Crucial government infrastructure and sensitive information remain vulnerable to cyber-attacks because the countryâs online security hub is not equipped to deal with threats around the clock, Canadaâs auditor general says in a new report.
Michael Fergusonâs latest audit says the Canadian Cyber Incident Response Centre, created in 2005, only operates between 8 a.m. and 4 p.m. ET and has made limited progress in protecting vital computer networks from cyber-attacks.
âEqually concerning for us was the fact that some of the owners and operators of these critical systems either didnât know that the response centre existed, or if they did, they werenât sure what type of information they were supposed to share with it,â Ferguson told Power Play.
After hackers tried to infiltrate computer systems at the Finance Department and Treasury Board in January 2011, it took officials a week to report the incident to the CCIRC, Ferguson said. The cyber-attack, which may have originated in China, cost taxpayers millions of dollars in repairs and lost productivity, Ferguson said in his report.
The attack revealed that sensitive data was being stored on unsafe networks and highlighted "ongoing vulnerabilities to government systems,â the report noted.
When the CCIRC was first established, government officials said it would eventually become a 24/7 operation, but that never happened, Ferguson told Power Play. As a result, the security hub isnât receiving information on a âtimely basisâ and threats can be missed.
Often, a single cyber security incident may not seem like a major issue, but when itâs connected to similar events, experts can recognize a serious threat, Ferguson said. Itâs crucial that experts are on hand round-the-clock to be able to âconnect the dots,â he added.
Last week, Public Safety Minister Vic Toews announced an additional $155 million over five years to shore up protection of federal infrastructure and computer networks against cyber threats. The government has also said it plans to increase CCIRCâs hours to 9 p.m., five days a week.
Last year, the CCIRC transferred the responsibility for protecting government information to the Communications Security Establishment, which is supposed to provide timely information about threats.
But Ferguson said CSE has not been consistent with data sharing because of the classified nature of collected material.
The threat of cyber-attacks is a serious issue because Canadaâs critical infrastructure, including the banking system and the energy grid, runs on computer-based systems, Ferguson said.
"Cyber-threats are real, cyber-threats are going to exist and you can't eliminate them," he told a news conference.
"But it's important for the government, in terms of its own systems, to make sure that they understand the types of threats and that they can be in front of them as far as possible. It's something that the government needs to be ever-vigilant about."
Fergusonâs report also found problems in other government sectors, such as National Defence and Veterans Affairs failing to tell injured and sick veterans about their rights to benefits. Ferguson also told Power Play that many injured ex-soldiers are finding it difficult to transition into the workforce once theyâve returned home and that many of them are struggling to navigate the âcomplexâ bureaucracy.
With files from The Canadian Press