Finance Department at risk of big impact cyberattack, say internal documents
An internal analysis released by the federal Finance Department shows threats that were not made public in the department's annual report
OTTAWA – A newly released internal analysis says the federal Finance Department faces a moderate risk of a cyberattack that could deliver a significant blow to its ability to carry out some crucial government operations.
Finance, like other federal departments, publicly discloses a handful of its corporate risks – but a list obtained by The Canadian Press provides a deeper look at the key concerns for 2018-19 that had been left out of the public’s view.
Unlike the public document, the internal analysis gauges both the likelihood and severity for seven corporate risks facing Finance Minister Bill Morneau’s department.
The analysis says given the sensitivity of data under Finance’s control and the prevalence of security incidents in the public and private sectors, there’s a medium risk of a breach or disruption that delivers a significant hit to the department’s reputation and ability to provide policy advice and execute critical government operations.
The internal list, obtained under the Access to Information Act, also features four additional threats that were not made public in the department’s annual report, released in the spring.
They range from the risk the department will be unable to attract and retain skilled staff for key positions, to the lack of a formal, consistent structure to store and manage information.
“Of the seven corporate risks… five are now considered key corporate risks because of their significant risk score (high and medium-high level) and their link to the departmental mandate,” said the document, prepared in late February for deputy finance minister Paul Rochon and restricted to “very limited distribution.”
For each risk, the department laid out strategies to mitigate them.
Departmental systems have been targeted by cyberattacks in the past.
In 2011, assaults crippled computers at the Finance Department and Treasury Board. The attacks were later linked to efforts – possibly originating in China – to gather data on the potential takeover of a Canadian potash company.