The proponents behind a new east-end Ottawa cyber security centre want to turn the nation’s capital into an exporter of technical tools with which to fight online criminals.
By Jacob Serebrin.
The Virtual Environment for Networks of Ubiquitous Security – or VENUS – Cybersecurity Corp. is a public-private partnership operating out of the old Cumberland Town Hall that’s expected to employ 25 people when it opens in the first quarter of 2014.
Canada currently imports many of the cyber security systems used to protect computers and networks across the country, according to Tony Bailetti, the organization’s acting executive director and a business and computer engineering professor at Carleton University.
“We’re paying a lot of money to outsiders that have know-how.”
That’s something he hopes VENUS will change.
The organization’s business model focuses on performing research and development for large companies.
The idea, he said, is to help a company solve its own cyber security needs and then export that solution to similar companies worldwide.
For instance, he said VENUS could work with a hydro company, helping it to develop security systems to protect its infrastructure. The resulting solution could then be commercialized.
The private sector is expected to drive the initiative – once VENUS is up and running, Mr. Bailetti said he plans to step away and focus on his work at the university.
“Carleton took a leadership role to create VENUS,” he said, but “I don’t want the university to lead it.”
VENUS’s academic pedigree, its support from the private sector and all three levels of government mean it will be particularly well-positioned to do this high-tech research.
“The infrastructure for testing is small in Canada,” he said, noting that this is an opportunity that isn’t often presented to educational organizations. “Universities don’t have the money to invest in world-class testbeds.”
Selling internationally will be a major focus for the companies emerging from VENUS, Mr. Bailetti said. “The companies coming out of the incubators have to be able to sell globally on day one,” he said.
It’s not just about business though. VENUS – which is supported by the National Research Council and the government’s electronic spy agency, the Communications Security Establishment Canada – will also do R&D for the federal government.
“People in government have been looking at their requirements,” said Mr. Bailetti. “The R&D program is going to be driven by real needs.”
Members of Ottawa’s online security industry are cautiously optimistic about the new initiative.
“This is what we need, the marriage of public and private sectors,” said Keith Murphy, the CEO of local information security company Defence Intelligence.
While Mr. Murphy acknowledged VENUS has assembled a strong team of supporters, he noted there could be concerns over CSEC’s involvement. The agency has faced controversy due to its close association with the National Security Agency in the United States and recent media reports that CSEC ventured outside its mandate by spying on Canadians.
Working with CSEC is unavoidable, Mr. Bailetti said, noting the large role the agency plays in protecting the federal government’s digital infrastructure. He also stressed that “VENUS is fiercely independent.”
Meanwhile, like VENUS, Defence Intelligence is also looking internationally. Mr. Murphy said 80 per cent of his business now comes from the U.S.
The company was founded in 2008 and traditionally focused on selling to the federal government. But recently, that’s become a challenge.
“A sales cycle of 12 months is too long for a small company that needs cash flow,” he said. Furthermore, Public Works’s ongoing efforts to consolidate the bureaucracy’s network infrastructure mean selling to government has gone from difficult to almost impossible for his team of fewer than 25 people. Because cyber security firms now need to be able to service the whole government, “there’s only so many companies that can bid on it.”
Phirelight, another local IT security company, is also increasing its sales focus on the private sector.
While the federal government has been the company’s largest customer to date, the company has been increasing its work in the private sector over the past year with a particular focus on Toronto, said Robert Koblovsky, Phirelight’s vice-president of sales and marketing.
Keeping up with the increasing sophistication of hackers also remains a challenge.
“We’ve seen a real evolution of cyber threats,” said Mr. Koblovsky. “The days when firewalls and (virtual private networks) would protect you are gone.”
Unfortunately, he continued, many organizations have a lackadaisical approach to digital security – thinking, for example, that their current systems are “good enough” – which is compounded by a reluctance on the part of senior managers to spend money on cyber security.
“Until CEOs or senior people are held responsible, there’s little incentive,” he said, adding that he thinks cyber security should be seen as part of good corporate governance and as protection against risk.
Mr. Murphy said he’s seen the same thing.
“It’s hard to pry money out of executive leadership because it’s not sexy,” he said. “There’s more risks but not more spending.”
Sidebar: Cyber security primer
Who are the attackers?
According to Defence Intelligence CEO Keith Murphy, many cyber attacks are initiated by organized crime organizations looking to steal money and information.
“It’s a multinational, multibillion-dollar business,” he said. Launching attacks has also become easier, he said, as special skills are no longer required – hacking software can now be downloaded on the Internet.
“If you can work a browser, it’s very easy,” he said.
What are the risks?
It varies from organization to organization, and Phirelight’s Robert Koblovsky warns that the increasing use of mobile technology – especially personal devices that employees bring from home – has “a whole host of challenges” when it comes to security.
It “opens new threat vectors,” he said. It’s not just a question of internal security, he noted. With the growing use of software-as-a-service, companies have to be aware of how SaaS providers are protecting themselves.
“If you’re outsourcing, you have to ask what kind of security (these companies) have,” he said. Partners on a supply chain can also open up security holes, according to Mr. Koblovsky, with hackers attacking a company with weaker security and leveraging that breach to launch wider attacks.
Who gets hacked?
Anyone can. Both Mr. Koblovsky and Mr. Murphy mentioned the recent theft of 40 million credit and debit card numbers from retailer Target. High-tech companies aren’t immune to cyber threats, Mr. Murphy said. He points to the recent hacking of social messaging app Snapchat.
“You’d imagine these small mobile companies would be aware,” he said, but a small startup that gets big fast might not have the proper security built in from the beginning. “It’s hard to go back once it’s big and re-engineer.”
What can you do right now?
Not using common passwords is one easy measure. Some hacking programs have lists of the most common passwords that can be used in random attacks, said Mr. Murphy. They “throw it and see what sticks,” he said. He also warns against using the same passwords across multiple websites – if one is compromised, information on other sites could be accessed.