Governments are collecting increasing amounts of data about their citizens, and the need to handle all of it in a secure way is motivating ministries, departments and agencies to improve their IT security infrastructures. Although some are embracing the new defence imperative willingly and quickly, others are finding it a much tougher challenge.
It was the sort of episode CIOs – and CEOs for that matter – have nightmares about. A visitor to a Web site discovered he could view personal information about others who had used the site. The site had to be shut down temporarily, and the story was all over the press.
There have been many such stories, but this particular one didn’t involve a private-sector business. It was Passport Canada’s online application system where, late last year, Huntsville, Ont., resident Jamie Laning browsed other people’s personal data by altering the URL displaying the data he had entered himself.
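The Passport Canada flaw described above is a missing ownership check on a record looked up by an id in the URL. The following is an added illustration, not code from Passport Canada or the article: a vulnerable lookup beside a fixed one, plus a small detection helper over constructed access-log lines. Record ids, user names and the log format are all assumed for the example.

```python
from collections import Counter

# Constructed sample records, keyed by the id that appears in the URL.
APPLICATIONS = {
    101: {"owner": "alice", "name": "Alice Example", "dob": "1980-01-01"},
    102: {"owner": "bob", "name": "Bob Example", "dob": "1975-06-15"},
}


class AccessDenied(Exception):
    """Raised when the signed-in user does not own the requested record."""


def view_application_vulnerable(session_user: str, application_id: int) -> dict:
    """Fetches by id alone and ignores who is asking: a signed-in user who edits
    the id in the URL receives another applicant's data (the article's failure)."""
    return APPLICATIONS[application_id]


def view_application_fixed(session_user: str, application_id: int) -> dict:
    """Fetches by id, then refuses unless the authenticated user owns the record.
    Missing and foreign ids raise the same error so the endpoint does not
    confirm which ids exist."""
    record = APPLICATIONS.get(application_id)
    if record is None or record["owner"] != session_user:
        raise AccessDenied(f"application {application_id} not available to {session_user}")
    return record


def is_denied(session_user: str, application_id: int) -> bool:
    """True if the fixed handler refuses this user/id pair."""
    try:
        view_application_fixed(session_user, application_id)
    except AccessDenied:
        return True
    return False


# Constructed access-log lines in an assumed 'user=<u> id=<n> allowed=<bool>' format.
SAMPLE_LOG = [
    "user=alice id=101 allowed=True",
    "user=bob id=101 allowed=False",
    "user=bob id=103 allowed=False",
    "user=bob id=104 allowed=False",
    "user=bob id=102 allowed=True",
]


def sessions_enumerating_ids(log_lines, threshold: int = 3):
    """Detection side: return users with at least `threshold` denied lookups,
    the pattern a defender would alert on when ids are being walked."""
    denied = Counter()
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("allowed") == "False":
            denied[fields["user"]] += 1
    return sorted(user for user, count in denied.items() if count >= threshold)
```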
Passport Canada did not respond to requests for comment, but more may be known about what went wrong when the federal privacy commissioner’s office completes an audit of the department – which was already in progress when the incident occurred. The audit report is due some time this spring. The privacy commissioner’s office did not respond to requests for further comment.
Was this breach an isolated incident, or a symptom of broader problems with the security of personal data? Maybe some of each. David Senf, director of Canadian security and software research at International Data Corp. (Canada) Ltd., says governments probably do a better job than many businesses when it comes to security. “The public sector is up there with finance as an industry that understands the importance of security,” Senf says.
That said, he adds, everyone has work to do in the area of online applications security. “Web application security as a focus is on the increase, so we are seeing more attention being paid to that.”
“Seventy-five per cent of new attacks now exploit software vulnerabilities, and most of the IT security dollars are spent bolstering up the security on the perimeter of the network,” says Brian O’Higgins, chief technology officer at Third Brigade Inc., an Ottawa-based intrusion prevention system provider.
And for governments, a comparatively good job of security may not be enough. “We’re dealing with the government here,” says Derek Manky, security research engineer at Fortinet Inc. in Vancouver. “We’re dealing with a very high level of sensitive information.”
According to Manky, the Passport Canada breach shouldn’t have happened. There wasn’t even a deliberate attempt to penetrate the database, he points out. “This was simply a matter of private information being made available to the public.”
The Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa’s law faculty, recently called for a centralized electronic registry of data breaches, to which private-sector companies would be required to report unauthorized data access.
CIPPIC is focusing on the private sector because of current consultations on reforming a data protection law that applies to business, says Philippa Lawson, director of CIPPIC, but “there’s no reason why the same rules shouldn’t apply to the public sector.”
Lawson says it appears the government is receptive to creating a compulsory registry of private-sector data breaches. Yet there is currently no such requirement for the public sector in Canada, with the exception of Ontario’s Personal Health Information Protection Act.
Like Senf, Lawson has some good things to say about governments’ efforts to secure citizen data. She applauds Ottawa’s decision to create separate databases for different online government services rather than throwing everything together in one master database of citizen information – an approach that she says would undoubtedly have been quicker and easier but also a greater privacy risk. “The larger the database, the bigger the attraction to criminals is.”
The federal government’s best-known security initiative is Secure Channel, which combines a secure network, secure message routing and public-key infrastructure (PKI) user authentication technology called epass. Initiated by Treasury Board Secretariat, it is run by Public Works and Government Services Canada.
In e-mail responses to questions for this article, representatives from both departments said all government departments use the secure network and all departments will use the other Secure Channel components by 2011.
Secure Channel only deals with authentication and secure data transfer, though. It does not affect the security of individual Web applications.
That’s the responsibility of individual departments, according to the prepared answers, although the Treasury Board issues directives and provides support to ensure proper security measures are taken.
The federal government’s security efforts have met with mixed reviews. Secure Channel received a silver award for customer care in the 2005 Canadian Information Productivity Awards, yet in the same year the federal auditor-general said that, overall, the government had made “unsatisfactory progress in strengthening information technology security since our audit in 2002.”
There are some encouraging stories in public-sector information security in Canada, though.
Service New Brunswick, a Canadian pioneer in electronic government services when it launched in 1996, addresses security on a number of levels, ranging from determining how long data is retained on a case-by-case basis to scanning Web applications for vulnerability to exploits such as SQL injection attacks.
Every time Service New Brunswick adds a new service it goes through a risk analysis, says Dorothea Foley, director of information technology for SNB. That analysis addresses security, privacy and data retention issues.
“Typically, we only keep it for as long as we need,” Foley says. Service New Brunswick’s privacy officer reviews data to be collected, and if she considers it to