look, we find weaknesses and we talk about these weaknesses hoping that someone will listen and take charge.
Overall, this is hopefully great news. Having an entire minister assigned to cyber should change some things.
The current changes target only government entities, and the depth still needs some work.
I have two concrete issues following my analysis of the 28 page document.
MUNICIPAL ELECTIONS
Quebec is entering an election period across all municipalities. Historically, elections bring out some unethical people. People that will go door to door making up stories and lies to gather support and votes to push out the other candidates. These ethically and morally challenged individuals only require 5 signatures to get their names on the list for most municipalities across Quebec (for example Cities of less then 10,000) and guess what they all get…. a full list of all registered voteres INCLUDING their full birthdates !
Wait…. did you just read that correctly….. the same issue with data leakage that we blame everyone for is taking place again at the end of 2021 across all cities in the province ! YES !
So in Montreal, an excel spreadsheet of over 1 million names is being shared by various candidates, staff and interns and it holds your full birthdate even though there really is no use or need for it.
I think this should be looked at by a futur minister of cybersecurity
IDENTITY THEFT
The second example is the banking, Equifax and finance sector that remains clearly out of scope since this initiative targets government entities only.
Banks and their senior managers need to be personally liable if they give credit or open an account to the wrong person. Relying on birthdates and social insurance numbers that have literally fallen from the sky over the last few years is ludicrous.
We need a digital ID for all important services and that means banking and finance should be a priority. This is where identify theft strikes the most.
The cyber security industry has proven that we can get the ear of the government, we need to keep pushing. As it stands, this new announcement does not actually change much since most things that impact the citizen is related to identity theft and this is not addressed outside of the government entities covered in the current announcement.
A part of me feels more like this 4 billion dollar investment is more a cleanup of the current disaster that is Information Technology within the government. Regardless, it needs to get done, the government does need to clean their information technology hygiene
Minister Eric Caire, excellent first step, do not stop now.
Related interviews (French):
RADIO CANADA: https://ici.radio-canada.ca/util/postier/suggerer-go.asp?nID=4733866
QUB RADIO: https://www.qub.ca/radio/balado/genevieve-pettersen?track=1059632448
_______________________________________________
Eric Parent is a senior security expert, specialized in coaching senior executives. He occasionally teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.
Follow Eric on:
Twitter @ericparent
LinkedIn : EVA-Technologies