October 23, 2012
Feds fumbling response to cyber threats: AG
By Jessica Murphy, Parliamentary Bureau
OTTAWA — The federal government's slow response to rapidly growing cybersecurity threats has left Canada vulnerable to hacker attacks by organized crime, terrorists and foreign states, the auditor general's latest report says.
The report found that despite over a decade of commitments and hundreds of millions of dollars in spending, the government is scrambling to keep up with the threat and has failed to make measurable progress in its ability to defend and protect Canada's critical infrastructure.
That leaves everything vulnerable to hackers, including banking and telecommunications systems, the power grid and government agencies.
"Officials are concerned that cyber threats are evolving faster than the government can keep pace," Auditor General Michael Ferguson said.
Among the problems the auditor highlighted is that the Canadian Cyber Incident Response Centre (CCIRC) — an information hub created in 2005 — is out of the loop and unable to share critical information with governments, the private sector and foreign allies on new cyber threats.
Originally intended to operate around the clock, it's open only during Ottawa business hours, five days a week — a problem when cyber threats are global and attacks can spread rapidly.
The feds have since promised to extend CCIRC's hours, but the centre still won't operate 24 hours a day as recommended.
Federal agencies are also failing to pass critical information to CCIRC, as is Communications Security Establishment Canada, the government's IT intelligence unit.
"You need somebody who will connect all of the dots," Ferguson said of CCIRC.
Some progress has been made since 2010, when the federal government implemented a cybersecurity strategy, but the audit notes a plan to guide its implementation has yet to be written.
Auditors also point out it took a significant — and internationally embarrassing — cyber attack on the Treasury Board and Finance Canada networks in January 2011 to push the feds to take action.
The attack — linked to servers based in China — was an attempt to steal sensitive information. It cost several million dollars and left government workers at those agencies without full Internet access for some eight months.
Public Safety Minister Vic Toews said the government is taking the challenge of building a "robust and resilient system" seriously.
"The dynamic nature of the cyber threat is one thing that governments have had to learn to respond to," he said. "The attacks aren't simply one or two a year. This is on a constant basis."
Last week, the Conservative government announced it is boosting its cybersecurity funding from $90 million to $155 million over five years.