'Never punish somebody for making a mistake': Canadian cybersecurity head on online dangers
With rising concerns about abuse of our personal data, cyber espionage, and interference in election campaigns, cybersecurity experts have a lot on their plates.
Just ask Scott Jones. He's the head of the new Canadian Centre for Cyber Security, part of the Communications Security Establishment.
The Centre is responsible for cybersecurity on a national level, and as Jones put it, the Centre's "real target is the critical infrastructure sector, and that does include governments, but it includes the infrastructure we rely on in our day-to-day lives."
As part of that focus on our day-to-day lives, they run a program called Get Cybersafe, with practical tips for Canadians.
Jones delivered a keynote address at the 20th anniversary Privacy and Security Conference in Victoria, B.C. earlier this month. The annual event brings together experts in all facets of digital privacy and security, from privacy commissioners to information security experts.
Spark host Nora Young caught up with Scott Jones at the conference to talk about his perspective on the cybersecurity landscape in 2019.
Here is part of their conversation.
This feels like a very intense period for cyber espionage. Are we in some kind of a new era for cyber espionage?
I would say our awareness is higher now. We're talking about online manipulation and mass media, and we're becoming more aware of social media and what its effects are. And so now we're talking about the nation state side of things. Have they changed? Has it increased? Not increased, but certainly we're talking about it more.
Ten years ago, it was the realm of secrecy. Now it's the realm of "let's talk about this and let's start saying what's acceptable, what's not" as we understand more and more about cyber security.
Are there things that are on your mind as we lead up to the next federal election in terms of cybersecurity?
We're certainly part of the advisory group; we've been working with Elections Canada, for example. The election itself is paper-based. It is extremely well-designed from a security perspective—especially from a cybersecurity perspective. We've said quite publicly we don't feel any worry about the actual process of voting.
We are vigilant about doing our part to help people raise awareness. Part of this is actually the conversation media is having about the use of social media, and how it can be used to direct information to us.
From our perspective, we want to help people be more secure and provide advice that anybody can implement to make themselves more secure. That includes Elections Canada, political parties or any citizen who would like to kind of look at this and say, "OK, I can take some simple actions to make myself more secure online."
And yet within that, in cybersecurity, to what extent is the weak link still the human being in the sense that social engineering is a big part of the problem?
That is the number one way, whether you're looking at cybercriminals or even nation states [that] are trying to take advantage of our vulnerabilities.
"Click on this link. You read something really interesting and then fill out your username and password" type of thing. People are going to make mistakes. The first thing I always tell people is never punish somebody for making a mistake. So the first thing is we have to stop victimizing the victims of cybercrime or malicious cyberactivities and say, "How can we make it harder for them to make a mistake?"
I've said publicly that this is my business and it's very possible that I could be duped into clicking, they're just that good. So we need to actually also improve our technical security side. People should be allowed to make a mistake and it not be disastrous for their life. So that's what some of our tips are for. How do you make yourself just a little more secure against cybercriminals?
And the thing is, it's just like in our homes. If your home is better than the one next door, they move on. Same thing with cybercrime. If your level of security is just a little higher than the average around the world, they're going to move on.
One of the concerns that's come up at this conference is about what happens security-wise when we start moving into increasingly an Internet of Things world, and a smart city world, and we're starting to see the digital braided together with the physical. How are you thinking about this as you go forward?
There's many different ways. There's the devices themselves that could be actually turned against the network they're in. So we see things like denial-of-service attacks, that's where you just basically flood a network with enough information that it overwhelms it. It's not a great description, but it's good enough.
How do you secure the data when you're making decisions? Are you making those decisions on the right data? If you're making decisions, for example, on the traffic patterns in a city, you want to know that you're making it on the real traffic patterns and not something that's false or manipulatable.
And so we need to take into account security from the very beginning and by design. Not security by applying some sort of wall around our networks afterwards. It is time for us to start talking about security as one of the base functional requirements, not as an afterthought that we apply later. And that's what I think the key thing for Internet of Things is going to be.
The fact is, though, these devices are cheap, they're becoming more prevalent and we're putting everything online for good or for bad reasons. So one of the things I always tell people is before you put it online, what do you want to get out of it being online? Is it really the right thing to do or is it just a cool feature that you're never going to use? And in some cases, the answer to that is usually yes.
This interview has been edited for length and clarity.