Bugs plague response to cyber-attacks: auditor

The federal government has been slow to boot up an effective response to the rapidly growing threat of cyber-attacks on crucial systems, says Canada’s auditor general. In his newly tabled report, Michael Ferguson reveals the government has made only limited progress in shoring up vital computer networks and has lagged in building partnerships with other players.

OTTAWA — The federal government has been slow to boot up an effective response to the rapidly growing threat of cyber-attacks on crucial systems, says Canada’s auditor general.

In his newly tabled report, Michael Ferguson reveals the government has made only limited progress in shoring up vital computer networks and has lagged in building partnerships with other players.

Ferguson points out the federal cyber-incident response centre doesn’t even operate around the clock.

The report says the shortcomings have left key networks — such as the one that ensures employment insurance benefits are delivered on time — exposed to attack.

Assaults that crippled computer systems at the Finance Department and Treasury Board in January 2011 have been linked to efforts — possibly originating in China — to gather data on the potential takeover of a Canadian potash company.

Ferguson says the cyber-attack cost taxpayers “several million dollars” in repairs, overtime and lost productivity.

A lessons-learned exercise after the intrusion revealed “ongoing vulnerabilities to government systems” and showed that restricted information was being stored on unsafe networks, adds his report.

Officials told the auditor general that the threat from malicious hackers was evolving more quickly than the government’s ability to keep pace.

Ferguson says the issue is important because computer-based systems form the backbone for much of Canada’s critical infrastructure, including the energy, finance, telecommunications and manufacturing sectors as well as government information systems.

“Cyber-threats are real, cyber-threats are going to exist and you can’t eliminate them,” he told a news conference.

“But it’s important for the government, in terms of its own systems, to make sure that they understand the types of threats and that they can be in front of them as far as possible.

“It’s something that the government needs to be ever-vigilant about.”

The government has acknowledged the dangers lurking in the online world for well over a decade, but a number of key initiatives and programs have fallen short, concludes the report.

Elsewhere in Tuesday’s report, Ferguson found:

— National Defence and Veterans Affairs failed to inform injured ex-soldiers about their rights to benefits.

— Finance Canada has not published long-term projections of the effect of budget decisions on government revenues and debt.

— Planned changes to the old age security system will save government about $10 billion a year by the time they’re fully implemented in 2029, the first time any such projection has been released.

— National Defence is falling perilously behind in the maintenance of its properties, including failures to meet fire-code regulations.

But the problems with cyber-security were the centrepiece of Ferguson’s fall report to Parliament.

The auditor general looked at the activities of 11 federal agencies, including Public Safety, Treasury Board, the RCMP, the Canadian Security Intelligence Service and the Communications Security Establishment, the secretive electronic spy organization that is supposed to help secure systems.

Seven years after the Canadian Cyber Incident Response Centre was created to collect, analyse and share information about threats among various levels of government and the private sector, many were “still unclear” about the centre’s role and mandate, says the report.

“Some private sector critical infrastructure owners and operators that we interviewed told us they were not sure whether cyber events should be reported to the Government of Canada and, if so, to which agency.”

As a result, the centre “cannot fully monitor” Canada’s cyber-threat environment, hampering its ability to provide timely advice.

Further, the centre was still not operating on a 24-hour-a-day, 7-day-a-week basis, as originally intended, shutting down weekdays at 4 p.m. Ottawa time and closing for the weekend.

The government plans to extend those hours to 9 p.m., seven days a week, but not round-the-clock.

Liberal public safety critic Francis Scarpaleggia wondered why convenience stores can stay open all night but not the government’s cyber incident centre. “This Conservative government is recklessly ill-prepared to protect sensitive information from cyber security threats,” he said in a statement.

In one case in which government systems were targeted by hackers, the centre was not notified by the affected departments until more than a week after the intrusion was detected, a violation of procedure.

Last year, the centre transferred the responsibility for protecting government information to the tech-savvy Communications Security Establishment. It was agreed that the CSE would provide the centre with timely and complete information about threats.

But Ferguson found the CSE was not consistently sharing data because of the classified nature of the material it collects.

In addition, 11 years after the government said it would establish partnerships with other levels of government and operators of essential grids and systems, not all of the relationships were fully up and running.

In 2010, the government rolled out a national Cyber Security Strategy, with $90 million in funding over five years and $18 million a year thereafter.

However, Ferguson noted the strategy did not yet have an action plan to guide its implementation. “The lack of a plan makes it difficult to determine whether progress is on schedule and whether its objectives have been met.”

Federal agencies agreed with the auditor’s various recommendations on digital security and spelled out plans to implement them.

Last week, on the eve of the report’s release, the government announced an additional $155 million over five years to bolster cyber-security.

New Democrat MP Jack Harris said Tuesday that Public Safety Minister Vic Toews has been scaremongering about cyber-threats but hasn’t backed it up with action. “Announcements about money don’t matter if you don’t have an action plan.”

Government and private-sector systems are attacked by hackers, organized crime and state actors on a “constant basis,” said Toews.

The challenge is in fact to create a robust and resilient system that responds to those threats, he added.

“I think we are making tremendous progress.”

Just Posted

Former Central Alberta MLA appealing fine for not protecting a list of 20,000 electors

List included names and addresses of voters in Rimbey-Rocky Mountain House-Sundre

Red Deer beginning two major construction projects

Ross Street’s 1935-era water main to be replaced and 67th Street roundabout landscaped

Lacombe firefighters on moose duty

Unfortunately, injured moose had to be put down by Fish and Wildlife officer

UPDATED: Spring craft sale attracts shoppers

Over 150 artisans at Red Deer craft sale

RCMP searching for man who may be armed

Citizens should not approach James Holley if spotted, says police.

WATCH: Fine wine and food at Red Deer College

The Red Deer College Alumni Association hosted its 14th annual Fine Wine… Continue reading

Doctors warn of cannabis risks for pregnant or breastfeeding users

OTTAWA — The Society of Obstetricians and Gynecologists is warning pregnant and… Continue reading

Avicii, DJ-producer who performed around the world, dies

NEW YORK — Avicii, the Grammy-nominated electronic dance DJ who performed sold-out… Continue reading

Red Deer filmmakers are among 2018 Rosie Awards nominees

Cache Productions, Ignition Films in the running for AMPIA Awards

Audit clears Facebook despite Cambridge Analytica leaks

NEW YORK — An audit of Facebook’s privacy practices for the Federal… Continue reading

Marijuana sector firms get marketing pushback as legalization looms

TORONTO — Some Canadian marijuana sector companies are getting pushback against their… Continue reading

Red Deer volleyball player Samantha Gagnon named athlete of the month

A high school volleyball player has been named the Alberta Sport Development… Continue reading

Sarah Jessica Parker calls Cynthia Nixon’s run ‘exciting’

NEW YORK — Cynthia Nixon’s quest for the governorship of New York… Continue reading

Lawyers for Russian player say FIFA ends anti-doping case

By Graham Dunbar THE ASSOCIATED PRESS GENEVA — Lawyers for Russia defender… Continue reading

Most Read

Five-day delivery plus unlimited digital access for $185 for 260 issues (must live in delivery area to qualify) Unlimited Digital Access 99 cents for the first four weeks and then only $15 per month Five-day delivery plus unlimited digital access for $15 a month