Critical cybersecurity gaps remain, auditor general says
Agency monitoring cyberattacks not staffed 24/7, report finds
A new report from Canada's auditor general says the federal government has made only limited progress toward improving cybersecurity and protecting the country’s critical infrastructure.
Michael Ferguson says in his report released Tuesday in Ottawa that his investigators found weaknesses in the mechanisms Ottawa has set up to counter a cyberattack.
Ferguson says progress was slowest between 2001 and 2009, when threats to vital government and private-sector computer networks were rapidly evolving. He says the situation has improved since 2010, when the government announced a cybersecurity strategy and a plan to protect critical infrastructure.
Still, Ferguson warns, Ottawa's coverage is incomplete. He singles out the Canadian Cyber Incident Response Centre (CCIRC) for scrutiny. It was established in 2005 with a mandate to share information about cybersecurity and monitor more threats round the clock.
Ferguson says that never happened.
Key agency operates Monday to Friday
The centre today operates during business hours Monday to Friday, with a staff member on call after hours. The report notes the government plans to extend the centre's hours and keep it open seven days a week. But Ferguson’s report questions whether that will be sufficient.
"As CCIRC is not operating around the clock, there is a risk that there will be a delay in the sharing of critical information linked to newly discovered vulnerabilities or active cyber events reported to CCIRC after operating hours."
The report also points out that while CCIRC is supposed to share information about cyber threats across federal government departments as well as with the provinces and the private sector, there have been breakdowns in communication. When auditors interviewed owners and operators of private-sector infrastructure, they found some had never heard of CCIRC.
The report also found that in one case when federal government computers came under attack by hackers, "the CCIRC was not notified by the affected departments until more than one week after the intrusion was discovered, contrary to procedure."
And, it says, since CCIRC transferred responsibility for protecting government information systems to Communications Security Establishment Canada in 2011, CSEC has not been providing CCIRC with timely information about its findings.
Public Safety Minister Vic Toews said Tuesday the government has taken steps to beef up cybersecurity as it has become aware of the problem, and is already acting on the auditor general's recommendations.
"It wasn't until about, literally, 2010 that people simply became aware of the nature of cyber threats and that has been the task of government, to not only to detect this but to coordinate the response inside the government itself," Toews said outside the House of Commons.
Cybersecurity is just one of the areas the auditor general examined. Tuesday's seven-chapter report also takes the government to task for everything from its overly complex system of assisting injured veterans, to its reluctance to publish a long-term fiscal plan for the country’s finances. Among the findings:
- The move in the last budget to increase the age of eligibility for seniors' benefits could end up saving government more than $10 billion a year by the time it's fully implemented in 2029.
- Injured or ill military personnel face a clear lack of information on support programs, benefits and services as well as lengthy waits for support.
- The federal government has not followed through on a promise to make analyses of its long-term fiscal sustainability public.
- Industry Canada has not publicly reported on the results of its Strategic Aerospace and Defence Initiative, which has given hundreds of millions of dollars in assistance to the aerospace industry.
- National Defence has done some of the work needed to exercise sound stewardship over its $22-billion real property portfolio, including its 21 main bases, but much work remains.
- Government spent more than $8 billion on professional and special services contracts in the 2010–2011 fiscal year.
- The government has fulfilled most of its commitments to reform its grant and contribution programs, as recommended by a panel in 2006.
Supports for injured soldiers 'challenging'
On soldiers and veterans, Ferguson calls on Ottawa to improve the way it helps those who fall ill or suffer injury while serving their country. His report says more than 8,000 Forces members were released from the services between 2006 and 2011 because of health issues. According to the report, the government needs to do a better job helping these men and women.
"There are many support programs, benefits, and services in place to help ill and injured members of the military make the transition to civilian life," Ferguson says.
"However, we found that understanding and accessing these supports is often complex, lengthy and challenging."
In a statement Tuesday, a spokesman for Veterans Affairs Minister Steven Blaney said the minister accepted the auditor general's recommendations and will introduce a "robust" veterans transition action plan to address them directly.
In the final chapter of his report, Ferguson calls on Ottawa to be more open with Canadians about its long-term financial plan. He says the government has never followed through on its 2007 commitment to make public its analyses of the effects of government policy on the country’s finances.
Ferguson points out many OECD countries publish such analyses and challenges Ottawa to do the same.
"Analysis that provides a long-term budgetary perspective would help parliamentarians and Canadians better understand the fiscal challenges facing the federal government," Ferguson says.