Louis Vachon is chief executive officer of National Bank of Canada.
Business finds itself on the front lines of global conflict these days like never before. Consider the high-tech assault on Turkey's banking system, which disrupted credit card transactions and online services last December in the midst of tensions with Russia. Or the computer systems breach at the Warsaw Stock Exchange in October, 2014, claimed by Islamic State. When there is geopolitical tension – it does not have to be a declared conflict – cyberattacks by state or state-sponsored organizations are now inevitable.
These attacks have two main purposes. The first is to inflict immediate damage, by disrupting services and stealing information. The second, more pernicious, is to intimidate. And enterprises are not the only targets. There have been countless intrusions into the systems of government defence organizations and other departments in Europe and the United States in recent years.
Canadian businesses generally take this threat seriously and are investing significant resources to safeguard the integrity of their data. However, should we come under attack from foreign states, we expect our own government to have some role in protecting us against such attacks. It is imperative that Canada step up its game.
Prime Minister Justin Trudeau's government has stated its intention to conduct an in-depth review of Canada's defence strategy by the end of 2016. In light of the growing number of geopolitically motivated cyberattacks around the world, this important policy exercise must include cybersecurity as an integral component of defence strategy.
Canada needs a clear cybersecurity strategy. And it has to be accompanied by adequate funding to achieve our national objectives. The strategy must provide for strong co-ordination between Canadian government and business – there has been significant progress on this front – and an effective structure for marshalling the efforts of government agencies. Taking a cue from many countries, including non-militaristic ones such as Denmark and the Netherlands, we must not only harden our defences for better protection but also build an offensive capability that gives our government the ability to deter potential intruders. We also need to work closely with allies and, if appropriate, create new cyberalliances, an area in which Canada can take a leadership role.
We must not use scarce defence resources to spy on allies or target our own citizens. A robust control and governance structure is needed to ensure that efforts are focused, money is well spent and citizens' privacy rights are respected.
The best cybersecurity strategy will protect Canadian interests only if supported by adequate means for execution, and this is admittedly a challenge in the current economic and budget environment. The defence review must, therefore, look at the allocation of funds between traditional defence systems and new threats. For example, hard questions need to be asked about whether the maintenance of a submarine fleet is still a judicious use of funds. The government should also assess the role that military reserve units can play in cybersecurity by attracting cybertalent, a category of recruit that may not be considered an appropriate fit under traditional military organizational culture.
The bottom line is that cybersecurity must be a strategic priority for Canada and we have to build the necessary capability to repel and deter cyberattacks. For this reason, the defence policy review is also the right forum to debate a related fundamental question: Who will be responsible for overall cybersecurity strategy at the government level going forward – Public Safety Canada or the Department of National Defence?
Historically, our geographic location has been a blessing, helping to keep Canada out of harm's way. But this natural barrier cannot keep us safe in a digital world. Our defence strategy for the 21st century must absolutely take this stark reality into account.