OTTAWA—The federal auditor general says the Harper Government has been slow to boot up an effective response to the growing threat of cyber-attacks on crucial systems.
In his newly tabled report, Michael Ferguson says the government has made only limited progress in shoring up vital computer networks and has lagged in building partnerships with other players.
He points out the federal cyber-incident response centre doesn’t even operate around the clock, yet computer-based systems form the backbone for much of Canada’s critical infrastructure, including the energy, finance, telecommunications and manufacturing sectors as well as government information systems.
The report says the shortcomings have left key networks exposed to attack.
Assaults that crippled computer systems at the Finance Department and Treasury Board two years ago have been linked to efforts—possibly originating in China—to gather data on the potential takeover of a Canadian potash company.
Ferguson says the cyber-attack cost taxpayers several million dollars in repairs, overtime and lost productivity and revealed “ongoing vulnerabilities to government systems,” showing that restricted information was being stored on unsafe networks.
The government has acknowledged the dangers lurking in the online world for well over a decade, but a number of key initiatives and programs have fallen short, concludes the report.
The auditor general looked at the activities of 11 federal agencies, including Public Safety, Treasury Board, the RCMP, the Canadian Security Intelligence Service and the Communications Security Establishment, the secretive electronic spy organization that is supposed to help secure systems.
Seven years after the Canadian Cyber Incident Response Centre was created to collect, analyse and share information about threats among various levels of government and the private sector, the centre was still not operating on a 24-hour-a-day, 7-day-a-week basis, as originally intended. Instead, it was shutting down on weekdays at 4 p.m. Ottawa time and closing for the weekend.
In one case in which government systems were targeted by hackers, the centre was not notified by the affected departments until more than a week after the intrusion was detected, a violation of procedure.
Last year, the centre transferred the responsibility for protecting government information to the tech-savvy Communications Security Establishment. It was agreed that the CSE would provide the centre with timely and complete information about threats.
But Ferguson found the CSE was not consistently sharing data because of the “sensitive nature” of the material it collects.
In 2010, the government rolled out a national Cyber Security Strategy, with $90 million in funding over five years and $18 million a year thereafter.
However, Ferguson noted the strategy did not yet have an action plan to guide its implementation. “The lack of a plan makes it difficult to determine whether progress is on schedule and whether its objectives have been met.”
Federal agencies agreed with the auditor’s various recommendations and spelled out plans to implement them.
Last week, on the eve of the report’s release, the government announced an additional $155 million over five years to bolster cyber-security.