It’s that time of the year again and the nice folks at the Auditor General’s Office have brought out their report on Protecting Canadian Critical Infrastructure Against Cyber Threats. This is a rather fascinating 36-page read and a serious condemnation of the federal government’s work in four areas relating to the protection of critical infrastructure and cyber security.
From the report:
- Between 2001 and 2009, the government made limited progress in its efforts to lead and coordinate the protection of Canada’s critical infrastructure from cyber threats as these threats were rapidly evolving. During this time, the government released several strategies and policies with recurring commitments and funding.
- Since 2010, with the announcement of the Cyber Security Strategy and of the National Strategy and Action Plan for Critical Infrastructure, the government has made progress in securing its systems against cyber threats, in improving communications, and in building partnerships with owners and operators of critical infrastructure.
- Eleven years after the government said it would establish partnerships with other levels of government and with critical infrastructure owners and operators to help protect Canada’s critical infrastructure, not all of the sector networks that facilitate these partnerships are fully established, and coverage is incomplete. This lack of progress limits Public Safety Canada’s ability to communicate with critical infrastructure owners and operators.
- Seven years after the Canadian Cyber Incident Response Centre (CCIRC) was created to collect, analyze, and share cyber threat information among federal departments, provincial and territorial governments, and the private sector, many stakeholders are still unclear about the Centre’s role and mandate. As a result, the CCIRC cannot fully monitor Canada’s cyber threat environment, which hinders the Centre’s ability to provide timely advice on defending against new cyber threats. Furthermore, the Centre is still not operating on a 24-hour-a-day, 7-day-a-week basis, as originally intended. This restriction on operating hours can delay the detection of emerging threats and the sharing of related information among stakeholders.
- The January 2011 intrusion on government systems identified weaknesses in protecting these systems. Incidents were not reported in a timely manner and cyber threat information was not properly shared with appropriate agencies. Also, good information technology (IT) security practices, such as how to store sensitive information, were not consistently followed. Lead security agencies are taking action by updating the government’s IT Incident Management Plan to clarify the roles and responsibilities of lead security agencies and to address the need for timely reporting of incidents. The government has allocated more funds to bolster its capacity to detect cyber threats, and is working to increase awareness of best practices for IT security across the government.
- The entities have responded. The entities agree with all of the recommendations. Their detailed responses follow the recommendations throughout the chapter.
Each of these points taken alone is a crushing blow; taken together, they describe nothing short of a complete failure.
And the response of the three main government agencies involved (CSIS, CSEC, Public Safety) amounts to “Oops, you caught us. We’ll have an answer for you in another year.”
It’s worth noting that the current leader of Public Safety Canada is Vic Toews. The same Vic Toews who sponsored the lawful access bill C-30 “The Protecting Children from Internet Predators Act” way back in February of 2012 and gave us a number of brilliant memes:
- Starting with the name: despite being called the “Protecting Children from Internet Predators Act”, the bill has nothing else to say about children or internet predators, and instead covers all criminal uses of electronic communications.
- During Question Period on February 13, 2012, Vic Toews responded to Liberal MP Francis Scarpaleggia’s concerns about the proposed legislation with this wonderful quote: “He can either stand with us or with the child pornographers.”
- He then attempted to parse his words during an interview with CTV.
- When that wouldn’t work, he just went straight to denying his own words during an interview with the CBC.
- The public response to Vic Toews was best summarized in the #TellVicEverything online protest.
- During another discussion in Parliament, an opposition member (Charlie Angus, NDP) made the point that Vic Toews changed the name of the bill after there was such public outrage against the bill.
- And just when you thought that incompetence knows no bounds in the magical land of the Public Safety Ministry, Vic Toews publicly admits that he is not familiar with the content of the bill.
Since there is little reason to believe the Minister of Public Safety understands the portfolio, or will do anything even approaching useful with the Auditor General’s findings, the Minister himself has made the case that Ben Sapiro’s July call for a national CERT remains truly necessary. That holds despite the government’s commitment to spend an additional $13 million over the next five years to extend CCIRC coverage from a 40-hour work week to 15 hours a day, 7 days a week.
That $13 million works out to $2.6 million a year. Fifteen hours a day, seven days a week, is 5,460 hours of coverage a year, so the government is paying roughly $476 per hour for the limited scope of the CCIRC. Full 24/7 coverage is 8,760 hours a year; the same $2.6 million spread over those hours is about $297 per hour. I’d like to see what an open, community-based organization like OpenCERT Canada could do with $297 an hour to provide full 24/7 coverage.
I’ll let you decide.