Skip to main content

Serious flaws in Ottawa’s defence against cyber attacks: auditor general

Canada's Auditor General Michael Ferguson speaks during a news conference on the release of his report in Ottawa October 23, 2012.

Chris Wattie/REUTERS

After foreign hackers launched a cyber attack on Treasury Board and Finance Canada in January 2011, it took officials more than a week to alert a federal office that's in charge of spreading the word about the latest intelligence on cyber threats.

Ottawa has always been tight-lipped about the cyber attack, which led the government to shut down Internet access inside key departments for months.

A new report from the Auditor General gives a good sense of why.

Story continues below advertisement

Tuesday's report by Auditor General Michael Ferguson includes a chapter on protecting Canadian critical infrastructure against cyber threats. Critical infrastructure means more than just government departments. It's pipelines, nuclear power plants, private sector broadcasters and other institutions that could be targeted by hackers.

This chapter focuses on a small office at Public Safety Canada that is supposed to be the country's nerve centre on cyber security; a hub where information on cyber risks is gathered and shared between government and the private sector.

Created in 2005, the Canadian Cyber Incident Response Centre (CCIRC) has 30 staff in a nondescript Ottawa office building. The problem, according to the Auditor General, is some in the private sector have never heard of them, other government departments keep them in the dark – and they work government hours.

"These are serious concerns," Mr. Ferguson told reporters Tuesday, who said the government's cyber security centre simply isn't acting as the fast-acting nerve centre that it was intended to be.

"That needs to be fixed," he said.

Even though a nasty piece of malware can wreak havoc in a matter of minutes, CCIRC never became the 24/7 operation Ottawa promised it would be when it was created.

The office opens at 8 a.m. and closes at 4 p.m., Ottawa time. If something comes up after hours, there's an employee on call who can be reached on a pager.

Story continues below advertisement

The federal government, which receives advance copies of Auditor General's reports, announced last week that it will spend an additional $155-million over five years on cyber security. The hours of CCIRC will be expanded next month to 15 hours a day, seven days a week.

NDP MP Jack Harris said hackers don't limit their work to 8 to 4 government hours and neither should the federal nerve centre responsible for monitoring cyber attacks.

"I think that's rather disturbing," he said, calling it an example of "clear incompetence."

"If 7-Eleven and Couche-Tard can stay open all night, why can't the Incident Response Centre?" said Liberal public safety critic Francis Scarpaleggia in a statement.

The Auditor General's office received classified briefings on the 2011 attacks and provides some new detail in the report as to what happened. However the office agreed to keep a lot of the details secret. For instance, auditors will not confirm that Treasury Board and Finance Canada were attacked, even though it was widely reported at the time that their employees were being denied Internet access because of the attack.

What auditors did find was that as soon as the attack was detected, steps were taken to prevent further damage, such as blocking staff access to the Internet.

Story continues below advertisement

Still, auditors found public servants were not prepared for this kind of attack. They were not storing sensitive information properly.

"As a result, some of this sensitive information that was not appropriately protected against unauthorized access was vulnerable to compromise," states the report, which does not say whether or not sensitive information was stolen.

Though the attack occurred in January 2011, the report says full Internet access inside government was not restored until September 2011.

Overall, the audit report found that over the past decade, plans and promises to improve cyber security have come and gone with little success.

"Despite several past strategies and funding, we found that progress in achieving these commitments has been slow," it states, adding that there has been more success in implementing the latest cyber security strategy announced in 2010.

Public Safety Canada and Treasury Board responded on behalf of the government and agreed with all of the Auditor General's recommendations.

Report an error Editorial code of conduct
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

Cannabis pro newsletter