A cybersecurity talent shortage will make protecting critical assets more difficult, researchers say
January 12, 2022
Canada’s cybersecurity talent shortage is making it more difficult to protect critical assets as large organizations and infrastructure become more vulnerable to online attacks, according to leading researchers in the area.
Dr. Uwe Glasser, a Simon Fraser University computer science professor, said thousands of Canadian cybersecurity jobs will need to be filled in coming years to deal with increasing ransomware and malware attacks as well as hijacks of small devices connected to the Internet of Things.
During ransomware attacks, culprits withhold data through encryption until victims pay a fee for its return. Malware — a shortened name for malicious software — exploits security defects and infects, disrupts or steals data.
In a cyberthreat bulletin, the federal Canadian Centre for Cyber Security (Cyber Centre) said it knows of 235 ransomware incidents committed against Canadians between Jan. 1 and Nov. 16 in 2021. More than half of the victims were critical infrastructure providers. The estimated average cost of a data breach, including but not limited to ransomware, was $6.35 million. But most ransomware attacks went unreported.
Canada could suffer cyber brain drain
Glasser worries that Canada will suffer a cybersecurity brain drain as trained personnel accept high-paying positions in the U.S.
“I know, working in computer science, that many of our graduates go south of the border [to] Silicon Valley, and they get paid two, three times the kind of money they can make here,” he said. “So I am concerned about this situation.”
Stephanie Carvin, an associate professor of international affairs and national security issues at Carleton University, said Canada can respond more nimbly to immediate threats than other countries because its cybersecurity system is relatively centralized.
The talent shortage, however, increases the challenge of protecting data and devices. Carvin, a former national security analyst, said the shortage is more acute on the federal government side because of the time needed to obtain security clearance for recruits and pandemic-related hiring pressures. Provinces and municipalities are also having trouble recruiting and hiring people.
“Some of the problem is that, even when towns and municipalities want to hire people, they can’t necessarily afford it,” said Carvin, who specializes in public-sector cybersecurity and other security issues.
Glasser and Carvin said large Canadian infrastructure and institutions, particularly power grids and universities, could be victimized by cyberattacks as the U.S.-based Colonial Pipeline and IT firm SolarWinds were earlier this year.
Carvin pointed to an Oct. 30, 2021 cyberattack on Newfoundland and Labrador hospitals as an example of how large Canadian public facilities can be disrupted. Thousands of NL residents’ medical appointments were cancelled, while employee information was stolen from three of the province’s four regional health authorities.
Carvin said signs point to the breach being a ransomware attack, but Premier Andrew Furey has declined to confirm the exact nature of the incident.
‘Shortage continues to worsen’
Glasser said research from the International Information System Security Certification Consortium (ISC)2, Innovation Science and Economic Development Canada (ISED) and other groups confirms that the cybersecurity skills shortage “continues to worsen.”
According to (ISC)2’s 2021 Cybersecurity Workforce Study, Canada’s cybersecurity workforce has increased 47.3 percent to 123,696 this year from 84,000 in 2019. The gap between the number of Canadian workers and positions available here is 25,000. The services in most need globally were security provision, analysis and protection and defence, according to (ISC)2.
Glasser said demand for Canadian post-secondary cybersecurity education is rapidly growing, with commercial and government sectors facing a widening gap between their increasing need to hire in this field and the number of skilled workers available. To offset the problem, Glasser launched a new cybersecurity specialization within SFU’s computer science Master’s degree program.
Glasser said he is seeking B.C. government approval for a full Master’s in cybersecurity degree program. But negotiations, which began two years ago, have been slow.
ISED funds national network for cybersecurity
Glasser praised ISED for introducing a dollar-for-dollar $80-million cybersecurity matching grant program. Ottawa will invest the money over four years, helping to fund a national network composed of multiple cybersecurity centres of expertise. Post-secondary institutions will partner with the private sector, not-for-profits and provincial, territorial and municipal governments as well as universities and colleges.
Grant applications closed July 25.
“Assessment of proposals is ongoing and a funding decision is anticipated to be made public in early 2022,” ISED told Research Money via email.
But Glasser would also like to see government invest more in cybersecurity talent development and future growth of the cybersecurity ecosystem through innovation in education, science, technology, successful startup companies and international collaborations.
“The [federal] government is working closely with Canadian post-secondary institutions, as well as training companies, as they continue to rise to the challenge to develop new programming that can help meet demand,” ISED told Research Money. “The government is committed to achieving the goals of the National Cyber Security Strategy and its vision for security and prosperity in the digital age.”
In 2010, Ottawa committed to spending $431.5 million as part of the strategy. In 2018, the federal government allocated $500 million for cybersecurity over five years. The 2018 funding created the Cyber Centre, a national coordination unit to expand the RCMP’s capacity to investigate nation-wide and international cybercrime.
But Carvin said the RCMP has been delayed in setting up the cybercrime unit until 2023, and doesn’t currently have the computer science expertise that it needs.
“How they set up this new unit is really going to play a role in how functional it is,” she said. “And unless they actually hire specialists, I don’t see how it’s going to work.”
Carvin said it will take more than money to overcome the talent shortage, adding recruiters must help more Canadians see themselves playing cybersecurity roles. That means appealing to women and visible minorities who are less likely to see cybersecurity careers as an option.
“To me, it’s more of a social thing than it is a financial thing,” Carvin said. “You can offer all the money in the world, but if people think they aren’t suited for a role in cyber, then they won’t do that [role].”