Cybersecurity 101: Common Sense Can Make All the Difference

The Slaw blog had a good basic post yesterday morning on cybersecurity for law firms. It made me want to share some of their advice, to which I’d add a few points of my own, and which may apply not only to professionals but also to any type of organization.

As you may notice, a lot of this is basically common sense, as applied in the digital age:

  • Start by asking yourself what type of data your organization handles, and contemplate what problems you may have were it to fall into other hands or become unavailable;
  • Inventory all devices which your organization uses, including in particular those that connect to its systems and/or the Internet, and make sure your personnel knows the dangers associated with plugging in anything new (e.g., an infected USB stick);
  • Realize that anything you plug into the Internet (i.e. make accessible) may become a point of entry for potential hackers or infections, in particular any devices that have not been fully updated (including any firmware and software running on them) – make sure all your hardware and software are regularly updated (starting with your router and computers/servers);
  • Stop allowing or using weak passwords and force everyone to use a solid password manager;
  • Better yet, have everyone in the organization use Two Factor Authentication (2FA) to access every tool that supports it;
  • Acknowledge that employees require ongoing cybersecurity training and reminders, and actually schedule it so that it does happen, at least every year, including on things like:
    • The risks associated with using passwords (such as weak or reused ones);
    • Problems which may be triggered by navigating one’s browser to a malicious site or clicking on a link in an email;
    • The dangers of activating, opening or clicking on attachments;
    • The concept of social engineering and its role in many attacks;
  • Know in advance who you will call in case of an incident to investigate or remedy, and make sure your personnel knows what your game plan is;
  • Do not assume you are safe because no one would bother attacking you: we’re all potential victims of cybersecurity incidents, and anyone can fall victim to an attack without even having been specifically targeted.

With Québec’s passing of a new personal information statute, further to Bill 64, I’d say now’s a good time to brush up on your cybersecurity practices and safeguards!

Québec’s Own French Language Open Source Licenses

While doing some work on open source, I recently came across a section of the list of officially accredited open source licenses that includes 3 licenses made in Québec. These were apparently created by Québec authorities for their own purposes. Not too surprisingly, the original version of these 3 open source licenses is in French, contrary to most others of this kind.

The official site www.opensource.org now lists these 3 licenses, which I’m linking below to a micro-site created by the Centre de services partagés du Québec called “Forge gouvernementale”. The presentation of the documents on this site is much easier to read than the version posted on opensource.org (that presents the text of each license in a single block of text):

The OSS licenses at issue were created with the government’s software development efforts in mind and (initially) presented in French, though an English translation is available. As with other open source licenses, the goal here is to free source code in the manner that maximizes the users’ rights and the ease with which it may be used and redistributed down the line. If you’re curious (I was), the Québec government published the following FAQ about these licenses.

The first license (LiLiQ-P) is akin to the Apache open source license and thus fairly permissive. The code released under this license may be included in other software that is then distributed without having to make it available with the source code and without being required to distribute it through an open source license.

The other 2 licenses (LiLiQ-R and LiLiQ-R+) are relatively similar to somewhat more restrictive licenses such as the MPL license and the LGPL license, requiring that resulting software be made available, including as source code, through a LiLiQ-type license. Another feature of the licenses at issue resides in their reciprocity provisions, generally allowing the combination of LiLiQ code with code made available pursuant to most other open source licenses.

Is anyone really surprised that Québec would want to express how different it is from the rest of Canada (and the world) by creating its own version of an open source license? Eh, why not?

Canadian Government Angling to Control Content Placed Online, including UGC and Even Apps

As you may recall, since last fall, the Canadian government has been working toward getting its bill C-10 enacted. The bill aims to allow taxing streaming services such as Netflix. Though this may have been the initial impetus behind the introduction of the bill, we’re now seeing that C-10 may also go so far as to allow the regulation of content placed online, including user-generated content, computer games and apps of all kinds. Yes, Canada seems to have decided to shed its laissez-faire attitude toward what’s placed on the Internet.

Indeed, it would now seem that the Liberal government may be trying to broaden bill C-10 so as to grant the CRTC additional powers to regulate whatever is placed online, including (the latest twist in this little legislative soap opera) apps—yes, you read this right: apps. This story is being disseminated by Michael Geist, further to a statement seemingly made by mistake by an MP while commenting on an amendment that has yet to be formally introduced. Apparently, the government may be in the process of making changes to C-10 that would allow the CRTC to regulate not only streaming services, but also some content itself, such as apps made available on the Internet.

Though the government stated it did not intend to try and regulate computer games, it now appears C-10 may, on the contrary, end up allowing the CRTC to regulate software made available through the Internet, a prospect that has many cringing.

From a bill initially justified as a way to simply allow the taxation of streaming services (such as Netflix) in Canada (to level the playing field vs. other ways of making content available to Canadians), we’re now faced with a bill that seems to be transmogrifying into a bill meant to empower the government (through the CRTC) to control what is placed or made available by and to Canadians online. This may end up being extended and/or applied to computer games, content placed on social networks, blog posts, podcasts, etc. Hmm, so much for the CRTC’s 2000 position that it wouldn’t mess with the Internet.

Is it just me or are we faced with a slight drift in the federal government’s recent efforts to try and better control the Internet in Canada? Hmmm—to be continued, unfortunately.