Vanessa Henri
Data Protection Strategist - Fasken
Part of the Spotlight on Montreal’s Cybersecurity Industry

Montreal’s Strengths in AI, VR and Games Growing its Cybersecurity Ecosystem

Listen via our AI text-to-speech service.

Takeaways

  1. Canada’s cybersecurity risk is high and the implementation of emerging technologies in government and industry will create immense opportunities for the cybersecurity sector.
  2. Montreal’s cybersecurity ecosystem is experiencing significant momentum and growth. It is receiving strong government support and attracting significant tech talent.
  3. Montreal’s tech specializations, such as AI, VR and video games, position the city to be a significant cybersecurity hub as they are the industries that will foster and rely on cybersecurity in the future.

Action

Federal alignment of cybersecurity standards across multiple industries will grow the cybersecurity sector and keep Canadians safe from cyber attacks. Businesses should also buy locally when investing in cybersecurity to keep the Canadian cybersecurity ecosystem strong and encourage business.


How would you define the current state of global cybersecurity risks? What opportunities exist for businesses to mitigate these risks?

The phenomenon of digital transformation is pushing companies to implement new technologies at an unprecedented rate, and many are subject to evolving laws, regulations and industry practices. This leads to an extension of the attack vectors for malicious parties, creating new risks that are not being properly assessed. By 2020, there will be more than 25 billion connected devices, which creates risks and opportunities for the cybersecurity industry. When implementing new technologies like AI and machine learning, organizations need to understand the risk associated with their algorithms and the privacy implications of their projects. We often view innovation and diligence as incompatible, but it’s the opposite. Privacy by design and other risk assessments are spurring innovation and forcing programmers to think outside of the box. Cybersecurity companies have a tremendous opportunity to support risk-based decision making while companies and governments implement emerging technologies.

“We often view innovation and diligence as incompatible, but it’s the opposite. Privacy by design and other risk assessments are spurring innovation and forcing programmers to think outside of the box. “

For every new risk we also have new opportunities, in both the service and product industries. In the service industry, we need risk assessments that are specialized, like algorithmic impact assessments. Are your algorithms functioning like you think they are? Are they discriminating? Do they have any risks? That industry is booming today and will continue to boom. On the product side we need to be competing with sophisticated attacks. We need more AI cybersecurity tools to manage vulnerabilities, and there are millions of them. The truth is we do not have enough people or time. 

A whitepaper was recently published in Quebec on how we can use blockchain in the context of cybersecurity and digital identity. Projects like these are very interesting. There are 25 companies that have shown they are interested in using these emerging technologies, but proper risk assessments will need to be done to provide them with security.


How do you rank Canada in terms of our preparedness to defend ourselves against cybersecurity attacks? What must be done to improve this?

When we compare Canada’s GDP and population to similar countries, we find that we are highly targeted for cyber attacks. We also find that data breaches in Canada are quite high, and that is in the absence of any legislation. However, we have to be careful because many factors can explain this including high access to credit cards, a digital economy worth $57.4 billion, a knowledge-based economy with R&D labs that may attract cyber espionage, and a high average salary per capita. We also spend more time online than any country in the world and have a financial system that is extremely stable. But yes, Canada is highly targeted.

Are we ready to face these threats? The threat vectors are moving faster and faster, so it is very hard to measure. However, we know from the first release of the Canadian Survey of Cyber Security and Cybercrime (CSCSC) which sectors in Canada experience the highest number of incidents: banking institutions (47%), universities (46%) and pipeline transportation (45%). Businesses in these sectors experience incidents where malicious actors demand payments or steal money.

Until recently there was no recourse for organizations that experienced data breaches because requirements were not being enforced. It will be interesting to view the data that we have after November 2018, when data breach notification laws came into force. But if we look behind the numbers, its clear that the sectors that are most at risk are those that store valuable personal information which can be resold online and leveraged for malicious use. We are looking at the financial and health sectors as the prime targets, but universities in Canada are also at risk. Similar to hospitals, universities are underfunded and have IP infrastructure that can be very old. They usually do not have duplication of their databases, which makes them very vulnerable.

The second type of industry under threat are our industrial control systems. These systems use a vast array of interdependent networks to support their operations. In Quebec we receive more than 500 cyber attacks each year, so it is not difficult to imagine that this critical infrastructure is being targeted at all times.

“In order for Canada to lead in the cybersecurity field, technologies need to be accessible to SMEs. We already have cybersecurity innovation, we just need to make it scalable.”

In terms of how these sectors can be more prepared, Canada has issued virtual risk analysis tools that provide expertise. But the enforcement of mandatory security measures remains non-existent in many sectors, and Canada does not have strong cybersecurity laws. This leaves the management of personal information and other critical information infrastructure outside of the law, where companies can be sued for negligence in the case of a data breach. What we need is a well-protected national standard for cybersecurity legislations.

