Canada needs to address risks of aging IT to fend off threats that come with digital government

Requiring all departments to do a detailed cybersecurity analysis would help address the reality that while digital government has big potential benefits, it also paints a bigger target on Canada's aging federal IT systems, writes Alexander Rudolph.

A comprehensive cybersecurity analysis would help government identify vulnerabilities of aging systems

Prime Minister Justin Trudeau poses with Joyce Murray after she was sworn-in as Canada's Minister of Digital Government during a cabinet shuffle in Ottawa on March 18, 2019. The government has been warned about the poor state of some of its aging computer systems. (Chris Wattie/Reuters)

This column is an opinion by Alexander Rudolph, a PhD student in the Department of Political Science at Carleton University where he researches cyberdefence and cyberwarfare. Outside of his research, he also works as an independent consultant and policy analyst. For more information about CBC's Opinion section, please see the FAQ.

Official documents recently obtained by The Canadian Press describe "mission-critical" Government of Canada computer systems and applications as "rusting out and at risk of failure." Such statements are alarming for a host of reasons, particularly when considering the potential loss of critical systems that support the nation's social services.

However, while these systems are integral to providing digital services, there does not appear to be an urgent acknowledgement of the security risks these old systems also pose.

While the Government of Canada released a National Cyber Security Strategy in 2016, it expresses little concern for the specific threats posed by legacy systems. The strategy also offers few concrete plans in terms of what the government will do to achieve its stated goals.

In an article about the government's aging IT infrastructure, Andre Leduc, vice-president of government relations and policy with the Information Technology Association of Canada, says that many officials didn't seek to upgrade these old systems because they still worked. That approach seems to be based on the adage that "if it isn't broken, don't fix it."

But at least as worrying as a potential failure of these archaic systems is the risk that government and public information could be stolen, or hijacked and held hostage.

A recent 800-page federal government response to an order paper question filed by Conservative MP Dean Allison reveals that federal departments or agencies mishandled personal information belonging to at least 144,000 Canadians over the past two years alone, a figure that includes incidents ranging from misdirected mail to technology-related breaches. And as Canada moves towards "digital government" while relying on decaying infrastructure, the risks are likely to increase.

Governments and private sector companies are often slow to update computer and communications systems due to the complexity and cost of upgrading. (Sean Gallup/Getty)

Using old technology is commonplace in both the government and private sectors due to the costs associated with upgrading. However, in a 21st-century security environment, these systems are ticking bombs. 

Old systems are vulnerable largely due to a loss of technical support by developers, which dramatically increases the chance of a successful attack. 

As new systems and applications are created, developers phase out support for older ones — and we're not just talking about decades-old mainframes. Microsoft ended support for its Windows 7 operating system on Jan. 15, for example, which means the company won't provide any new security updates. This creates significant security risks for these systems and the applications running on them, as they become more prone to malware and hacking.

Ransomware-based cyberattacks, which can lock down computers until a ransom is paid, are just one type of exploit being used by criminals and countries alike. In October last year, the Canadian Centre For Cyber Security issued a warning about ransomware called Ryuk that it said was, "affecting multiple entities, including municipal governments and public health and safety organizations in Canada and abroad."

Cyberattacks can be costly. Court documents recently revealed that a Canadian insurance company's data was held hostage until criminals who took over its computer systems were paid nearly $1 million US. That may seem like a large sum, but it pales in comparison to the cost of other ransomware attacks.

In 2017, for example, the ransomware WannaCry is estimated to have infected more than 230,000 systems in 150 countries, costing upwards of $4 billion in losses. Among those targeted was the United Kingdom's National Health Service (NHS), which was using outdated IT systems — the attack cost $159 million in ransom and cleanup costs. (The United States arrested a North Korean national in connection with WannaCry, alleging the North Korean government sponsored the attacks.)

In this 2017 file photo, employees watch electronic boards to monitor possible ransomware cyberattacks at the Korea Internet and Security Agency in Seoul, South Korea, during the WannaCry attack. (Yun Dong-jin/Yonhap via The Associated Press)

If the revelations by the Canadian press about the woeful state of our nation's aging IT systems are correct, then hackers are likely salivating at the thought of extracting similar payouts from the Canadian government.

Considering this, is the Government of Canada aggressively addressing the security risks that come with continuing to use these old systems?

For an answer, look at the mandate letters of the government's cabinet ministers, which outline the policy objectives each is tasked with by the Prime Minister.

The Ministers of Public Safety and National Defence are those chiefly in charge of protecting Canada from threats. The mandate letter expects the Minister of Public Safety to, "identify and prepare for threats to public security, including national security, cyber security and increasingly frequent climate-related emergencies," but addressing cyber security is not among the specific priority tasks given to the minister. The Minister of National Defence mandate letter doesn't give any cybersecurity instructions.

The mandate letter of the Minister of Digital Government, who is specifically tasked with the nation's transition to technology-driven services that make government "more agile, open and user-focused," does mention cybersecurity, but it is lumped in with a long list of other priorities. The minister is told to, "Lead work to analyze and improve the delivery of information technology (IT) within government. This work will include identifying all core and at-risk IT systems and platforms. You will lead the renewal of SSC so that it is properly resourced and aligned to deliver common IT infrastructure that is reliable and secure." However, there's no specific timeframe for this work.

A programmer shows a sample of a ransomware cyberattack on a laptop. (Ritchie B. Tongo/EPA)

Even if federal ministers are told to prioritize cybersecurity, is there an appropriate amount of funding being allocated to quickly upgrade Canada's aging government systems?

Well, things don't look too good on that front.

Maintaining safe and secure computer systems cannot be solved with a single expenditure in one year. It's an active process that requires ongoing yearly funding.

Through its 2018 budget, the Government of Canada committed $507.7 million over five years — approximately $101.5 million a year or 0.03 per cent of its annual revenue — "to protect against cyberattacks" and implement the National Cyber Security Strategy. Consider that Statistics Canada reported that in 2017 alone Canadian businesses spent approximately $8 billion on salaries for employees, consultants and contractors who worked on cyber security, along with another $4 billion on cyber security software and related hardware.

With the critical state the Government's aging IT infrastructure is reportedly in, the amount budgeted federally is a drop in the bucket.

The mandate of Minister of Digital Government Joyce Murray is to oversee the nation’s transition to technology-driven services that make government 'more agile, open and user-focused.' (Justin Tang/Canadian Press)

The efforts of one Minister of Digital Government alone cannot fix the chronic inaction that has led to the government's current IT crisis. To fix a systemic problem requires a systemic approach.

A whole-of-government strategy should be taken to properly address the threats that accompany modern digital government. This is about more than the funding of services, it requires a change in thinking that understands that with any computer system comes inherent risks, and that a digital government cannot afford to take a casual approach to aging technology and IT security.

Just as all federal departments of the Canadian government must conduct a gender-based analysis to understand the role of gender in their activities, so too should a comprehensive cybersecurity analysis be conducted.

The study that described the Government of Canada computer systems as being at risk of failure is an example of what a cybersecurity analysis could look like. It needs to incorporate an understanding that all computer systems, new or old, have the potential to be entry points that can be attacked and exploited.

Requiring all departments to conduct a detailed cybersecurity analysis would force the government to address the reality that while a digital government has big potential benefits, it also paints a bigger target on Canada.


Alexander Rudolph is a PhD student in the Department of Political Science at Carleton University, where he researches cyber defence and cyber warfare. Outside of his research, he also works as an independent consultant and policy analyst.