Kitchener-Waterloo

Federal cybersecurity bill may be 'Band-Aid on a bigger problem,' Waterloo, Ont., expert says

The federal government introduced a cyber security bill that would make it mandatory for businesses to report cyber attacks. A cyber security expert in Waterloo, Ont., has concerns about it, though.

Waterloo cybersecurity expert points to EU, which fines companies that don't protect user data

Eldon Sprickerhoff, the chief innovation officer and founder of eSentire, says if the new federal bill would improve end-user data security, he's 'cautiously in favour of it.' (Kacper Pempel/Reuters)

A new federal bill would make it mandatory for businesses to report cyberattacks.

Eldon Sprickerhoff, the chief innovation officer and founder of eSentire, a Waterloo, Ont.-based provider of cybersecurity, thinks the proposed bill might be a Band-Aid on a bigger problem.

"If this proposed bill helps to improve the rigour of end-user data security, I am cautiously in favour of it, though the devil is in the details," Sprickerhoff said.

"I have broad concerns about the reporting process — to whom are you reporting this information, do we have some privacy regarding with whom the data is shared, where this data is stored."

Public Safety Minister Marco Mendicino said the Liberals' legislation would take additional steps to protect Canada's telecommunications, finance, energy and transport sectors.

After the government banned Huawei and ZTE from Canada's 5G network last month, it signaled new legislation would be coming to safeguard critical infrastructure.

Attacks on companies, universities, municipalities and even hospitals by cybercriminals who hold data hostage in return for a ransom have become alarmingly common. Some targeted organizations have preferred to pay the fee demanded to try to make the problem go away quietly. 

In 2019, after a cyberattack on his city, Stratford, Ont., Mayor Dan Mathieson called for a national strategy.

Federal framework needed

Sprickerhoff thinks Canada should implement a federal framework on reporting incidents regarding data loss similar to the European Union's General Data Protection Regulation (GDPR). 

Companies in the EU have to follow "a set of standards and requirements if they collect or process data from users in the European Union," he said.

The regulation is designed to protect the privacy and data security of all EU residents. Companies that don't comply face heavy penalties.

He noted eSentire protects the critical data of 1,200 customers in more than 75 countries. 

What do you do when you're hacked?

When Woodstock, Ont., was targeted by ransomware in 2019, they decided not to pay.

David Creery, the chief administrative officer for the city, says they spent over $600,000 to rebuild their system and try to find out how the virus entered their computers. The OPP's cyber crimes unit was notified but was limited in what it could do.

Since then, the city has made significant investments in both hardware and software and in training staff.

"You need to regularly provide training to your staff and users of your network on cybersecurity issues," Creery said.

"You have to keep cybersecurity in the top of their mind and provide them with ongoing training just so that they know they should maybe look at something a little more closely before they click that link."

The cyberattack in 2019 blocked access to email and most of the files involved in the operation of the municipal government for up to eight weeks.

Since then, Creery says, the city has not experienced an attack on its network, though he thinks Woodstock and a number of municipal networks experience attacks on a daily basis but just don't know it.

"It's the reality of the IT world that we live in now that we are all constantly under attack," Creery said.

"I can fairly confidently say to you that they are trying to get into our network with password crackers beating at the firewalls. And that's not unique to us, that's a message that all municipal councillors, all hospital administrators, all boards need to hear that cybersecurity is a very important thing to be taken seriously."

The federal government introduced a new cyber security bill this week that makes it mandatory for businesses to report cyber attacks. Eldon Sprickerhoff, the Chief Information Officer and founder of Waterloo-based cyber security company eSentire, says the government solution is a Band-Aid on a bigger problem.

ABOUT THE AUTHOR

Joe Pavia

Reporter/Editor

Joe Pavia is a Reporter/Editor with CBC K-W 89.1 FM. He's normally heard weekdays on The Morning Edition but also covers a wide range of news and feature stories for both radio and web. If you have a story idea, email Joe at Joseph.Pavia@cbc.ca. Follow him on Twitter @PaviaJoe1964.
