Heartbleed bug delay begs explanation from Revenue Canada

Even with the arrest last week of an alleged culprit in the theft of the private data of about 900 Canadians, the taxman is still unwilling or unable to say why it didn't act faster to prevent an attack on its web servers that exploited the Heartbleed software bug. Was ignorance, a failure to act or braggadocio to blame?
The Canada Revenue Agency blocked partial access to its website and online tax-filing services late on April 8 due to the discovery of a security vulnerability known as the Heartbleed bug - more than a day after the threat was made public. (Mark Blinch/Reuters)

Even with the arrest last week of an alleged culprit in the theft of the private data of about 900 Canadians, the Canada Revenue Agency is still unwilling or unable to say why it didn't act faster to prevent an attack on its web servers that exploited the Heartbleed software bug.

Now, a tale is emerging of ignorance and perhaps even government nonfeasance, with the CRA admitting Wednesday it found out about the Heartbleed vulnerability one full day after the rest of the global web security world was advised there was a problem.

The CRA buried that news in the middle of an awkward sentence that suggested action, but in fact revealed trouble: "After learning that the Canada Revenue Agency (CRA) systems were vulnerable to the Heartbleed bug on April 8, 2014, the CRA acted quickly to protect taxpayer information by removing public access to its online services on the same day," spokesman Philippe Brideau wrote in an e-mail.

Over the course of two weeks, CBC News has been trying to identify why, when warnings about the devastating Heartbleed bug first emerged in professional IT security circles Monday, April 7, the government apparently did not shut down its vulnerable CRA systems until about 36 hours later, on the evening of April 8.

It turns out those hours were critical.

The RCMP allegations and CRA comments suggest it was during that 36-hour gap a 19-year old London, Ont. university student allegedly exploited the Heartbleed web weakness to access the Social Insurance Numbers of 900 Canadians.

The CRA has acknowledged fragments of other data pertaining to business accounts were accessed too, but it has not clarified whether that loss was comprehensive enough to constitute a breach of privacy.

The entire web world was taken aback by news of the Heartbleed bug, which was termed "devastating" and recognized as one of the most significant global threats to online security.

The CRA is certainly not the only organization to have been exposed by the vulnerability.

But, in retrospect, the issue that emerges is whether CRA — and indeed the government in general — did enough to protect the private tax information of Canadians once word of the Heartbleed bug started to circulate in security circles.

Several departments involved in security

Was the inability to heed the global warning a problem at CRA, or was it the fault of others in the government's IT security apparatus?

That's a lengthy and twisting chain of accountability that weaves from secret security teams at Communications Security Establishment Canada, through the Treasury Board's Chief Information Officer branch, Public Safety's Canadian Cyber Incident Response Centre, Shared Services IT teams and finally to the CRA.

"Shared Services Canada has played a major role, along with the Treasury Board Secretariat, and other government departments and agencies, in resolving the problem and administering the patch to all vulnerable software," the CRA said in an e-mailed response to CBC News this week.

The Communications Security Establishment Canada told CBC News last week it learned of the bug "at the same time as the global IT security community." That presumably means Monday, April 7, when a global security alert went out.

A look back at what Revenue Minister Kerry-Lynne Findlay told reporters on Wednesday of that week reveals the CRA only learned on the Tuesday night it was running the vulnerable software.

"We know there is a systems vulnerability," Findlay told reporters. "We have identified that so we shut down those systems right away as a precautionary measure only."

That assessment, in retrospect, belies the reality that the private data of Canadians was stolen before that "precautionary measure" was taken. CRA maintains that, at the time of the shutdown, it had not yet learned of the alleged theft.

"Regrettably, the CRA was notified by Government of Canada security agencies of the criminal breach after online systems were shut down," Brideau said in an email Wednesday, emphasizing the word "criminal" in all capital letters.

"CRA worked diligently to apply the patch and test all systems to ensure they were safe and secure prior to restoring online access."

Who didn't tell CRA?

The timeline that has now been revealed suggests key government online security actors did know about the vulnerability in time to prevent an attack, but the CRA did not. 

Almost any way that's evaluated it presents the probability of failure: Either CRA should have known about Heartbleed the day the world was told and did not, or someone else who did know that same day didn't warn the CRA to shut the proverbial barn door until after the horses were loose.

What is known is that up until noon the day CRA was told of its vulnerability, the tax agency's top bureaucrats apparently thought the system was too robust to break.

That very day, the department's assistant commissioner and chief privacy officer told Parliament the CRA had "one of the — if not the — strongest security regimes around our technological systems of any government department."

Susan Gardner-Barclay bragged about CRA's cyber-security to MPs at a Commons committee meeting on identity theft.

"We are obviously very cognizant of the fact that security and the security of those portals is instrumental to Canadians having confidence in sharing their information with us, so we have a very rigorous security system around the CRA system," she said.

According to CRA staff, as Gardner-Barclay spoke, "she was unequivocally unaware of the Heartbleed bug vulnerability."

But that might not even matter. As we now know, much of what she said about CRA's security was, according to the RCMP, being proved wrong.

The Heartbleed bug is a "zero-day" vulnerability problem — that’s to say, it existed from the very day the software was released about two years ago. That means the CRA was in fact at risk of anonymous and nearly untraceable theft of data for as long as it had been using the affected software.

It just never knew it.


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.