Security Policy

Dec 15, 2010

Today’s changing and complex environment of national security and public safety has underlined the role that innovation plays in battling terrorism and mitigating the effects of large-scale national disasters. Cooperation and the coordination of resources are required if the world is to be effective in battling sustained terrorist threats or mitigating major disasters.

Police officers conduct roadside safety checks.

In Canada, the Auditor General (AG) has often criticized as inadequate our own efforts at national emergency management development. Last year, the AG released a report that indicated the money that was given to Public Safety Canada had gone mostly unspent. The result, as the report states, is that the department has been “unable to develop its capacity for emergency management.”

Since the AG’s Report, Public Safety Canada has released key documents in the areas of Emergency Management and Critical Infrastructure Protection. Plans have indeed been coming out since the Government passed the Emergency Management Act. Major policy and action plan documents, such as the Federal Policy for Emergency Management and the Federal Emergency Response Plan of March 2010, have been released. More recently, the department announced the National Strategy and Action Plan for Critical Infrastructure. This strategy proposes: “to establish sector networks, at the national level, for each of the critical infrastructure sectors. This approach will build […] upon existing coordination and consultation mechanisms, [while enabling] governments and critical infrastructure sectors to undertake the range of activities (e.g. risk assessments, plans to address risks, exercises) unique to each sector.”

Public Safety Network
One sector that needs more focus is the public safety network. This group encompasses heroic yet ordinary people who assist fellow citizens in all manner of hazards and emergencies. All responder groups – from fire, police, paramedic, and other municipal, provincial or federal security and emergency response personnel – are included in this sector. Safety and security planners and operators in public and private institutions, often described as Emergency Management (EM) or Business Continuity (BC) managers, also constitute an important part of this Public Safety sector. They deserve the support needed to excel at their jobs … for our good. Support and leadership should come from Government.

Canada’s national security depends greatly on federal level policy leadership and funded program development of EM. This leadership should define our strategic direction on important public safety policy and governance issues. The programs themselves should focus on developing security infrastructure, broadly defined. For true infrastructure security, policies should ensure that the necessary development programs are resilient, sustainable and easily funded.

The recent changes to policy formation elements related to the Emergency Management Act, announced by Public Safety Minister Vic Toews, are significant. The provisions deal with fundamental requirements for a resilient critical infrastructure by stressing standards and best practices. Parliament passed the Consolidation to The Emergency Management Act on 6 October 2010. Specifically, in Section 3(o), the Act states:

“The Minister is responsible for exercising leadership relating to emergency management in Canada by coordinating, among government institutions and in cooperation with the provinces and other entities, emergency management activities…[by]… promoting a common approach to emergency management, including the adoption of standards and best practices.”

This is very significant to overall public safety in Canada. It means that we can become proactive and build resiliency as a systematic effort across government jurisdictions and private sector disciplines. It means being able and obliged to integrate necessary security solutions and protection systems within the very architecture of designated Critical Infrastructure.

Public Safety seems to be getting the point, but other key areas of our CIP strategy need to assist; Cyber Security, for example, is the purview of the Treasury Board Secretariat. Public Safety Minister Toews announced in October 2010 that TBS will support and strengthen cyber incident management capabilities across Government, through the development of policies, standards and assessment tools.

When we see national standards being recognized and deemed essential to long-term success, we can rest assured that Canada’s approach to national security is maturing. When standards are applied, it becomes easier to develop and rely upon the required solutions and systems that may come into play should we face any disaster. With standards, we assure the systems being developed to ensure our safety will talk to each other. We are also reassured by the fact that the resultant operating procedures will have been developed with input from subject matter experts.

If we assume that Public Safety Canada is “getting it” with respect to policy development, are they also “getting it” with respect to programming? The answer here is a guarded “yes.” Minister Toews recently announced that the Partnership Towards Safer Communities (a program of the Canadian Association of Fire Chiefs), would be supported by the Department. This ties in the standards promotion for Emergency Management (policy), with development of on-line resources for professionals across Canada (program).

Standards are very important in developing resiliency in Critical Infrastructure. The vital interdependency related to the security of Canada’s 10 critical infrastructure components demands common standards for effective protection.

It is well known that 85% of Canada’s Critical Infrastructure is in the hands of private enterprise. The energy grid, the telecommunications networks, and the big banks are all a part of Canada’s CI foundation – and their interdependence is self-evident. But the fact is, large components of our CIP strategy are also in the hands of the Small and Medium Sized Enterprises (SME). It is therefore important to consider the SME role in CIP which, in turn, demands broadly adopted standards such as CSA Z1600 (see article by Ron Meyers). The same applies to some not-for-profit agencies that are beginning to follow similar procedures and standards on their own.

Cyber Clarity
Nowhere today is the requirement for standards and good governance more prevalent than in cyberspace. Appropriately enough, Public Safety Canada announced the Cyber Security Strategy on October 3rd of this year. We were hoping for something like the Chinese cyber offense strategy: “win victory before the first battle and do it with a borrowed sword.” Instead, we got another “framework” oriented directive with perhaps just a bit more bravado baked in: “With a subject as critical as cyber security, there is no room for ambiguity in terms of who does what. This Strategy sets out the required clarity.” Alas, the “clarity” part may be a bit of a stretch.

In view of recent threats, the Cyber Security Strategy is a key component to the work of emergency managers and business continuity professionals in all Critical Infrastructure components. Front-line workers in the public safety sector are highly dependent on technology – including communications technology – to excel at their jobs. They understand the benefits of standards-based procedures, and the need for the government to support them, both in learning and applying those standards. They also rightly expect that the Government will do the same in its own shop.

The Future
Based on the fact that the public safety sector in Canada is comprised of so many moving parts and overlapping responsibilities, applying and imposing standards like CSA Z1600 must form part of government policy. Public Safety Canada is now well positioned to build on its nascent efforts to partner with the other segments of the public safety community in order to achieve the resiliency and capability all Canadians and the Emergency Management and Business Continuity professionals expect and count on for their protection.

Ed Myers, FrontLine Editor.
© FrontLine Security 2011