.Corp Comm Connects

Finance Department at risk of big-impact cyberattack: internal documents

Theglobeandmail.com
July 10, 2018
Andy Blatchford

The federal Finance Department is facing a medium risk of a cyberattack that could deliver a significant blow to its ability to carry out some crucial government operations, says a newly released internal analysis.

Finance, like other federal departments, publicly discloses a handful of its corporate risks – but a list obtained by The Canadian Press provides a deeper look at the key concerns for 2018-19 that had been left out of the public’s view.

Unlike the public report, the internal analysis gauges both the likelihood and severity for seven risks facing Finance Minister Bill Morneau’s department.

“Of the seven corporate risks... five are now considered key corporate risks because of their significant risk score (high and medium-high level) and their link to the departmental mandate,” said the document, prepared in late February for deputy finance minister Paul Rochon and restricted to “very limited distribution.”

The information and accompanying briefing note were obtained under the Access to Information Act.

The analysis says given the sensitivity of data under Finance’s control and the prevalence of security incidents in the public and private sectors, there’s a “medium” likelihood of a breach or disruption with a “significant” impact. Such an event would affect the department’s “capability to provide policy options and advice and to execute critical government operations,” it said.

Departmental systems have been targeted by cyberattacks in the past.

In 2011, assaults crippled computers at the Finance Department and Treasury Board. The attacks were later linked to efforts – possibly originating in China – to gather data on the potential takeover of a Canadian potash company.

To address each risk, the department laid out mitigation strategies. For instance, its plan to boost IT security includes specific measures such as more collaboration with Shared Services Canada, the agency responsible for the centralized federal e-mail system and data consolidation.

In an e-mail Tuesday, department spokesman Jack Aubry said Finance has taken several steps to improve cybersecurity, including segregating the IT network that holds budget information, making changes to ensure the safe exchange of sensitive information within government and raising awareness of security issues.

Finance’s IT infrastructure is overseen by Shared Services Canada, Aubry added.

“Threats in cyberspace are complex and rapidly evolving; now more than ever, cybersecurity is of paramount importance,” he said. “Evolving cyberthreats to IT security require constant vigilance and continue to be rigorously monitored.”

The internal list of risks also features four additional threats that were not made public in the spring. Here’s a rundown of corporate risks that didn’t make the cut, and their ratings:

These risks come in addition to the three that were flagged publicly by the Finance Department in the spring. Here are the previously released risks and their ratings, which were contained in the internal document: