Canadian government departments are doing a better job at protecting federal IT networks, but perhaps dozens of attempts a week are still getting through defences.
“While cyber incidents and breaches still occur, they are becoming less frequent,” says Public Safety Canada’s latest evaluation of the effectiveness of the government’s 2010 cyber security strategy. The government will shortly announce an updated cyber strategy after conducting a national consultation.
The report, completed in September, estimated federal systems block on average 600 million attempts each day to identify or exploit vulnerabilities in its systems and networks.
The Communications Security Establishment (CSE), the country’s electronic spy agency, which is responsible for defending the majority of government departments and agencies from cyber threats, estimated that between 2013 and 2015 the government of Canada detected, on average, more than 2,500 state-sponsored cyber activities a year against its networks – or about 50 a week.
“Although more than six percent of these attempts breached the Government of Canada’s systems in 2013, this number had fallen to less than two percent in 2015,” says the report.
The report doesn’t detail whether all these breaches are caught before data is stolen.
The report is called a horizontal evaluation of Canada’s cyber security strategy, meaning it looked at the governance structure put in place to oversee the implementation of the strategy across a number of departments.
When the strategy was initially released by the Harper government it was applauded by cyber security experts. The goals are to ensure federal IT systems are secure; systems of importance to the government (critical infrastructure) are secure; and that Canadians are safe and secure online. In short, the strategy created an enterprise-wide approach to cyber security.
However, a year later the auditor-general slammed the government for not having created an action plan to actually implement what was proposed. That was rectified.
Not everyone interviewed for the report was happy with the government’s efforts since then. Some complained the spending on securing critical infrastructure systems – such as the electric grid, telecom, transportation and financial systems – has been “inadequate.” It also isn’t clear to the private sector who to report cyber incidents to: the CSE or the Canadian Cyber Incident Response Centre.
The report also says there has been “limited progress” in the ability of the government and the private sector to share threat and breach information. “Private sector companies seem to lack trust in the public sector’s ability to safeguard their information,” says the report.
Nor is there a clear policy on how to engage with companies that hold sensitive government information but are not critical infrastructure owners and operators.
What this latest report – which covers 2010 to 2016 – found was in some ways a mixed bag: It concluded the governance structure facilitated collaboration, co-ordination, and information-sharing among the many departments covered by the plan, including CSE, Shared Services Canada (which is consolidating IT infrastructure of many departments), Justice, the Defence department, the Canadian Security and Intelligence Service (CSIS) and Public Safety.
However, due to a lack of documentation – including no minutes of some meetings – the evaluation was unable to determine the extent to which the oversight committees fulfilled their stated purposes.
While some roles and responsibilities of departments were set, things aren’t always clear. That has led to private sector confusion on who to report incidents to: CSE, which is supposed to address issues related to systems of importance to Canada, or the Canadian Cyber Incident Response Centre (CIRC), a branch of Public Safety, which puts out public alerts and is supposed to co-ordinate public-private information-sharing and incident management.
In addition, says the report, some government agencies developed software or other tools to address a cyber-related issue while another department was working on the same thing.
Also, while there is a Federal/Provincial/Territorial Deputy Ministers’ Table on cyber security for information sharing, “expected results proved elusive. For various reasons, it was found to be challenging to hold policy discussions among stakeholders and to agree how to proceed on given issues, including information-sharing. Those involved found, in practice, classified information-sharing is extremely limited, declassifying information is difficult, and establishing efficient systems to share information requires investment from the recipient as much as from the Government of Canada.”
Across federal agencies, information sharing “was done on an ad hoc and selective basis. There was no clear policy as to what should be shared, with whom and when. It was mostly the individual organizations that decide on their own terms what to share with others.”
Usually organizations lacked the time, not the will, to share information, says the report. But it also adds that one problem is a lack of interoperability between several classified networks.
The report also notes the RCMP was supposed to publish an annual report on cyber crime. However, the most recent report was released in 2014. The report notes the RCMP explained that, in line with advancing the second phase of the cyber security strategy, the force now focuses on operational criminal intelligence rather than public reports of cyber crime trends.
In looking at the effectiveness of securing federal IT systems, the report lists a range of accomplishments, including:
– the creation of a single, enterprise-wide round-the-clock security operations centre;
– a government-wide incident management process and a security event management plan;
– the creation of a mobile cyber recovery team to help rapid restoration of services following a compromise;
– deployment of “advanced detection and deterrence capabilities to a significant number of departments;”
– a comprehensive supply chain integrity program that has completed over 16,000 reviews of suppliers of hardware, software and services;
– an enterprise security architecture that provides a standardized approach for departmental IT security architectures. It has been used in the government’s new cloud adoption strategy;
– a better disaster recovery regime, including allowing a single entity to control the recovery process;
– a federal IT strategic plan for 2016-2020, which outlines future initiatives to improve the cyber security posture.
As an example of the improvements, the report praises Canada Revenue Agency’s quick recovery from the Heartbleed bug in 2014.
However, the report said there are still problems to be fixed:
• developing an enterprise Government of Canada security information and event monitoring toolset and a development, testing and integration lab;
• dedicating money for classified infrastructure to support secure department-to-department information sharing and processing;
• creating a cyber foreign policy to encourage countries to develop international norms for cyber behavior;
• and, perhaps most importantly, there should be broader implementation by departments of CSE’s “Top 10” cyber mitigation measures. These measures, some told the report’s authors, “would eliminate the vast majority of cyber threats to the Government of Canada’s systems.”
Number one of the 10 is using Shared Services Canada’s secure Internet gateways. Some interviewed by the report’s authors blamed the massive 2014 attack on the National Research Council on that body’s decision not to use those gateways.
Finally, the report authors were unable to determine if Public Safety’s campaign to raise general public cyber awareness is effective.
Public Safety Canada has accepted all of the recommendations for strengthening oversight and has planned actions over the next 12 months.