Canadian Critical Infrastructure Security
As many of you know, the US National Institute on Standards and Technology (NIST) recently published its Framework on Critical Infrastructure Security. Here is one of many articles about it that gives a good summary.
Does Canada need something similar? If so, who would be the appropriate authority to issue it? Will the US framework spill over in any event to Canada, to set a civil standard of care for cybersecurity practices?
A number of American lawyers are advising that boards of directors of ‘critical infrastructure’ operations — a very broad class — have to be aware of these guidelines, because they will set the scope of what is considered foreseeable in the event of an incident. In other words, once you have seen the NIST material, you may be negligent if you don’t respond — even though the guidelines have no formal legal effect.
Do Canadian companies (and law firms) ‘get’ cybersecurity? Is anyone here doing anything because of the NIST standard or other events? Should they be?
If the US is setting the standards and in light of the Snowden revelations being a little pragmatic and a little paranoid one might ask who do these standards serve and for what purpose? To use an old phrase are we putting the fox in control of the chicken coop? Couple this with the criminalization of dissent on nearly every level I must ask what is the macro agenda?