Greg Weston: Ottawa's blind eye to cybersecurity

Successive Canadian governments have never really taken the threat of online espionage seriously, the auditor general reported on Tuesday. Why should we think anything will change?

Auditor general decries lack of urgency within federal government

By any measure, it was the worst-ever cyberattack on Canada, a massive digital assault from somewhere in China in January 2011 that penetrated the confidential computer files of seven Bay Street law firms, siphoned top-secret data from three federal agencies, and forced them off the internet for almost 18 months.

Yet, the auditor general now reports it took federal security officials a full week to notify the government's own emergency cyber-response agency that there had even been an attack. 

In fairness, maybe the officials were having trouble getting anyone on the phone at the Cyber Incident Response Centre. 

The expensive government agency set up to be the nerve centre of Canada's response to online hacking was only open weekdays, 8 a.m. to 4 p.m. 

The response centre is supposed to collect and analyze information on the latest cyber threats to government and the private sector. 

It is also supposed to disseminate that information to public and private operators of critical infrastructure such as power facilities, electrical grids, banking and transportation systems. 

But as Auditor General Michael Ferguson reported on Tuesday, many of those operators don't even know the federal cybersecurity agency exists.

No action

If nothing else, the organization's performance, as it kept bankers' hours, has resulted in many of its most important functions being hived off to other federal agencies.

Auditor General Michael Ferguson, setting out the federal government's seemingly casual response to cyber-attacks. (Chris Wattie / Reuters)

Still, the auditor general reports that successive federal governments have spent more than $780 million of taxpayers' money over the past decade writing reports on cybersecurity, and generally achieving little of lasting value. 

The trail of blame in this long-running boondoggle leads directly to both the Liberal and now Conservative governments.

"There has been a total lack of any sense of urgency," one official from the auditor general's office told CBC, with no little understatement. "Basically, there have been strategies and discussion papers, but no action plans for more than 10 years."

China's hackers

The auditor general reports that the current government has now begun to make progress, especially since its own computers were attacked in early 2011. 

Public Safety Minister Vic Toews recently announced an additional $115 million in funding for cybersecurity programs. 

And today, Toews told reporters that the cyber response centre would soon be operating 15 hours a day, instead of the current eight, albeit still not around the clock. 

But beyond the obvious damage control in the face of Ferguson's scathing report, the Harper government's commitment to cybersecurity continues to draw criticism, especially when it collides with Canada-China trade. 

Case in point: the controversy over Chinese telecom giant Huawei and its growing involvement in large telecommunications projects in Canada. 

The U.S. and Australia have both blocked Huawei from bidding on infrastructure projects in those countries for reasons of national security — in other words, cybersecurity. 

But in Canada it has been a different story. 

The public safety minister has publicly refused to say that the government would bar Huawei from any projects in this country. And the Harper government won't criticize China for what many security experts have called a long record of cyber-espionage. 

Chief among them: the Canadian spy service, CSIS, which has been privately warning corporations of the clear and present danger of commercial cyber-spying from China.

No laughing matter

Were the issue not so serious, the auditor general's excoriation of the great Canadian cyber strategy would make perfect fodder for a sitcom of government bungling. 

But this is no laugh. Canada's intelligence service puts the threat of cyberattacks on a par with terrorism. 

Experts say commercial cyber-espionage costs the Canadian economy billions of dollars a year in stolen technologies and other trade secrets. 

And a former Nortel senior executive recently told CBC that the once mighty Canadian tech giant, which collapsed in 2009, may have been literally hacked to death, its technologies stolen and duplicated by Chinese cyber-spies over a period of years. 

Some attacks have potential ramifications beyond financial loss. Earlier this month, for example, hackers penetrated the computers of a Calgary company that supplies digital control systems for most of North America's oil and gas pipelines.

Taxpayers were stung when the 2011 hack-attack on the federal government caused a huge disruption of operations at three key federal departments. 

Even now, no one in this country knows how much highly classified information was stolen, nor the impact of it likely having fallen into the wrong hands. 

In his latest report to Parliament, the auditor general says federal officials are worried that "the cyber-threat environment is evolving more rapidly than the government's ability to keep pace." 

His findings give ample reason to worry.


Greg Weston was an investigative reporter for CBC News and a regular political commentator on CBC Radio and Television from 2010 to 2015.