Montreal Gazette

Canada vulnerable to cyber-attacks: auditor general

Slow response to 2011 breach cited in report

- JORDAN PRESS

OTTAWA — The federal government’s inability to protect its own networks and critical infrastructure from cyberthreats was laid bare Tuesday, after Canada’s auditor general pointed to holes in the country’s cyber-security strategy despite more than a decade of work and almost $1 billion spent.

The auditor’s fall 2012 report put a renewed focus on cyber-security at the federal level, as governments around the world continue to face cyber-based attacks. With more of the federal government’s business going online, critics argued the report showed how far behind Canada is on cyber-security. Federal officials told the auditor general they feared the “cyber threat environment is evolving more rapidly than the government’s ability to keep pace,” his report said.

Governments are “starting to understand the nature of the threat” they face, said Nart Villeneuve, a senior threat researcher with TrendMicro in Toronto, but he added the federal government still has a way to go to prove it can keep sensitive information secure. It failed to do so, for instance, in a January 2011 cyber-attack on Treasury Board and Department of Finance systems.

“You have to have a plan in place because (hacks) probably will happen,” Villeneuve said. “Technology is important, but it’s not something you can plug in and forget about.”

Auditor general Michael Ferguson found that federal departments and agencies are slow or loath to share information to help each other fight cyber threats, while businesses don’t know they should report hacks to the government, or don’t trust the government to protect sensitive information about security breaches.

Departments have also lost track of how $980 million was spent on cyber-security over the past decade, nor are there any benchmarks to determine whether the spending is having its intended effect, according to the audit.

Also missing is a detailed plan that lays out who is responsible for what in terms of keeping federal systems safe and helping secure the vast private networks that control the country’s telephone, banking and transportation systems.

“The only time you have a 100-per-cent-secure system is when you have a system with no users,” Ferguson said Tuesday, shortly after the release of his fall report. “That’s the case when you’re dealing with cyber-threats. You can’t eliminate it, but it’s important for the government, in terms of its own systems, to make sure that they understand the types of threats and that they can be in front of them as far as possible or at least be trying not to lose ground.”

Keeping up with ever-changing and never-ending cyber-attacks requires the government to act as an information “clearing house” for Canadians and the private sector, Ferguson said, but it has yet to fully meet that mandate, leaving gaps in knowledge about cyber-security. For instance, it took more than a week before the government’s cyber incident response centre learned of the successful 2011 cyber-attack against Treasury Board and Department of Finance systems, a violation of protocols.

The government said Tuesday it planned to improve communication and clearly lay out roles and responsibilities, although it didn’t say whether that plan would be made public. The previous plan, drafted about two years ago, was never publicly released because of security concerns.

The audit only looked at the threats against critical infrastructure, which U.S. Secretary of Defense Leon Panetta recently said could lead to a “cyber Pearl Harbor” with catastrophic consequences for the United States. Auditors didn’t specifically review defences against cyberespionage.

Public Safety Minister Vic Toews said Canada faces cyber-threats from hackers working on their own, for criminal organizations, or for other nations, although the government was unable to tell auditors how threats have changed.

In the last decade, about $980 million in spending was approved for 13 departments that asked for money for cyber-security. Of that, $780 million was for one-time requests from departments, with a further $200 million set aside for ongoing costs.

Where the money went isn’t clear.

The audit said $570 million had gone to the Communications Security Establishment (CSE), the super-secret agency charged with protecting key government systems from online threats, but that money was for a variety of programs, including cyber-security.

Of the remaining $210 million, only about $20.9 million was directed specifically toward cyber-security between 2001 and 2011 — meaning about $190 million couldn’t be accounted for under the cyber-security umbrella itself; some of it may have been spent on general IT with cyber-security as part of the expenditure.

Overall, the audit team was unable to identify precisely how the $200 million in operational costs was used for cyber-security.

“We’re spending enough money today. We have to be smarter with the money we’re spending,” said Tony Busseri, CEO of Toronto-based cyber-security firm Route1.

Ferguson’s report, he said, was “very high-level and (identified) things that should have been implemented a decade ago.”

This year, the government added $31 million for cyber-security to four federal departmental budgets, part of $155 million over five years made public last week. That funding was approved in April, and is in addition to the $90 million over five years the government committed to its cybersecurity strategy in 2010.

That money is supposed to help the Canadian Cyber Incident Response Centre provide information on cyber-threats, but the centre has yet to operate on a 24-7 basis as originally intended, auditors found. The government has committed to expanding hours of operation to 15 hours a day and having someone on call when the centre is closed.

Keeping the centre open 24 hours would allow a central office to evaluate the seriousness of cyber-threats against Canadian systems, to “connect all of the dots” for federal agencies, average Canadians and businesses on cyber-threats, Ferguson said.

Sharing information within the government has been problematic with 11 departments and agencies involved in cyber-security, including the CSE. Sharing information with the private sector has also been slow to materialize.

CHRIS WATTIE/REUTERS: Auditor General Michael Ferguson said Monday Canada’s response to cyber threats has been slow and incomplete, citing bad communication and part-time monitoring as weaknesses.
