Auditor General's Report - Cyber

Auditor General's Report - Cyber

It’s that time of the year again and the nice folks at the Auditor General’s Office have brought out their report on Protecting Canadian Critical Infrastructure Against Cyber Threats. This is a rather fascinating 36 page read and a serious condemnation of the work done by the federal government on four areas relating to the protection of critical infrastructure and cyber security.

From the report:

  • Between 2001 and 2009, the government made limited progress in its efforts to lead and coordinate the protection of Canada’s critical infrastructure from cyber threats as these threats were rapidly evolving. During this time, the government released several strategies and policies with recurring commitments and funding.
  • Since 2010, with the announcement of the Cyber Security Strategy and of the National strategy and action plan for critical infrastructure, the government has made progress in securing its systems against cyber threats, in improving communications, and in building partnerships with owners and operators of critical infrastructure.
  • Eleven years after the government said it would establish partnerships with other levels of government and with critical infrastructure owners and operators to help protect Canada’s critical infrastructure, not all of the sector networks that facilitate these partnerships are fully established, and coverage is incomplete. This lack of progress limits Public Safety Canada’s ability to communicate with critical infrastructure owners and operators.
  • Seven years after the Canadian Cyber Incident Response Centre (CCIRC) was created to collect, analyze, and share cyber threat information among federal departments, provincial and territorial governments, and the private sector, many stakeholders are still unclear about the Centre’s role and mandate. As a result, the CCIRC cannot fully monitor Canada’s cyber threat environment, which hinders the Centre’s ability to provide timely advice on defending against new cyber threats. Furthermore, the Centre is still not operating on a 24-hour-a-day, 7-day-a-week basis, as originally intended. This restriction on operating hours can delay the detection of emerging threats and the sharing of related information among stakeholders.
  • The January 2011 intrusion on government systems identified weaknesses in protecting these systems. Incidents were not reported in a timely manner and cyber threat information was not properly shared with appropriate agencies. Also, good information technology (IT) security practices, such as how to store sensitive information, were not consistently followed. Lead security agencies are taking action by updating the government’s IT Incident Management Plan to clarify the roles and responsibilities of lead security agencies and to address the need for timely reporting of incidents. The government has allocated more funds to bolster its capacity to detect cyber threats, and is working to increase awareness of best practices for IT security across the government.
  • The entities have responded. The entities agree with all of the recommendations. Their detailed responses follow the recommendations throughout the chapter.

Each of these points taken alone is a crushing blow, together, they list nothing other than a complete failure.

And the response of the three main government agencies involved (CSIS, CSEC, Public Safety) amounts to “Oops, you caught us. We’ll have an answer for you in another year.”

It’s worth noting that the current leader of Public Safety Canada is Vic Toews. The same Vic Toews who sponsored the lawful access bill C-30 “The Protecting Children from Internet Predators Act” way back in February of 2012 and gave us a number of brilliant memes:

Because there is little reason to believe the Minister of Public Safety is capable of understanding the portfolio or doing anything even approaching useful with regards to the findings of the Auditor General, the Minister of Public Safety himself has made clear that Ben Sapiro’s call for a national CERT in July remains truly necessary despite the commitment of the government to spend an additional $13 million over the next 5 years to increase the coverage of the CCIRC from a 40 hour work week to 15 hours a day, 7 days a week.

If the government is going to spend $2.6 million to get 5460 hours of CCIRC coverage (that’s $476/hour) with the limited scope of the CCIRC, I’d like to see what an open community based organization like OpenCERT Canada could do with only $297/hour to provide full 24/7 coverage.

I’ll let you decide.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.