In order for Canada to lead in the cybersecurity field, technologies need to be accessible to SMEs. We already have cybersecurity innovation, we just need to make it scalable. I would encourage the top 500 Canadian companies to buy local when it comes to cybersecurity. They may only need your business to scale up. There are valuable suppliers to be considered, and those purchases will be investments into the Canadian economy. Many companies feel they need an American name brand in cybersecurity, but there is no logical justification for this. We need to come together to create a secure network and grow the Canadian cybersecurity sector.


How strong is the cybersecurity ecosystem in Canada, and in Montreal in particular? How can we strengthen the industry further?

We have several key organizations that came to be known as the Canadian Cyber Trade Exchange (CCTX), which is an independent, non-profit organization whose mission is to share trade information, conduct analysis and make recommendations. The organization has competitors on its board of directors that are willing to work together and exchange critical information to ensure Canada is secure. Canada also has many initiatives to foster innovation including In-Sec-M, a cyber cluster that attracts new cyber talent companies and investments to grow the economy and increase competitiveness.

There is strong leadership in Canada – both in companies and at the government level – to build the cybersecurity ecosystem and support companies of all sizes. This also demonstrates the strength of the vibrant startup community in Canada. We are very supportive of new companies creating cybersecurity products, and the federal government has committed $70 million over two years to support innovation in the sector. There is momentum in both Canada and Montreal, and we are seeing big companies coming into the ecosystem.

“We are very supportive of new companies creating cybersecurity products, and the federal government has committed $70 million over two years to support innovation in the sector. There is momentum in both Canada and Montreal, and we are seeing big companies coming into the ecosystem.”

Montreal is developing its strengths as an important cybersecurity hub. We have Cyber Eco, a collective focused on driving Quebec’s cybersecurity talent and expertise. And we have Montreal International working on similar projects as well. 

Montreal offers many advantages for cybersecurity firms. With $861 million in 2018, there is plenty of VC financing. There are many research chairs, privacy preservation and technical analysts, many students, many universities and a huge AI ecosystem – all of which are very important in the field of cybersecurity. However, we can improve by helping startups to scale. The number of patents in Canada has doubled from 18% to 45% in 2017, so there is plenty of innovation here, but it is sent elsewhere to scale up. We need to keep innovations and patents in Canada.


What excites you most about Montreal’s cybersecurity ecosystem? What potential challenges exist going forward?

The overall feeling is that Montreal is becoming a tech hub that is fostering industries, like VR and video gaming, which will need to rely on cybersecurity in the future. The fact that we have so many students that are qualified in tech is very exciting. Montreal continues to play a central role in the tech industry, and there are still many parties coming together from government, industry, and not-for-profits saying, “We have an opportunity, let’s seize it.” And the government is spending on cybersecurity. It looks like the sector has a very bright future, and there is a lot of momentum now.

“Montreal is becoming a tech hub that is fostering industries, like VR and video gaming, which will need to rely on cybersecurity in the future.”

In terms of challenges, Montreal is going to be dependent on the government’s capacity to take startups and turn them into sustainable companies that will provide jobs. Are we going to have an industry of cybersecurity innovation in R&D, or are we going to have a full-scale industry in Montreal? Also, although we have great tech talent in Montreal, the government’s immigration policy going forward is also relevant. We need to attract the right talent and loosen requirements related to the French language to continue drawing in the many impressive candidates coming to Montreal. We should also ensure we are providing the right programs and support for this talent so we don’t impede innovation.


What can governments do to help grow Canada’s cybersecurity industry and attract foreign investment?

We are very lucky in both Canada and Montreal to have a good tax credit system and ample support for R&D and innovation, which increases the potential for foreign innovation.

Canada’s national cybersecurity strategy aims to foster innovation and economic growth. The federal government launched a cybersecurity cooperation program, which makes $10.2 million available to support initiatives over five years. Quebec also has a cybersecurity innovation program for funding and development, which assists firms with the ability to scale. There are further resources for startups within the government and the private sector. So there are many options available to fund cybersecurity projects and entrepreneurship.

“The federal government launched a cybersecurity cooperation program, which makes $10.2 million available to support initiatives over five years. Quebec also has a cybersecurity innovation program for funding and development, which assists firms with the ability to scale.”

However, one thing that will attract more foreign investment in cybersecurity is legislation to encourage the growth of the market. The federal government has jurisdiction over the banking system, which is important from a cybersecurity standpoint because it’s a big market. But the federal government needs to figure out how to align laws on national security, banking, telecommunication, labour and transport, which are all fields where cybersecurity is important. If we do not have alignment at the federal level, we remain vulnerable as a country.