Jad Saliba is a former constable with Waterloo Regional Police Service. Neil Desai served in senior roles with the federal government. They now serve as executives with Canadian cyber-investigation firm Magnet Forensics.
Public Safety Minister Marco Mendicino recently tabled legislation that would mandate that businesses in four federally-regulated industries report cyberbreaches. It makes sense for the government to try to tackle this growing global challenge given that it’s estimated that an attack occurs ever 11 seconds and the cost of cybercrime to the global economy will top US$10.5 trillion annually by 2025.
However, without wider applicability and a thoughtful implementation strategy that includes training and technology solutions for police agencies, the legislation may do little to actually protect Canadians, especially the most vulnerable among us.
Policing has gone through a challenging number of years. This has limited police leaders’ ability to prepare their agencies for the tectonic public safety shifts. Chief among those has been the global proliferation of cybercrime. Beyond the cost and frequency of incidents, there have been catastrophic attacks that have put the health and safety of Canadians at risk.
In 2021, Newfoundland’s health care system was hit with ransomware that delayed important cancer screenings and other procedures. A police service in Northern Ontario also had to contend with a bout of ransomware, taking attention away from community safety priorities.
At present, national police agencies with the capabilities, talent and connections to other agencies to allow them to investigate complex, multinational cybercrime have to prioritize the limited number of cases they take on given the volume and complexity of such crimes. Many do so by setting a dollar threshold, often in the millions of dollars.
While this approach is understandable, it calls in to question the equality of victims. For example, $2,000 extorted online from a senior citizen or $12,000 from a small business may be more material to their wellbeing than $2-million to a bank.
The natural tendency would be to have municipal agencies respond to lower-threshold cybercrimes. However, most struggle to keep pace with the volume of cyber-enabled crimes, such as child sexual exploitation, in their communities.
The greatest barrier to addressing this challenge is the dearth of talented professionals available. Beyond the technical skills and certifications required, there is a global cybersecurity talent shortage. It has been estimated that there were 3.5 million unfilled cyber jobs worldwide in 2021. This leaves police in a precarious position even when they have funding for such technical roles.
If the talent crunch and the sheer volume of attacks wasn’t enough of a challenge for police agencies investigating cybercrime, there is the rapidly evolving nature of the crimes and the elusive, multinational nature of the perpetrators.
Under these circumstances, it’s understandable that political pressure is mounting. Last year, four federal cabinet ministers wrote an open letter to Canadians on ransomware. Among their messages, they wanted to see more police collaboration to pursue criminals. Around the same time, an RCMP memo to Commissioner Brenda Lucki sounded the alarm on the force’s limited capacity to address the growing cybercrime challenge in Canada.
Our police services are woefully under-resourced to address this challenge, which will be magnified by the increasing requirement to report cybercrime. Failing to tackle it in a meaningful way will create a new nexus for the erosion of the public’s trust in policing.
The most vulnerable citizens and businesses who cannot afford expensive cybersecurity solutions to protect themselves or incident response services to mitigate a breach should be able to rely on police services.
However, officers today have limited tools available to address the majority of cybercrimes, beyond directing victims to a reporting portal or generating a report and referring the matter to a provincial police service or the RCMP.
While these reports may assist in understanding broad cybercrime statistics, they will likely be of little investigative value. To truly understand the nature of a breach, officers need tools and training to capture intelligence and centralized platforms managed by national and international cyber-investigation teams.
Government has an important role beyond funding the development of such solutions and the broad-based training of officers. It also has an opportunity to create the enabling public policy and governance to ensure standardized evidence, intelligence and statistics are gathered and lawfully leveraged.
Ultimately, there isn’t a silver bullet available to address the cybercrime challenge. Individual police agencies can’t tackle this challenge alone. Greater success in cyber-investigations will require better intelligence enabled by co-ordination across agencies and underpinned by purpose-driven policy, governance and technology development.
Conversely, a failure to act in thoughtful manner could result in a generational erosion of the public’s trust in policing.
Keep your Opinions sharp and informed. Get the Opinion newsletter. Sign up today.