10/25/12

Canada falling behind on cyber-security, auditor general finds
BY JORDAN PRESS, POSTMEDIA NEWS OCTOBER 23, 2012

OTTAWA — The federal government’s ability to protect its own networks and critical infrastructure from cyber-threats was laid bare Tuesday, after Canada’s auditor general pointed out holes in the country’s cyber-security strategy, despite more than a decade of work and almost $1 billion spent.

The audit put a renewed focus on cyber-security at the federal level at a time when governments around the world continue to face cyber-based attacks. With more of the government’s business going online, critics argued the report showed how far behind the government was on cyber-security, with officials telling auditors they feared the “cyber threat environment is evolving more rapidly than the government’s ability to keep pace.”

Governments are “starting to understand the nature of the threat” they face, said one cyber-security expert, but still had a way to go to prove it could keep sensitive information secure, which it couldn’t in a January 2011 cyber-attack on Treasury Board and Department of Finance systems.

“What people are starting to realize now is that you have to be prepared for a compromise,” said Nart Villeneuve, a senior threat researcher with TrendMicro. “You have to have a plan in place because (hacks) probably will happen. In addition to technology, those things are key. Technology is important, but it’s not something you can plug in and forget about.”

The government’s two-year-old plan to protect its systems needed plugging of its own after Auditor General Michael Ferguson found that federal departments and agencies are slow or loath to share information, while businesses don’t know they should report hacks to the government, or they don’t trust the government to protect sensitive information about security compromises.

Departments have also lost track of how $980 million in approved spending was spent on cyber-security over the past decade, nor are there any benchmarks to determine whether the money spent is having its intended effect.
Also missing is a detailed plan that lays out who is responsible for what in terms of keeping federal systems safe, and helping to secure vast private networks that control the country’s telephone, banking and transportation systems.

Combined, it impedes the government’s ability to protect its own systems from cyber-threats, and help Canadians protect the critical infrastructure that runs the country, according to the audit.

“The only time you have a 100 per cent secure system is when you have a system with no users,” Ferguson said Tuesday, shortly after the release of his fall report. “That’s the case when you’re dealing with cyber-threats. You can’t eliminate it, but it’s important for the government, in terms of its own systems, to make sure that they understand the types of threats and that they can be in front of them as far as possible or at least be trying not to lose ground.”
www.vancouversun.com/story_print.html?id=7432490&sponsor=

CEO of Toronto-based cyber-security firm Route1. Public Safety Minister Vic Toews said Canada faces cyber-threats from hackers working on their own.v ancouv ersun. but it has yet to fully meet that mandate. the super-secret agency charged with protecting key government systems from online threats.html?id=7432490&sponsor= 2/3 . for example.” In the last decade. it took more than a week before the government’s cyber incident response centre learned of a successful cyber-attack against Treasury Board and Department of Finance systems in January 2011. And of the remaining $210 million. For instance.” www.10/25/12 Canada f alling behind on cy ber-security . Ferguson’s report. for criminal organizations or other nations. Overall. although the government was unable to tell auditors how threats have changed. was “very high level and (identified) things that should have been implemented a decade ago. but that money was for a variety of programs. although it didn’t say whether that plan would be made public. a violation of protocols. about $980 million in spending was approved for 13 departments that asked for money for cyber-security. The previous plan.” Toews said. including cyber-security. The audit said $570 million had gone to the Communications Security Establishment (CSE). drafted about two years ago. the audit team was unable to identify precisely how the $200 million in operational costs was used for cyber-security. We have to be smarter with the money we’re spending. adding to the confusion that has dogged the government’s approach to cyber-security. was never publicly released because of security concerns. Secretary of Defense Leon Panetta said could lead to a “cyber Pearl Harbor” with catastrophic consequences for the United States. Ferguson said. that the infrastructure our government is creating is responding to these threats is I think moving in the right direction.com/story _print. which U. Where the money went isn’t clear. 
The government said Tuesday it planned to improve communication and have a clear plan laying out roles and responsibilities. $780 million were for one-time requests from departments with a further $200 million set aside for ongoing costs. some of it may have been spent on general IT with cyber-security being part of the expenditure.9 million was directed towards cyber-security between 2001 and 2011 — meaning about $190 million couldn’t be accounted for under the cyber-security umbrella itself.” said Tony Busseri. auditor general f inds Keeping up with ever-changing and never-ending cyber-attacks requires the government to act as a “clearinghouse” for Canadians and the private sector.” “We’re not putting up the defences and following through. “What I do know is that the threats are constant. The audit only looked at the threats against critical infrastructure.S. he said. and didn’t specifically review defenses against cyber-espionage. leaving gaps in knowledge about cyber-security. only about $20. Of that. “At this point I can say that I don’t see that abating in any way. “We’re spending enough money today.

to “connect all of the dots” for federal agencies.com/story _print. auditors found.v ancouv ersun.10/25/12 Canada f alling behind on cy ber-security . That funding was approved in April. “The government’s approach to implementing its Cyber Security Strategy was to use sector networks with critical infrastructure owners and operators to build the partnerships needed to secure systems. telecommunications and finance. The government has committed to expanding hours of operation to 15 hours a day and have someone on call when the centre is closed.” © Copyright (c) Postmedia News www. Keeping the centre open 24 hours would allow a central office to evaluate the seriousness of cyberthreats against Canadian systems. part of $155 million over five years made public last week. “However. “Really. figure out whether the threat is greater than the sum of the incidents. That money is supposed to help the Canadian Cyber Incident Response Centre provide information on cyber-threats. since sector networks are only now starting to develop and are incomplete in coverage. and is in addition to the $90 million over five years the government committed to its cyber-security strategy in 2010. one of the principal mechanisms for implementing the Cyber Security Strategy has been missing. “It’s important to have one place that can then take all of that information. average Canadians and businesses on cyber-threats. which for security concerns hasn’t been sharing information with the cyber incident response centre. and intends to share information and best practices with them. the government added $31 million for cyber-security to four departmental budgets. including the CSE. That is expected to change by the end of November. auditor general f inds This year. Sharing information with the private sector has also been slow to materialize.html?id=7432490&sponsor= 3/3 .” Sharing information within the government has been problematic with so 11 departments and agencies involved in cyber-security. 
the government’s role in this is not to be the ones that actually protect each and every piece of infrastructure — their role is to be that information clearinghouse. Ferguson said.” auditors wrote. but the centre has yet to operate on a 24/7 basis as originally intended.” Ferguson said. such as energy. The government identified 10 industry sectors as being at high risk of cyber-attacks. Auditors found that six of the sector working groups had incomplete memberships and only half had talked about cyber-security.