Cyber-threats loom for Canada.
Government falling behind in fight against cyber-threats
OTTAWA – The federal government’s inability to protect its own networks and critical infrastructure from cyber-threats was laid bare Tuesday, after Canada’s auditor general pointed to holes in the country’s cyber-security strategy despite more than a decade of work and almost $1 billion spent.
The auditor’s fall 2012 report put a renewed focus on cyber-security at the federal level, as governments around the world continue to face cyber-based attacks. With more of the federal government’s business going online, critics argued the report showed how far behind Canada is on cyber-security. Federal officials told the auditor general they feared the “cyber threat environment is evolving more rapidly than the government’s ability to keep pace,” his report said.
Governments are “starting to understand the nature of the threat” they face, said Nart Villeneuve, a senior threat researcher with TrendMicro in Toronto, but he added the federal government still has a way to go to prove it can keep sensitive information secure. It failed to do so, for instance, in a January 2011 cyber-attack on Treasury Board and Department of Finance systems.
“You have to have a plan in place because (hacks) probably will happen,” Villeneuve said. “Technology is important, but it’s not something you can plug in and forget about.”
Auditor General Michael Ferguson found that federal departments and agencies are slow or loath to share information to help each other fight cyber-threats, while businesses don’t know they should report hacks to the government, or don’t trust the government to protect sensitive information about security breaches.
Departments have also lost track of how $980 million was spent on cyber-security over the past decade, and there are no benchmarks to determine whether the spending is having its intended effect, according to the audit.
Also missing is a detailed plan that lays out who is responsible for what in terms of keeping federal systems safe and helping secure the vast private networks that control the country’s telephone, banking and transportation systems.
“The only time you have a 100-per-cent-secure system is when you have a system with no users,” Ferguson said Tuesday, shortly after the release of his fall report.
“That’s the case when you’re dealing with cyber-threats. You can’t eliminate it, but it’s important for the government, in terms of its own systems, to make sure that they understand the types of threats and that they can be in front of them as far as possible or at least be trying not to lose ground.”
Keeping up with ever-changing and never-ending cyber-attacks requires the government to act as an information “clearing house” for Canadians and the private sector, Ferguson said, but it has yet to fully meet that mandate, leaving gaps in knowledge about cyber-security. For instance, it took more than a week before the government’s cyber incident response centre learned of the successful 2011 cyber-attack against Treasury Board and Department of Finance systems, a violation of protocols.
The government said Tuesday it planned to improve communication and clearly lay out roles and responsibilities, although it didn’t say whether that plan would be public.
The previous plan, drafted about two years ago, was never publicly released because of security concerns, adding to the confusion that has dogged the government’s approach to cyber-security.
The audit only looked at the threats against critical infrastructure, which U.S. Secretary of Defense Leon Panetta recently said could lead to a “cyber Pearl Harbor” with catastrophic consequences for the United States. Auditors didn’t specifically review defences against cyber-espionage.
Public Safety Minister Vic Toews said Canada faces cyber-threats from hackers working on their own, for criminal organizations, or for other nations, although the government was unable to tell auditors how threats have changed.
“What I do know is that the threats are constant, that the infrastructure our government is creating is responding to these threats,” Toews said.
In the last decade, about $980 million in spending was approved for 13 departments that asked for money for cyber-security. Of that, $780 million was for one-time requests from departments, with a further $200 million set aside for ongoing costs. Overall, the audit team was unable to identify precisely how the $200 million in operational costs was used for cyber-security.