Battling the Cyber Threat


According to Interpol, the world's largest police organization, cybercrime is one of the fastest growing areas of crime. Attacks against computer data and systems, identity theft, intellectual property theft, child pornography, and the perpetration of online financial fraud are just a handful of the ways cybercrime is committed each day, at a global estimated cost of between $70 and $400 billion a year according to new data recently released by the Centre for Strategic & International Studies.

Indeed, the issue of cyber risk has risen to the top of the political agenda of world leaders. President Obama recently declared the cyber threat "one of the most serious economic and national security challenges" the US faces as a nation, directing the US Federal Government to conduct a top-to-bottom review of its information and communications infrastructure.

"We are dealing with both an immense and highly complex issue that is quite literally mushrooming out of control," says Doug Blakey, CEO and founder of Waterloo Security, a Waterloo-based company focused on helping organizations manage cyber risk through a combination of training, technology and insurance. "In the Internet of Things, everything is connected. There is a proliferation of technology in our society. From the smart phones in our hands, to the computers on our desktops, to wireless access in coffee shops, and even embedded microprocessors in our home appliances, vehicles and the industrial process control systems supporting our public infrastructure, we are increasingly technology reliant and at the same time, facing an increased risk of exposure. As a society we bring awareness to the issue of cyber risk, and work collectively to develop solutions that mitigate risk today, and ideally, prevent risk in the future."

Blakey recently returned from Washington DC, where he attended an invitation-only, two-day conference on cybersecurity attended by representatives from the White House, the US Military and US Navy. "The message I took home from this summit was that we needed to start yesterday in finding answers to this challenge," says Blakey. "We are facing a real shortage of individuals trained to address the problem of cyber threat. Starting now, all new military and naval recruits in the US will receive cyber training. Cyber is considered to be the new theatre of war."

Blakey returned home from his DC trip convinced there was a role he could play in raising awareness around cyber risk. He began reaching out to counterparts in the Waterloo Region tech start-up space, and to other business colleagues, with the idea of forming a centre of cyber excellence and expertise based in Waterloo Region where representatives from business, academia, and government could come together to exchange knowledge, advocate awareness, and ideally, collaborate on finding new answers to the complex problems cyber presents to society.

Support was quick to come. Only months after its formation, the C3RM boasts an impressive roster of founding members including cyber and security experts from Affiliated Brokers Exchange (ABEX), Automated Tooling Systems, Crawford and Company Insurance, eSentire, Ernst & Young, Miller Thomson LLP, Waterloo Security (WatSec) and the University of Waterloo. The fledgling organization has also caught the eye of Ontario's Privacy Commissioner, researchers from the University of British Columbia, and the Canadian Embassy in Washington.

"We are extremely excited to be involved with a consortium of players representing various subsectors — each with expertise in the field of cyber," says Professor Vic DiCiccio, of the University of Waterloo's Cheriton School of Computer Science. "I can see C3RM being an instructive and exciting microcosm that has the potential to expand far beyond this region."

Professor DiCiccio lists numerous compelling reasons for the University to join C3RM as a founding member. "C3RM's mission to elevate awareness around cyber risk plays directly into our research strengths at the University of Waterloo. We have a long history and an extensive research track record in cryptography (which relies on the mathematics of functions not easily reversed), a discipline that directly relates to security. We are internationally recognized for our work in elliptical curve cryptography (ECC), a public key encryption algorithm widely used in mobile applications such as the BlackBerry. We are also actively conducting research on privacy-enhancing technologies to protect anonymity and overcome censorship, and researching algorithms for location-based systems that provide utility without sacrificing individual privacy."

DiCiccio goes on to explain that C3RM's connection to UW is further cemented due to the University's renowned work in the field of actuarial science. "As people seek to be insured against cyber risk, we can easily anticipate our research expanding to look at methods for evaluating, assessing and mitigating this form of risk to business and to individuals," he says.

The C3RM initiative has also won early support from Ontario's Information and Privacy Commissioner, who sees a direct tie into the principles of Privacy by Design, an initiative being advanced by her office to proactively embed privacy into the design specifications of information technologies, organizational practices and networked systems.

"When planning and implementing organizational cybersecurity, it is critical that you avoid false trade-offs, such as the dated zero-sum view that privacy must be sacrificed for security. Such thinking is inherently flawed," says Dr. Ann Cavoukian, Information & Privacy Commissioner of Ontario. "Security and privacy can easily co-exist to deliver a positive-sum, a win-win solution. This is one of the key principles of Privacy by Design, the international standard for privacy protection. C3RM recognizes this standard and clearly understands the importance of respecting an individual's right to privacy in the design of cybersecurity. It is truly gratifying to see this organization develop into a Canadian thought leader and vital resource."

Doug Blakey has broad ambitions for C3RM. "We are still in the early days of our formation, but interest in what we are doing is growing rapidly. There is much we can do in terms of educating our citizens about cyber risks, and there's significant potential for our members to collaborate in developing solutions." For instance, Blakey hopes the consortium will take a leadership role in providing guidance to software and hardware engineers on "Privacy by Design", where system design and requirements address security and privacy up front rather than as an afterthought. Blakey also hopes that one day C3RM will become an independent certifying body for organizations developing policies and good governance around cybersecurity, working with like-minded organizations such as the Information Systems Audit and Control Association (ISACA). "Unfortunately, data privacy and protecting intellectual property is simply not top of mind for most organizations today, which leaves organizations and individuals very vulnerable. People need to understand security is a governance and risk management issue, not an IT problem," says Blakey. "We're looking forward to changing that viewpoint."