Federal bureaucrats are once again warning that Canada’s government departments and agencies are vulnerable to cyberattacks.
Internal documents obtained by the Toronto Star’s Alex Boutilier this past week reveal a number of issues that put Canada at risk.
They include an IT “incident management plan” that is too complex and unclear on who is responsible for what. A lack of co-ordination between that plan and Ottawa’s overall Federal Emergency Response Plan. And a number of departments and agencies failing to use the government’s secure network.
That last point is particularly troubling after Canada accused China last week of carrying out a cyberattack on the National Research Council of Canada. The NRC had reportedly resisted joining the government’s secure Shared Services network, preferring its own.
The internal documents made public by the Star call for all government systems to be on the secure network by the end of the fiscal year.
Despite the negative assessment of the government’s ability to both fight off cyberattacks and effectively react to them, the assessments — like canaries in a coal mine — are helpful.
They are evidence that the government acted quickly to assess its vulnerabilities after the so-called Heartbleed virus breached the Canada Revenue Agency’s tax filing system in April.
Before it could be shut down, the tax information of 900 Canadians had been leaked.
Still, the problems the documents reveal are troubling in an age where cyberattacks on government departments and agencies can mean stolen personal information (as was the case at the CRA), the theft of high-tech scientific research (as the government is alleging took place at the NRC) or attacks on Canadian infrastructure.
That last one is particularly disturbing.
Two years ago then-U.S. defence secretary Leon Panetta described cyberattacks on infrastructure as a potential “cyber Pearl Harbor.” His fear was that computer hackers could dismantle the power grid, transportation system, financial networks and government services.
That was also an area that Auditor General Michael Ferguson singled out for action in his 2012 annual report.
Despite $980 million spent on cyber-security in the decade leading up to the audit, Ferguson noted there was no detailed plan for who is responsible for what in protecting not only federal systems, but the country’s telephone, banking and transportation systems.
More unwelcome news is contained in documents the Star obtained that indicate Canada is becoming an increasingly popular target for hackers.
In the first three months of 2013 Canada experienced a 25-per-cent increase in the number of websites hosing “malware” — software designed to damage or gain access to other computers — according to the Canadian Cyber Incident Response Centre, an agency of Public Safety Canada.
One reason for its increasing popularity? The “lack of takedowns” — Ottawa’s inability to act against cyber attackers.
Canada’s government is not alone in scrambling to stay ahead of cyberattack technology.
This spring the U.S. laid charges against five Chinese military officers, accusing them of stealing sensitive commercial information over the Internet to benefit state-owned companies.
And in the Pentagon’s annual report to Congress on China, the Chinese government and military were accused of mounting attacks on U.S. government and defence contractor computer systems in a systematic effort to steal intellectual property.
Still, in a world where one analyst noted cyberattacks are more likely than nuclear ones, quick action to prevent ongoing breaches of our government systems is imperative for our personal and collective security.
Ottawa has had frequent warnings of the risks – in the auditor general’s two-year-old report and in the new documents revealed by the Star. It needs to act on them without delay.