Hackers hit Nova Scotia computer network 5 times last year
Government says no personal information stolen; critics warn system is vulnerable
The provincial computer network in Nova Scotia was attacked by hackers five times last year, a CBC News investigation has learned.
Details on the attacks were provided to CBC News through a Freedom of Information and Protection of Privacy Act.
Sandra Cascadden, the province's Chief Information Officer, said in all five instances the hackers did not make it through the government's firewall.
"There was no access to information as a result of the activities that we shared with you," said Cascadden.
Cascadden said she's not aware of any attacks resulting in the release of personal information. The hackers did, however, create havoc. In several cases, they prompted government sites to send out spam emails. As many as 13 sites were affected in one attack.
The government will not say which sites were breached, but CBC News has learned one of them belonged to the Nova Scotia Pension Agency, which administers public sector pension plans. It has since become the Nova Scotia Pension Services Corporation.
Alan Tottman, the director of information management and technology for the corporation, told CBC News no personal data was kept on the site. The organization is no longer part of the provincial data network.
In another attack known as a dedicated denial of service, the entire government internet was knocked out for 10 minutes in April 2013 after it became clogged with nuisance traffic.
That attack happened when the group known as Anonymous — a network of internet-based activists and hackers — was upset at the government for its handling of the Rehteah Parsons case. The 17-year-old girl took her own life after months of relentless cyberbullying. She told her family she had been raped and then bullied for months.
'How many do they not know about?'
The government won't comment on whether it suspected Anonymous was behind any of the attacks, but one of the emails released to the CBC News suggests the group was at least on the province's radar.
The email has the word Anonymous in the subject line. The rest of the email was redacted.
Travis Barlow, an internet security expert, said the province may not be aware of every attack.
"How many do they not know about? That's my biggest concern because I don't believe there's many provincial governments that have full visibility into what's going on on their networks," he said.
Barlow said government networks are often easy and attractive targets.
"Typically they fall back to the old standard of security: firewalls, antivirus and so forth. They don't go above and beyond that just due to cost," he said.
Summary of attacks:
1. January 17-18, 2013: A public-facing web server was attacked and some government websites sent out attacker-generated spam.
2. January 30, 2013: A similar attack occurred on a smaller scale.
3. April 10, 2013: An even smaller similar attack occurred that was not widely noticed.
4. April 11, 2013: The provincial data network's connection to the internet was attacked. The province's internet connection became clogged with in/out traffic for 10 minutes through a dedicated denial of service attack.
5. April 23, 2013: The provincial data network's connection to the internet was subject to another small dedicated denial of service attack. No malicious traffic got through or disrupted the connection.
Cascadden said the province has set aside money for system upgrades and security safeguards.
"We've actually been able to create that pot of money that will allow us to move faster than if we had to go through a traditional budget cycle," she said.
'Two-factor authentication' urged
Cascadden said on a scale of one to 10, the five attacks rank about a four or five. She said the hackers didn't get close to any personal information.
"One of them is outside of the official government networks. They're in a place where the public can access the service but they're not where the public can access the internal workings of the government networks." she said.
"There are a lot people out there, like I say, who have a lot of time on their hands to try different things to either get access to information or even just to create a nuisance factor for an organization or just to demonstrate they can do something."
Last fall, Auditor General Jacques Lapointe recommended "the Chief Information Office should ensure all computers issued to government employees are configured to encrypt their data."
Barlow said governments should also consider a feature called two-factor authentication. It offers two levels of security — typically a password as well as a random code generated by a device, such as a key fob, which is carried by the employee.
Cascadden said that's something the province is considering.
"We don't have that second factor authentication within the government at this time," she said.
"It provides additional security and it is something we are looking into."