New security ratings platform selected by Canadian government - misses the mark but may provide some direction
The Canadian Centre for Cyber Security recently announced that they are adopting SecurityScorecard’s security ratings platform. As per Howard Solomon’s IT World Canada article, under “the arrangement with the company, the scoring will help the Cyber Centre educate critical infrastructure owner-operators on the risks facing their organizations, assisting them in remediating and measuring cybersecurity risks”.
But recent discussions in the Canadian Cybersecurity Network LinkedIn group, Canada’s largest technology group, identify the concerns of cybersecurity professionals from across the country.
Members raised significant concerns with the government’s decision. Why did Canada decide to purchase a solution from yet another foreign company? Instead of looking internally and leveraging a Canadian solution, and potentially building future intellectual property, Canada has yet again shown that it truly is not invested in, nor interested in, developing and showcasing Canadian technology. What is their rationale?
Where will the data reside? What about data privacy, and how will that data be used by SecurityScorecard moving forward as it collates data from Canadian and other companies? Does this create a potential unfair competitive disadvantage for Canadian companies? As we know, data and IP are the new business currencies, helping to create massive economies of scale.
There was also much discussion about how the scorecard will be used. Will there be repercussions for a low grade? What will the follow-up be, and will it be backed by laws and regulations with teeth?
A senior government official stated in the group that “at the Cyber Centre, we have a broad set of capabilities and are always looking for new ideas and tools to add to our toolset. Access to this rating platform is meant to complement what we have, help us look at sectors, appreciate the overall risk landscape and focus our advice and guidance in areas that need particular attention. We don't intend on publishing the individual scorecards or calling out the letter grades assigned by the platform to companies”.
But many members remained very skeptical, as there was a clear feeling that there will be misrepresentation of data, a lack of standardization across sectors (apples vs. oranges), subjectivity in assessments, data quality issues and more. Many also wanted to know whether this rating will become part of standards that already exist or simply be used separately.
Many pointed to the use of letter-grade systems in other industries, such as restaurants and hotels, but the complexity of cybersecurity is not comparable to these service-oriented industries. Cybersecurity is changing at a truly astonishing rate, driven by AI, quantum computing, the rise of cyber operations as a tool of war, and the amassing of capital by global threat rings organized like corporations.
Moving the security yardsticks is critical, so the new approach has some appeal, but the real challenge is putting in place a process where this relatively simple “letter grade” ties into a procedural and policy system that allows Canada and the population it serves to better understand the risks, challenges, and opportunities it brings. More glaring to many of our members is the selection, yet again, of a non-Canadian company to manage activities that are increasingly tied to national security and productivity.