Corp Comm Connects
 
Ottawa warned about its vulnerability to hackers, lack of strategy
Internal documents prepared in the wake of the Heartbleed vulnerability warn that the feds need a widespread government cyber-attack plan

thestar.com
July 31, 2014
By Alex Boutilier

Federal bureaucrats are warning that some departments and agencies lack sufficient network security and that Ottawa needs a more coherent plan to address large-scale cyber attacks, according to internal documents obtained by the Star.

The documents reveal that even as the government accused Chinese-backed hackers of infiltrating the National Research Council’s network on Tuesday, senior bureaucrats warned of deficiencies in Ottawa’s response to threats to federal networks.

The documents - part of a presentation to the chief information officer on Monday — state control of the government’s IT “incident management plan” was too complex, with overlapping roles and unclear “accountabilities.”

The plan is not aligned with the larger Federal Emergency Response Plan, which co-ordinates response efforts between different levels of government and does not include a consideration of “wide-spread government cyber (incidents).”

The documents also suggest a number of departments and agencies are not using the government’s secure network, but are using “unauthorized” Internet connections to conduct their business. It’s not clear how many government institutions are using unauthorized connections.

“In order to maximize protection of (government) systems and information, all corporate Internet access points... should be migrated to (the secured network) by end of fiscal year,” the presentation reads, underlining the proposed timeline for emphasis.

The presentation was prepared in response to Ottawa’s handling of the Heartbleed exploit, a software vulnerability that forced the shutdown of Canada Revenue Agency’s electronic tax filing system in April. Stephen Arthuro Solis-Reyes, a 19-year old computer science student from London, Ont., was arrested on April 15 for allegedly using Heartbleed to obtain the tax information of 900 Canadians.

Two days later, Treasury Board began assembling a working group from multiple law enforcement and government agencies tasked with finding the “lessons learned” from the Heartbleed incident. The group included representatives from Canada’s spy organizations, CSEC and CSIS, as well as the Department of National Defence, the RCMP and Shared Services Canada, Ottawa’s new integrated IT department.

The working group praised parts of the government’s response - including “good teamwork” between agencies and a timely response from CRA - but identified a number of deficiencies.

The Star requested an interview with Treasury Board officials on the vulnerabilities detailed in the working group’s presentation. In response, the department sent a written statement describing the document.

“The Government of Canada has robust systems and tools in place to monitor, detect and investigate potential threats and takes decisive measures to address and neutralize them,” wrote Kelly James, a spokeswoman for the department.

On Tuesday, the federal government accused the Chinese government of sponsoring hackers that were able to infiltrate the network at the National Research Council of Canada (NRC), one of the federal government’s research and development arms. Chinese officials have flatly denied the allegations.

NRC has refused to divulge details about the nature of the attack, what the hackers were able to find. But the incident has once again brought Canada’s information security measures into the headlines.

“Either this is an almost unsolvable problem, or the government has a pretty blase approach to it,” Liberal deputy leader Ralph Goodale said Wednesday.

“(Prime Minister Stephen) Harper has constantly said don’t worry, Canadians are safe. That’s been his line... This rhetoric is one thing, about getting tough and doing everything they can and protecting Canadians against cyber threats and so forth, but they don’t seem to quite get around to it.”

Goodale pointed to the 2012 report from the auditor general, which found that despite the “lessons learned” exercises in the wake of January 2011 hacks to government systems - also allegedly connected to China - federal systems remained vulnerable.

Under the banner of Shared Services Canada, Ottawa has hoped to change that by bringing all departments and agencies under a unified, more secure network. But documents released by the Ottawa Citizen on Wednesday show Shared Services having a difficult time bringing institutions on board - particularly science and research organizations, such as NRC.

The Citizen reported that national security and science organizations - in addition to being some of the most complex IT infrastructures in government - are “very cautious” in partnering with Shared Services.

Debi Daviau, the president of the Professional Institute of the Public Service of Canada, said Shared Services had been working at NRC for about a month before the attack.

“I can’t tell you this is related to Shared Services and ongoing outsourcing initiatives, but I can tell you that Shared Services has been in NRC for about a month or so and the timing is certainly suspect,” Daviau said Tuesday.

NRC refused to respond to questions Wednesday.