10/25/12

Canada falling behind on cyber-security, auditor general finds


BY JORDAN PRESS, POSTMEDIA NEWS OCTOBER 23, 2012

OTTAWA - The federal government's ability to protect its own networks and critical infrastructure from cyber-threats was laid bare Tuesday, after Canada's auditor general pointed out holes in the country's cyber-security strategy, despite more than a decade of work and almost $1 billion spent.

The audit put a renewed focus on cyber-security at the federal level at a time when governments around the world continue to face cyber-based attacks. With more of the government's business going online, critics argued the report showed how far behind the government was on cyber-security, with officials telling auditors they feared "the cyber threat environment is evolving more rapidly than the government's ability to keep pace."

Governments are starting to understand the nature of the threat they face, said one cyber-security expert, but still had a way to go to prove it could keep sensitive information secure, which it couldn't in a January 2011 cyber-attack on Treasury Board and Department of Finance systems.

"What people are starting to realize now is that you have to be prepared for a compromise," said Nart Villeneuve, a senior threat researcher with TrendMicro. "You have to have a plan in place because (hacks) probably will happen. In addition to technology, those things are key. Technology is important, but it's not something you can plug in and forget about."

The government's two-year-old plan to protect its systems needed plugging of its own after Auditor General Michael Ferguson found that federal departments and agencies are slow or loath to share information, while businesses don't know they should report hacks to the government, or they don't trust the government to protect sensitive information about security compromises.

Departments have also lost track of how $980 million in approved spending was spent on cyber-security over the past decade, and there are no benchmarks to determine whether the money spent is having its intended effect.

Also missing is a detailed plan that lays out who is responsible for what in terms of keeping federal systems safe, and helping to secure vast private networks that control the country's telephone, banking and transportation systems. Combined, it impedes the government's ability to protect its own systems from cyber-threats, and help Canadians protect the critical infrastructure that runs the country, according to the audit.

"The only time you have a 100 per cent secure system is when you have a system with no users," Ferguson said Tuesday, shortly after the release of his fall report. "That's the case when you're dealing with cyber-threats. You can't eliminate it, but it's important for the government, in terms of its own systems, to make sure that they understand the types of threats and that they can be in front of them as far as possible or at least be trying not to lose ground."
www.vancouversun.com/story_print.html?id=7432490&sponsor=


Keeping up with ever-changing and never-ending cyber-attacks requires the government to act as a clearinghouse for Canadians and the private sector, Ferguson said, but it has yet to fully meet that mandate, leaving gaps in knowledge about cyber-security.

For instance, it took more than a week before the government's cyber incident response centre learned of a successful cyber-attack against Treasury Board and Department of Finance systems in January 2011, a violation of protocols.

The government said Tuesday it planned to improve communication and have a clear plan laying out roles and responsibilities, although it didn't say whether that plan would be made public. The previous plan, drafted about two years ago, was never publicly released because of security concerns, adding to the confusion that has dogged the government's approach to cyber-security.

The audit only looked at the threats against critical infrastructure, which U.S. Secretary of Defense Leon Panetta said could lead to a "cyber Pearl Harbor" with catastrophic consequences for the United States, and didn't specifically review defenses against cyber-espionage.

Public Safety Minister Vic Toews said Canada faces cyber-threats from hackers working on their own, for criminal organizations or other nations, although the government was unable to tell auditors how threats have changed.

"What I do know is that the threats are constant, that the infrastructure our government is creating is responding to these threats is, I think, moving in the right direction," Toews said. "At this point I can say that I don't see that abating in any way."

In the last decade, about $980 million in spending was approved for 13 departments that asked for money for cyber-security. Of that, $780 million was for one-time requests from departments, with a further $200 million set aside for ongoing costs. Where the money went isn't clear.

The audit said $570 million had gone to the Communications Security Establishment (CSE), the super-secret agency charged with protecting key government systems from online threats, but that money was for a variety of programs, including cyber-security. Overall, the audit team was unable to identify precisely how the $200 million in operational costs was used for cyber-security.

And of the remaining $210 million, only about $20.9 million was directed towards cyber-security between 2001 and 2011, meaning about $190 million couldn't be accounted for under the cyber-security umbrella itself; for example, some of it may have been spent on general IT with cyber-security being part of the expenditure.

"We're spending enough money today. We have to be smarter with the money we're spending," said Tony Busseri, CEO of Toronto-based cyber-security firm Route1. Ferguson's report, he said, was "very high level and (identified) things that should have been implemented a decade ago. We're not putting up the defences and following through."


This year, the government added $31 million for cyber-security to four departmental budgets, part of $155 million over five years made public last week. That funding was approved in April, and is in addition to the $90 million over five years the government committed to its cyber-security strategy in 2010.

That money is supposed to help the Canadian Cyber Incident Response Centre provide information on cyber-threats, but the centre has yet to operate on a 24/7 basis as originally intended, auditors found. The government has committed to expanding hours of operation to 15 hours a day and to having someone on call when the centre is closed.

Keeping the centre open 24 hours would allow a central office to evaluate the seriousness of cyber-threats against Canadian systems, to connect all of the dots for federal agencies, average Canadians and businesses on cyber-threats, Ferguson said.

"It's important to have one place that can then take all of that information, figure out whether the threat is greater than the sum of the incidents," Ferguson said. "Really, the government's role in this is not to be the ones that actually protect each and every piece of infrastructure; their role is to be that information clearinghouse."

Sharing information within the government has been problematic with 11 departments and agencies involved in cyber-security, including the CSE, which for security concerns hasn't been sharing information with the cyber incident response centre. That is expected to change by the end of November.

Sharing information with the private sector has also been slow to materialize. The government identified 10 industry sectors as being at high risk of cyber-attacks, such as energy, telecommunications and finance, and intends to share information and best practices with them. Auditors found that six of the sector working groups had incomplete memberships and only half had talked about cyber-security.

"The government's approach to implementing its Cyber Security Strategy was to use sector networks with critical infrastructure owners and operators to build the partnerships needed to secure systems," auditors wrote. "However, since sector networks are only now starting to develop and are incomplete in coverage, one of the principal mechanisms for implementing the Cyber Security Strategy has been missing."
Copyright (c) Postmedia News
