Canadian businesses need better tools to report cybercrime

by Matt Malone. Originally published on Policy Options
October 12, 2021

Theft of trade secrets and confidential commercial information is a critical issue for Canadian businesses – and a critically under-reported one. This is largely because the country’s infrastructure for reporting cybercrimes is insufficient.

To understand why the reporting mechanisms are such a problem, imagine that one day a Canadian company discovers a foreign actor has stolen its trade secrets and confidential commercial information. The act is not just criminal; it also threatens the Canadian company’s future existence. The foreign actor will use this stolen subject matter to compete against it, undercutting millions of dollars of research and development investment. What should the Canadian company do?

The first reaction is probably to contact the police. Unfortunately, this isn’t an easy thing to do. A visit to the RCMP’s website for reporting such a crime, the RCMP’s National Cybercrime Coordination Unit, makes for a depressing and uninspiring one. The website informs users: “[W]e’re in the process of creating a new reporting system. Once fully in place, in 2022, any victim of or witness to a cybercrime or fraud will be able use this system to report the crime online.”

The website continues to say the National Cybercrime Coordination Unit (NC3) itself will only “reach full operating capability in 2023.” Hardly encouraging words for Canadian businesses that are being victimized.

Other law enforcement agencies in Canada are just as ineffectual as the RCMP. The Ontario Provincial Police online crime reporting tool doesn’t even mention cybercrime. The Sûreté du Québec doesn’t enable reporting crime online; it makes parties come in, in person. In British Columbia, for municipalities with their own police forces, most crimes can be reported online only if they involve sums less than $10,000.

Canada’s spy agencies are not doing great in this area either. Canada’s domestic spy agency, the Canadian Security Intelligence Service (CSIS), has often said it is “eager to help businesses protect themselves amid a challenging security landscape.” But it is not clear it has ever actually done so in a concrete way. For example, CSIS has an online tool for reporting tips concerning espionage, foreign interference and cyber-tampering affecting critical infrastructure.

But it’s not clear the tool is getting used for that. Based on an access to information request, CSIS confirmed that for the year 2020 it received 4,000 reports, of which 111 were deemed “relevant” and only two were actual “threats.” But CSIS declined to answer if any of these tips concerned espionage, foreign interference and cyber-tampering (as opposed to its other priorities, like terrorism). In any case, CSIS is not a law enforcement agency and has virtually no obligation to share the information it receives with law enforcement agencies.

Also serving as a possible first stop for reporting cybercrime are other online reporting tools from agencies like the Canadian Centre for Cyber Security (with its tool for reporting cyber incidents), the Canadian Anti-Fraud Centre (with its own online reporting tool), and the Canadian Digital Service (which has an email address on its reporting page). But these sites all make one thing clear: they do not engage in law enforcement.

While vast swathes of the Canadian workforce have transitioned to online work, the country’s law enforcement and intelligence communities, by comparison, seem like Luddites – incapable of keeping up with the evolving nature of the threat landscape for Canadian businesses and co-ordinating their efforts. The federal and provincial governments and their agencies’ reporting tools are also unnecessarily complex, offering many reporting tools that should all be doing one thing, which none of them are currently doing well.

These shortcomings show where Canada stands on reporting cybercrime in comparison to our closest allies (to say nothing of actually investigating or prosecuting it). Law enforcement in countries like the United States, the United Kingdom and Australia all have more robust mechanisms than ours.

Unfortunately, these types of crime are all too real for Canadian businesses. For example, in the early 2000s, Nortel’s servers were repeatedly hacked by Chinese agents siphoning off its IP and trade secrets. In 2017, Bombardier Aerospace saw much of its know-how for the certification of regional jets airlifted out of the country by Mitsubishi Heavy Industries. Last year, Halifax-based crypto startup Groundhog saw an American competitor release a mimic product the day before their own product was set to launch.

These experiences are terrifying for Canadian businesses, with economic consequences that can be painful to bear. They also hurt Canadian innovation. Yet overall, the Canadian approach to address the problem is to leave companies to fend for themselves.

Like a user receiving a pop-up for a software upgrade, the Canadian approach to this problem has been to click “later” or “remind me tomorrow.” Canadian businesses have paid a price for that. It is time to upgrade Canada’s cybercrime reporting infrastructure now.

This article first appeared on Policy Options and is republished here under a Creative Commons license.