Isaac Straley, a cybersecurity expert and the University of Toronto's chief information security officer, was recently appointed to a new expert panel established by the Ontario government to improve cybersecurity and digital resilience among broader public sector organizations.
The Broader Public Sector Cyber Security Expert Panel will see experts and leaders in information technology, cybersecurity and public sector service delivery come together to address pressing challenges in cybersecurity, provide feedback on the provincial government’s existing efforts in that realm and create a comprehensive cybersecurity strategy.
Created by the Ministry of Government and Consumer Services as part of Ontario’s Cyber Security Strategy, the 10-person panel will examine broad and sector-specific cybersecurity risks faced by organizations such as universities, colleges, hospitals and school boards. The panel will be chaired by Robert Wong, executive vice-president and chief information officer at Toronto Hydro and a U of T alumnus.
Several broader public sector agencies and their service delivery partners have been targeted by cyberattacks in recent years, according to the ministry, resulting in the loss of sensitive personal and health data, sabotaging of organizations’ operations and forced payment of ransom to regain data access.
In a conversation with U of T News, Straley – who was appointed U of T’s first-ever chief information security officer in 2018 – discussed the panel’s mandate, the range of cybersecurity threats faced by universities and other broader public sector organizations, and the importance of working collaboratively to boost information security across the province.
How vulnerable are broader public sector organizations to cyberattacks, and how has the threat evolved in recent years?
What’s challenging for the broader public sector is we are very visible organisations, and the attacks we’re seeing are often motivated by opportunity. While there are attacks that are designed to steal specific data and target big companies, the reality is that a lot of the activity we see is opportunistic, and they try to get whoever they can.
A lot of what’s out there is criminal activity with attacks like ransomware – software that encrypts your data and asks you to pay money to get it back. This has become, especially during the pandemic, even more acute because criminal organizations can make a lot of money. When you look at the organizations in the broader public sector – hospitals, utilities, universities, etc. – they are ripe for targeting because they provide critical services.
What are the specific cybersecurity and information security threats faced by universities?
The attacks we face are themselves not unique, but the scope of attacks that we face is. We have administrative cores with institutional information; we have our teaching component which, especially during a pandemic, has a global reach and impact; we have physical infrastructure – we run power plants and building systems; we have athletic facilities and sports camps; we run food service and bookstores and we take credit cards.
We’ve got researchers who are working on the most innovative research, which is intellectual property that somebody – like another country – wants to access. We also have research we’re working on that someone might want to disrupt, for economic or even geopolitical reasons.
How do you see this panel helping to solve these issues?
For me, it’s about having a common framework and vision to work on resolving these problems. The broader public sector is in this together. It might also be able to help us garner resources that we might not individually have to tackle these problems.
One of the angles of security is economic – if it’s more expensive for the attacker to attack you, then they’re not going to. Maybe they’ll go somewhere else or maybe they just won’t be incentivized to do it. My hope is the latter – that we can de-incentivize attacking in the first place.
Information security is a big problem that costs money. We have to work together or else there will continue to be an economic advantage for the attackers.
What is U of T’s role to help boost information security?
My approach to this is to bring U of T’s expertise to the table and solve these problems collectively. And that’s not just me as an individual. What I can represent is the expertise we have across the university, whether that’s operational professionals like myself or consulting with experts in our faculty.
One of the things that I am doing in U of T’s security program is helping tackle problems at the community level, provincial level, national level and even, in some ways, the international level. U of T can – and needs to – play a role moving us forward.
Is there anything else you’d like to tell the U of T community, or the public for that matter, about this panel and its work?
I’m really excited about the opportunity and humbled to be appointed to a panel like this.
For me, collaboration is critical. I applaud our government for bringing together a panel like this, and we need more such platforms and conversations to solve problems together on cybersecurity because this is a collective problem.
Security done in isolation is generally building barriers. I think security done in collaboration is enabling what we’re trying to do. At the end of the day, the university is trying to teach, it’s trying to do research, it’s trying to improve the world and better its community.
Hospitals and all of the other broader public sector organizations each have similar mandates with critical services. We have a shared fate. We’re in this together and we have to work on this together. When we do security right, especially in this interconnected age, we can enable so much more. When you do it by yourself, you just build walls. We’re not trying to build walls – we’re trying to move forward securely.