News last week that a cyber attack at a third-party firm that performs background checks for U.S. government employees had compromised data of at least 25,000 bureaucrats is just the latest illustration of how attackers can gain tremendous information by going after contractors doing work for governments.
That’s one reason why, as Forbes.com reports, increasing security rules and regulations in Washington that contractors have to meet are straining IT and other outsourcing firms hired to do work for the federal government.
And it’s not only south of the border. John Proctor, vice-president of cyber-security at Montreal-based CGI Group Inc., one of the biggest IT consulting and integration companies in the world, told us it’s happening here too — but not on the same scale.
What it means is if you want to be hired by either government, your firm had better have a strong cyber security program. For example, Proctor said CGI — which does a lot of business in Washington — has to have an insider threat detection program to be hired by Uncle Sam.
Given the number of foreign attacks Ottawa says it is undergoing, one question is whether Ottawa will follow Washington’s lead.
Next month, Forbes reports, the Pentagon will issue a new rule that requires U.S. defence contractors to report cybersecurity breaches, and give the department access to their networks to investigate attacks.
“Contractors must navigate a thicket of inconsistent rules and standards issued by different agencies that define key cybersecurity concepts in contradictory ways,” the article says. “They also face compliance obligations even though the Federal Government does not always clarify what specific cybersecurity safeguards are actually required to meet them.”
Proctor, who leads the Canadian security practice and is responsible for CGI’s nine managed security data centres around the world, said “there already is a fairly robust clearance process for contractors who are working on classified contracts” for Ottawa.
“Some of the issues the Forbes article talks about, like different departments having slightly different (security) systems we still see here in Canada. But this is because some government departments are more sensitive than others. But I haven’t seen any specific changes to that since the events in the U.S.” (meaning the 9/11 attack).
“The Canadian system is as robust but is more consistent, I get the impression, than the U.S. is.”
CGI hasn’t seen evidence yet of any attackers trying to get to its government customers through its systems, he added. That may be because often on contracts the staffer works at the government site and the CGI system isn’t involved.