2014-03-10

OTTAWA — Three years after hackers were found snooping around Treasury Board systems, a successful cyber-attack remains the biggest risk facing the department, according to a new report to Parliament.

And Treasury Board is not alone. IT security risks are mentioned in planning and priority reports for multiple departments as the federal government closes old data centres and modernizes an aging IT system that may not meet current security requirements.

Meanwhile, heavily censored incident reports give a glimpse of the environment departments are facing in the coming year. The reports, released under the access to information law to the Ottawa Citizen, show four instances between March 1 and July 31, 2013 in which hackers overwhelmed government servers with what’s called a “denial of service” attack.

In one case, an undisclosed government website was taken down. In another, a website was “intermittently inaccessible,” but no data were compromised. And in a July attack, public servants were cut off from their cloud computer.

Yet “there’s very much a mentality in Ottawa that we can keep things secret … and protect against this new generation of challengers,” said Christian Leuprecht, a security researcher from the Royal Military College and Queen’s University in Kingston, Ont. “We just need to learn to live in a compromised environment.”

There are fears from departments, such as the Privy Council Office and FINTRAC, that the government will lose data because of security problems. The planning report for Employment and Social Development Canada speaks of potential “loss, or inappropriate disclosure or having one of (our) online tools breached.”

That could happen as a result of a careless bureaucrat who misplaces a USB key, or someone who unwittingly downloads malware that invites hackers into government systems, Leuprecht said.

“The greatest risk that we face is from people who are careless with their own computers,” he said. “We just need people who are vigilant.”

The Treasury Board hacking incident in 2011 was the highest-profile data breach known to date, and the hackers could have been inside for weeks, or months. The department says in its latest planning report that it intends to update security policies, including developing security “tools” for all departments to better protect information.

Employment and Social Development Canada, which lost personal information on more than 588,000 Canadians in two data losses in 2012, plans to look at where and how data are stored to prevent another breach from damaging the department’s reputation.

Leuprecht said such actions could include parceling information across the network — in essence breaking up one file into chunks. Government workers would be able to put the information back together, but someone stealing one parcel of data wouldn’t find the information very useful.

“Even if we keep the data more secure, we have to be prepared for more Edward Snowdens and Bradley Mannings,” Leuprecht said.

Snowden and Chelsea Manning, formerly known as Bradley Manning, have attracted fame and scorn for leaking secret American government documents. Manning pleaded guilty last year to leaking secret diplomatic cables and Afghanistan battlefield reports; Snowden is in Russia and wanted by the U.S. for leaking secret NSA documents.

“These are the breaches we’re just going to have to learn to live with,” Leuprecht said.

jpress@ottawacitizen.com

Twitter.com/jordan_press

Electronic spy agency watchdog wants to rebuild public trust

The watchdog for the country’s cyber-spy agency says a key task for him in the coming year is to convince Canadians the agency isn’t violating their privacy. The issue is identified as a key risk by the commissioner for the Communications Security Establishment Canada in his annual report on plans and priorities for the coming fiscal year.

The CSEC watchdog, retired judge Jean-Pierre Plouffe, faces a tough battle after revelations from leaked National Security Agency documents in the United States indicated that CSEC collected metadata on Canadians (details of a call, such as the time, duration and location, but not the contents of the conversation) from airports that it could use to track a person over time.

The agency has said it is operating within the law, but critics question how that’s possible given that the office of the CSEC commissioner doesn’t have the capacity to review every aspect of the agency’s activities.

The commissioner’s report argues that having such reach “would not be a reasonable approach.” Reviews, the commissioner says, will be focused on CSEC’s work that poses the “greatest risk to non-compliance with the laws of Canada and to the privacy of Canadians.”

Plouffe’s report also says he faces the risk of a deteriorating relationship with CSEC. The report says that should the relationship sour, the oversight process would fail and the watchdog wouldn’t be able to assure Parliament or Canadians that CSEC was acting lawfully.
