With no front-lines in the battle against a global army of hackers, Canada’s sensitive infrastructure is vulnerable to assault. But we can’t forget that there are other enemies, quietly spying on us, who can do just as much damage, says a security analyst.
Clock is ticking
In Chapter 3 of the 2012 Fall Report of the Auditor General, released today, Canadians became privy to the government’s attempts to help secure infrastructure from cyber threats. But the report noted that one of the key agencies tasked with responding to these threats, Public Safety Canada, is spinning its wheels in some cases.
“In our opinion,” the authors wrote, “the lack of action plans since the 2001 commitments for cyber security were announced has contributed to the overall lack of measurable progress. We noted that the 2010 Cyber Security Strategy does not yet have an action plan to guide its implementation. The lack of a plan makes it difficult to determine whether progress is on schedule and whether its objectives have been met.”
In response, Public Safety Canada has promised to draft an interdepartmental plan, the report said.
The report also noted that government has been sluggish in its approach to building sector networks that would link together public and private sector entities that own and operate critical infrastructure. The report did say that some progress had been made and that by December 2013, Public Safety Canada will play an advisory role to departments who want to share information through such networks.
Meanwhile, the report said that the primary body tasked with keeping an eye on Canada-wide threats, the Canadian Cyber Incident Response Centre (CCIRC), has not been operating at 24/7 capacity, but rather on a work-week schedule with on-call personnel available outside business hours. While its operating hours are planned to be increased, there is no sign that the Centre is going to be open around the clock, something the report said could harm its ability to detect threats:
“Based on our discussions with officials, it is our opinion that operating 24 hours a day, seven days a week is important for the timely detection and notification of cyber threats, and for communicating with the computer emergency response teams of Canada’s foreign allies, which operate in different time zones.”
A little while ago, I remember speaking to David Black, manager of the RCMP technology crime branch’s cyber crime fusion team, who said that the CCIRC was going to become increasingly important in Canada’s cyber-defence strategy. He also cited international cooperation (through Interpol) as a vital component of the effort to combat threats that are invariably global in scope.
For more perspective on the current report, I spoke to two researchers from Trend Micro Inc., Tom Moss and Nart Villeneuve, about how serious they see the risks to our infrastructure. The danger is certainly present, they said, and government, just like private businesses, has to realize that hackers cannot always be stopped at the gates of a network. Indeed, Trend Micro is a proponent of working under the assumption that enemies have already made their way inside and have to be located and destroyed wherever they turn up.
I asked Villeneuve if the Auditor General’s report had turned up any red flags. Not really, he said, but he would have liked to see the problem of cyber-espionage addressed to a greater degree. Cyber-spies in particular launch persistent “campaigns” that can remain undetected for years. These attacks may not be as spectacular as the “catastrophic” attacks that knock out a piece of key infrastructure, he said, but they’re a growing, if under-reported risk.
Villeneuve added that while government departments and competing private companies in Canada are naturally reticent about sharing sensitive information about security breaches, the extent of the threats is such that withholding information could be doing more harm than good.