After foreign hackers launched a cyber attack on Treasury Board and Finance Canada in January 2011, it took officials more than a week to alert a federal office that’s in charge of spreading the word about the latest intelligence on cyber threats.
Ottawa has always been tight-lipped about the cyber attack, which led the government to shut down Internet access inside key departments for months.
A new report from the Auditor General gives a good sense of why.
Tuesday’s report by Auditor General Michael Ferguson includes a chapter on protecting Canadian critical infrastructure against cyber threats. Critical infrastructure means more than just government departments. It’s pipelines, nuclear power plants, private sector broadcasters and other institutions that could be targeted by hackers.
This chapter focuses on a small office at Public Safety Canada that is supposed to be the country’s nerve centre on cyber security; a hub where information on cyber risks is gathered and shared between government and the private sector.
Created in 2005, the Canadian Cyber Incident Response Centre (CCIRC) has 30 staff in a nondescript Ottawa office building. The problem, according to the Auditor General, is that some in the private sector have never heard of them, other government departments keep them in the dark – and they work government hours.
"These are serious concerns," Mr. Ferguson told reporters Tuesday. He said the government's cyber security centre simply isn't acting as the fast-acting nerve centre that it was intended to be.
"That needs to be fixed," he said.
Even though a nasty piece of malware can wreak havoc in a matter of minutes, CCIRC never became the 24/7 operation Ottawa promised it would be when it was created.
The office opens at 8 a.m. and closes at 4 p.m., Ottawa time. If something comes up after hours, there’s an employee on call who can be reached on a pager.
The federal government, which receives advance copies of the Auditor General’s reports, announced last week that it will spend an additional $155-million over five years on cyber security. The hours of CCIRC will be expanded next month to 15 hours a day, seven days a week.
NDP MP Jack Harris said hackers don't limit their work to 8 to 4 government hours and neither should the federal nerve centre responsible for monitoring cyber attacks.
"I think that's rather disturbing," he said, calling it an example of "clear incompetence."
"If 7-Eleven and Couche-Tard can stay open all night, why can't the Incident Response Centre?" said Liberal public safety critic Francis Scarpaleggia in a statement.
The Auditor General’s office received classified briefings on the 2011 attacks and provides some new detail in the report as to what happened. However, the office agreed to keep a lot of the details secret. For instance, auditors will not confirm that Treasury Board and Finance Canada were attacked, even though it was widely reported at the time that their employees were being denied Internet access because of the attack.
What auditors did find was that as soon as the attack was detected, steps were taken to prevent further damage, such as blocking staff access to the Internet.
Still, auditors found public servants were not prepared for this kind of attack. They were not storing sensitive information properly.
“As a result, some of this sensitive information that was not appropriately protected against unauthorized access was vulnerable to compromise,” states the report, which does not say whether or not sensitive information was stolen.
Though the attack occurred in January 2011, the report says full Internet access inside government was not restored until September 2011.
Overall, the audit report found that over the past decade, plans and promises to improve cyber security have come and gone with little success.
“Despite several past strategies and funding, we found that progress in achieving these commitments has been slow,” it states, adding that there has been more success in implementing the latest cyber security strategy announced in 2010.
Public Safety Canada and Treasury Board responded on behalf of the government and agreed with all of the Auditor General’s recommendations.