Shared Services Canada, the government agency that merged most federal data centres and networking to save money and make IT more efficient, has its critics – including the RCMP and Statistics Canada.
But its chief operating officer told a security conference in Toronto on Monday that its quick response in March to the discovery of an Apache Struts vulnerability that compromised a StatsCan Web site proves its worth.
“This was a textbook case of why this works so well,” John Glowacki, SSC’s chief operating officer, told the RiskSec conference, “because you had multiple departments, everybody knew their swim lane, they co-operated well, we executed quickly.”
“You’re never perfect in this business but the fact we were able to contain it so fast was really quite something.”
The value proposition touted by supporters was “better, faster, cheaper,” he said. But “one of the biggest benefits has been security.”
That’s largely because after the merger SSC created a government-wide security operations centre for the 114 departments and agencies it is responsible for, he said.
“It’s practically unique in the world” because it pulls widely disparate departments, including Defence and the RCMP, under one operational control environment, he said. As a result “you can do a lot of things fast.”
But he also credited the Communications Security Establishment (CSE), the national agency responsible for protecting federal systems through encryption and monitoring global networks, for creating a Top 10 list of IT Security Actions that departments and agencies should follow. The top recommendation is that they should have their systems behind SSC’s Internet gateways. (Shared Services only protects end user devices from five departments. Departments also control their own applications.) In addition to the security the gateways provide, SSC benefits from CSE’s global detection capabilities, Glowacki said, which apparently helped in the Struts vulnerability.
Struts is an open source framework for creating Java web applications and Web sites on Windows and Linux systems.
Statistics Canada’s website was hacked, but the government said only data that was already publicly available was exposed. In addition, Canada Revenue’s servers were taken offline for a period so they could be patched.
In an interview Glowacki said private sector IT security leaders can benefit from following CSE’s Top 10 list for improving security (which is similar to the SANS Institute Top 20 security controls) – except for being behind the government’s gateway, of course.
The RCMP has reportedly not been impressed with SSC’s network performance. According to the CBC, the failure of routers supporting core network and IT functions in January that created an 11-hour outage prompted the head of the national police force to complain to Public Safety Minister Ralph Goodale that the “one-size-fits-all” shared IT strategy isn’t working.
Glowacki acknowledged that the 2011 creation of SSC by the Harper government was a “cataclysmic” merger that was “grossly underfunded from day one.” More recently, he added, “the government has been pretty good about helping us take care of critical investments in cyber security. So we feel pretty good and the country should feel good.”
Meanwhile, news reports led to a “misunderstanding” of the problem with RCMP service. While he said “they don’t suffer fools … the fact of the matter is we’ve improved their security environment, we have improved architecture on some of the things we inherited. Some of the things that came out of the press weren’t accurate in terms of incidents and why things occurred. We’ve made good investments, we’re going to make more investments … They (the Mounties) are a good customer. They chose to be a challenging customer because they challenge themselves that way.”
Glowacki is a former U.S. military technologist and chief technology officer at IT services supplier Computer Science Corp. (now DXC Technology) who moved north with his Canadian wife, he also told the conference. He became SSC’s chief operating officer at the end of 2014.
From his background he has seen IT procurement from both the public and the private sector. As part of his remarks to the conference he acknowledged that up here “there’s a certain amount of distrust with industry.” Part of that, he said, is that Ottawa hasn’t as much experience outsourcing IT as the U.S. and the U.K.
But also, he said, bureaucrats “look at industry and think, ‘All they want is our money.’” At the same time, he admitted, “the way we do procurement is a challenge.” Bureaucrats just aren’t making decisions fast enough, he said. “If nothing else my task is education,” he said, of both sides.
In the interview he said government would benefit if some procurement officers worked in the private sector for a year to get experience from that side. Meanwhile, he noted, Ottawa has hired some experienced private sector buying officials.
RiskSec Toronto, formerly SC Canada, continues Tuesday.