Even bankers no longer observe bankers’ hours. So it is disconcerting to learn from Canada’s Auditor General that employees at a centre in Ottawa responsible for monitoring cyber risks and alerting the government and private sector to threats to critical infrastructure adhere to an 8 a.m. to 4 p.m. weekdays-only routine. Were it only the case that cyber criminals, spies and hackers kept such a predictable schedule.
The Canadian Cyber Incident Response Centre (CCIRC) is so low profile that many businesses are unaware of its very existence. In fact, apparently some federal government departments are too. When hackers traced to China succeeded in penetrating Treasury Board and Finance Canada’s systems in January, 2011, the centre was not even notified by the affected departments until more than a week later, according to the report released Tuesday.
Despite a decade of plans and promises to do better, the report found that only “limited progress” has been made in improving security of crucial networks. Ottawa announced last week it would add $155-million over five years to strengthen the centre’s capacity – and this is welcome news. Last year, it made the Communications Security Establishment Canada officially responsible for reducing cyber threats against the government. Clearly more vigorous safeguards are needed, not least of them an evening shift at the CCIRC, but also better coordination among government agencies, and a higher level of rigour and surveillance around information technology security.
The A-G’s report was released, coincidentally, the same month as details about the trial of Sub-Lieutenant Jeffrey Delisle. The two matters are unrelated except both speak to a blase attitude towards the safeguarding of sensitive information. The naval officer confessed to downloading intelligence files onto a floppy disc, transferring them to a memory stick on a second computer and breezily selling them to the Russian Embassy for $3,000 a month. How could such an unsophisticated security breach go unnoticed for four years inside an intelligence centre in Canadian Forces Base Halifax? “It’s unbelievable,” notes Wesley Wark, a security expert at the University of Toronto. “All the security safeguards broke down.” The two episodes this week portray federal officials as hayseeds when it comes to protecting sensitive information, including that of our allies. Canada needs to do a better job fending off outside attempts to penetrate its networks and understand that cyber espionage can be as serious a problem as terrorism.