Crucial government infrastructure and sensitive information remain vulnerable to cyber-attacks because the country鈥檚 online security hub is not equipped to deal with threats around the clock, Canada鈥檚 auditor general says in a new report.
Michael Ferguson鈥檚 latest audit says the Canadian Cyber Incident Response Centre, created in 2005, only operates between 8 a.m. and 4 p.m. ET and has made limited progress in protecting vital computer networks from cyber-attacks.
鈥淓qually concerning for us was the fact that some of the owners and operators of these critical systems either didn鈥檛 know that the response centre existed, or if they did, they weren鈥檛 sure what type of information they were supposed to share with it,鈥 Ferguson told Power Play.
After hackers tried to infiltrate computer systems at the Finance Department and Treasury Board in January 2011, it took officials a week to report the incident to the CCIRC, Ferguson said. The cyber-attack, which may have originated in China, cost taxpayers millions of dollars in repairs and lost productivity, Ferguson said in his report.
The attack revealed that sensitive data was being stored on unsafe networks and highlighted "ongoing vulnerabilities to government systems,鈥 the report noted.
When the CCIRC was first established, government officials said it would eventually become a 24/7 operation, but that never happened, Ferguson told Power Play. As a result, the security hub isn鈥檛 receiving information on a 鈥渢imely basis鈥 and threats can be missed.
Often, a single cyber security incident may not seem like a major issue, but when it鈥檚 connected to similar events, experts can recognize a serious threat, Ferguson said. It鈥檚 crucial that experts are on hand round-the-clock to be able to 鈥渃onnect the dots,鈥 he added.
Last week, Public Safety Minister Vic Toews announced an additional $155 million over five years to shore up protection of federal infrastructure and computer networks against cyber threats. The government has also said it plans to increase CCIRC鈥檚 hours to 9 p.m., five days a week.
Last year, the CCIRC transferred the responsibility for protecting government information to the Communications Security Establishment, which is supposed to provide timely information about threats.
But Ferguson said CSE has not been consistent with data sharing because of the classified nature of collected material.
The threat of cyber-attacks is a serious issue because Canada鈥檚 critical infrastructure, including the banking system and the energy grid, runs on computer-based systems, Ferguson said.
"Cyber-threats are real, cyber-threats are going to exist and you can't eliminate them," he told a news conference.
"But it's important for the government, in terms of its own systems, to make sure that they understand the types of threats and that they can be in front of them as far as possible. It's something that the government needs to be ever-vigilant about."
Ferguson鈥檚 report also found problems in other government sectors, such as National Defence and Veterans Affairs failing to tell injured and sick veterans about their rights to benefits. Ferguson also told Power Play that many injured ex-soldiers are finding it difficult to transition into the workforce once they鈥檝e returned home and that many of them are struggling to navigate the 鈥渃omplex鈥 bureaucracy.
With files from The Canadian Press
