Crucial government infrastructure and sensitive information remain vulnerable to cyber-attacks because the country’s online security hub is not equipped to deal with threats around the clock, Canada’s auditor general says in a new report.
Michael Ferguson’s latest audit says the Canadian Cyber Incident Response Centre, created in 2005, only operates between 8 a.m. and 4 p.m. ET and has made limited progress in protecting vital computer networks from cyber-attacks.
“Equally concerning for us was the fact that some of the owners and operators of these critical systems either didn’t know that the response centre existed, or if they did, they weren’t sure what type of information they were supposed to share with it,” Ferguson told Power Play.
After hackers tried to infiltrate computer systems at the Finance Department and Treasury Board in January 2011, it took officials a week to report the incident to the CCIRC, Ferguson said. The cyber-attack, which may have originated in China, cost taxpayers millions of dollars in repairs and lost productivity, Ferguson said in his report.
The attack revealed that sensitive data was being stored on unsafe networks and highlighted "ongoing vulnerabilities to government systems,” the report noted.
When the CCIRC was first established, government officials said it would eventually become a 24/7 operation, but that never happened, Ferguson told Power Play. As a result, the security hub isn’t receiving information on a “timely basis” and threats can be missed.
Often, a single cyber security incident may not seem like a major issue, but when it’s connected to similar events, experts can recognize a serious threat, Ferguson said. It’s crucial that experts are on hand round-the-clock to be able to “connect the dots,” he added.
Last week, Public Safety Minister Vic Toews announced an additional $155 million over five years to shore up protection of federal infrastructure and computer networks against cyber threats. The government has also said it plans to increase CCIRC’s hours to 9 p.m., five days a week.
Last year, the CCIRC transferred the responsibility for protecting government information to the Communications Security Establishment, which is supposed to provide timely information about threats.
But Ferguson said CSE has not been consistent with data sharing because of the classified nature of collected material.
The threat of cyber-attacks is a serious issue because Canada’s critical infrastructure, including the banking system and the energy grid, runs on computer-based systems, Ferguson said.
"Cyber-threats are real, cyber-threats are going to exist and you can't eliminate them," he told a news conference.
"But it's important for the government, in terms of its own systems, to make sure that they understand the types of threats and that they can be in front of them as far as possible. It's something that the government needs to be ever-vigilant about."
Ferguson’s report also found problems in other government sectors, such as National Defence and Veterans Affairs failing to tell injured and sick veterans about their rights to benefits. Ferguson also told Power Play that many injured ex-soldiers are finding it difficult to transition into the workforce once they’ve returned home and that many of them are struggling to navigate the “complex” bureaucracy.
With files from The Canadian Press
