While 60 per cent of G20 member countries give external security researchers a clear process to disclose vulnerabilities in government systems, Canada lacks a legal or policy framework for it, according to a Cybersecure Policy Exchange report. (The Logic)
Talking point: Researchers acting in good faith could be liable under the Criminal Code and the Copyright Act, the report reads. That policy gap could mean people fail to disclose security flaws or do so publicly before they’re remedied. It could enable attackers to “jeopardize the security of Canada’s computer systems and the people that they serve.” The report recommends Canada create a policy framework based on best practices, and keep the information from external actors separate from what the government’s defensive and offensive intelligence efforts discover. The report comes after several high-profile cyber attacks on critical companies and warnings over the outsized threat to Canada’s energy and utilities sector, as well as from China and Russia.