Canada vulnerable to cyber-attacks: auditor general
Slow response to 2011 breach cited in report
OTTAWA — The federal government’s inability to protect its own networks and critical infrastructure from cyberthreats was laid bare Tuesday, after Canada’s auditor general pointed to holes in the country’s cyber-security strategy despite more than a decade of work and almost $1 billion spent.
The auditor’s fall 2012 report put a renewed focus on cyber-security at the federal level, as governments around the world continue to face cyber-based attacks. With more of the federal government’s business going online, critics argued the report showed how far behind Canada is on cyber-security. Federal officials told the auditor general they feared the “cyber threat environment is evolving more rapidly than the government’s ability to keep pace,” his report said.
Governments are “starting to understand the nature of the threat” they face, said Nart Villeneuve, a senior threat researcher with TrendMicro in Toronto, but he added the federal government still has a way to go to prove it can keep sensitive information secure. It failed to do so, for instance, in a January 2011 cyber-attack on Treasury Board and Department of Finance systems.
“You have to have a plan in place because (hacks) probably will happen,” Villeneuve said. “Technology is important, but it’s not something you can plug in and forget about.”
Auditor general Michael Ferguson found that federal departments and agencies are slow or loath to share information to help each other fight cyber threats, while businesses don’t know they should report hacks to the government, or don’t trust the government to protect sensitive information about security breaches.
Departments have also lost track of how $980 million was spent on cyber-security over the past decade, nor are there any benchmarks to determine whether the spending is having its intended effect, according to the audit.
Also missing is a detailed plan that lays out who is responsible for what in terms of keeping federal systems safe and helping secure the vast private networks that control the country’s telephone, banking and transportation systems.
“The only time you have a 100-per-cent-secure system is when you have a system with no users,” Ferguson said Tuesday, shortly after the release of his fall report. “That’s the case when you’re dealing with cyber-threats. You can’t eliminate it, but it’s important for the government, in terms of its own systems, to make sure that they understand the types of threats and that they can be in front of them as far as possible or at least be trying not to lose ground.”
Keeping up with ever-changing and never-ending cyber-attacks requires the government to act as an information “clearing house” for Canadians and the private sector, Ferguson said, but it has yet to fully meet that mandate, leaving gaps in knowledge about cyber-security. For instance, it took more than a week before the government’s cyber incident response centre learned of the successful 2011 cyber-attack against Treasury Board and Department of Finance systems, a violation of protocols.
The government said Tuesday it planned to improve communication and clearly lay out roles and responsibilities, although it didn’t say whether that plan would be made public. The previous plan, drafted about two years ago, was never publicly released because of security concerns.
The audit only looked at the threats against critical infrastructure, which U.S. Secretary of Defense Leon Panetta recently said could lead to a “cyber Pearl Harbor” with catastrophic consequences for the United States. Auditors didn’t specifically review defences against cyberespionage.
Public Safety Minister Vic Toews said Canada faces cyber-threats from hackers working on their own, for criminal organizations, or for other nations, although the government was unable to tell auditors how threats have changed.
In the last decade, about $980 million in spending was approved for 13 departments that asked for money for cyber-security. Of that, $780 million was for one-time requests from departments, with a further $200 million set aside for ongoing costs.
Where the money went isn’t clear.
The audit said $570 million had gone to the Communications Security Establishment (CSE), the super-secret agency charged with protecting key government systems from online threats, but that money was for a variety of programs, including cyber-security.
Of the remaining $210 million, only about $20.9 million was directed specifically toward cyber-security between 2001 and 2011 — meaning about $190 million couldn’t be accounted for under the cyber-security umbrella itself; some of it may have been spent on general IT with cyber-security as part of the expenditure.
Overall, the audit team was unable to identify precisely how the $200 million in operational costs was used for cyber-security.
“We’re spending enough money today. We have to be smarter with the money we’re spending,” said Tony Busseri, CEO of Toronto-based cyber-security firm Route1.
Ferguson’s report, he said, was “very high-level and (identified) things that should have been implemented a decade ago.”
This year, the government added $31 million for cyber-security to four federal departmental budgets, part of $155 million over five years made public last week. That funding was approved in April, and is in addition to the $90 million over five years the government committed to its cybersecurity strategy in 2010.
That money is supposed to help the Canadian Cyber Incident Response Centre provide information on cyber-threats, but the centre has yet to operate on a 24-7 basis as originally intended, auditors found. The government has committed to expanding hours of operation to 15 hours a day and having someone on call when the centre is closed.
Keeping the centre open 24 hours would allow a central office to evaluate the seriousness of cyber-threats against Canadian systems, to “connect all of the dots” for federal agencies, average Canadians and businesses on cyber-threats, Ferguson said.
Sharing information within the government has been problematic with 11 departments and agencies involved in cyber-security, including the CSE. Sharing information with the private sector has also been slow to materialize.