The Sept. 11 terrorist attacks have changed priorities at all levels of Canadian government – federal, provincial and municipal. Physical security aside, the spectre of 9/11 has also created clouds of concern over the safety and security of Canada’s IT infrastructure.
Such concerns quickly turned into increased security and privacy controls, as reflected in both Bill C-36, the new package of federal anti-terrorism legislation, and the security-centred federal budget last December.
The power of Bill C-36 to override parts of the Personal Information Protection and Electronic Documents Act, the Privacy Act and the Access to Information Act could affect the way Canadian citizens interact with their government. Changes to privacy and security laws, for example, could generate more pressure on government departments and thus affect the electronic services they can offer.
On the other hand, various levels of government contend that 9/11 may have caught them by surprise – but not off guard. In that sense, it doesn’t appear that much has changed. Or has it? Is now the time to review online and network
security?
“Is there a heightened sense of awareness? I would say yes,” said Jill Velenosi, deputy Chief Information Officer for the federal government. Velenosi says Canada already leads other nations in terms of developing a common secure IT infrastructure.
“There is a push for the use of public communications not only for external communications but also within government, to assure the security message within government operations. . . . Because we had already started to work on secure electronic service delivery (Government On-line and common infrastructure), we were well positioned. It’s not to say that we weren’t affected by Sept. 11 and it wasn’t taken into consideration, but I think that we were already doing all the right things.”
In light of the December budget, Velenosi does not anticipate any change in program delivery. “Specifically for the Treasury Board of Canada Secretariat, as we have the lead on Government On-line, the budget allocated $600 million over the next four years. We were quite pleased with the commitment to a four-year agenda, which allows us to move forward on the initiative one year at a time.
“Having that (commitment) allows us to move forward on the enabling infrastructure and work with our partner departments to deliver services to the online channel…The government has committed investment in these very specific areas to ensure the safety of Canadians and the continuity of government services and services in general.”
Outside IT circles, it was no longer inconceivable after 9/11 that government Internet and telecommunications networks might be compromised. But according to Max London, manager of public affairs for the new federal Office of Critical Infrastructure Protection and Emergency Preparedness, 9/11 has neither impeded nor changed the governments’ ability to offer services to the public.
The office was launched in February 2001, London notes, and network security and cyber incident analysis strategies were subsequently updated to account for the devastating attacks. “The Government On-line program is still kicking. From our perspective, we were already advancing, as a relatively new organization, our program of cyber protection and critical infrastructure protection. If anything, our work has accelerated because of Sept. 11.”
No links have been drawn between Internet worms and viruses and terrorists, London says. “There is a heightened vigilance (with respect to online security), but it’s always a priority.”
Network security was already high on the government agenda; now it’s the number one IT issue in and outside government, said Brian O’Higgins, chief technology officer and founder of Ottawa-based Entrust. Entrust is the security provider for both Government On-line (internal government usage) and Secure Channel (government to citizen). As the push to leverage e-services continues, O’Higgins contends, so does the need for enhanced security such as Public Key Infrastructure (PKI) to provide identification, verification, privacy and security management. O’Higgins noted that basic web browser-to-server encryption security such as SSL is like an “epsilon about nothing.”
“Of course governments are a target,” he said. “If there was anyone with a service on the Internet to get picked on, it would be them.
The government was already going ahead with the deployment of security, but now it’s got more much intensity, much more into the foreground. Anything going forward will have more attention to security on it…(Sept. 11) is actually a benefit to rolling out stuff online.”
Robb Stoddard, CIO at Alberta’s Ministry of Innovation & Science, said Sept. 11 has reinforced the fact that privacy and security issues are paramount. Given the nature of personal information government holdings and the high standard that the public holds governments to in the protection of that information, appropriate, reliable authentication is a key component of any system that exchanges information.”
Stoddard said that in Alberta, there has been no discernable change in e-service delivery.
“We have not seen any effect on the services currently offered electronically by the Alberta Government. What we have seen is a change in public perception regarding the need for a higher level of security, and perhaps more of a tolerance towards security measures that, prior to Sept. 11, would have been viewed as an inconvenience.
Network security has always been a priority and will continue to be. What Sept. 11 did highlight was a need to review and update our business continuity and disaster recovery plans. People now realize that anything is possible when it comes to extremists.”
Changes to privacy and security laws shouldn’t affect the services governments can offer simply because governments are by law required to do so and because citizens already expect it, noted Dave Nikolegsin, executive director of network services with the government of B.C. On the surface, Nikolegsin added, citizens will notice very little day-to-day difference.
“I think that if anything, it’s probably going to be a boost to some of the things that average citizens would see because you are now seeing more willingness to look at more integrated security solutions…(and) more common access as opposed to (departments) going more on their own and developing solutions – there’s much more of a general acceptance towards integrated authentication and security mechanisms. I think that actually manifests itself to the citizen as being an improvement because there are fewer differences in the way they access different government programs.”
Adel Melek, national leader of Deloitte & Touche’s secure e-business consulting service, contends that this shift in public perception has actually assisted IT security departments by raising the profile of online and network security.
“The level of security has been heightened within the public sector within the past few months. As a result of Sept. 11, people are figuring out that these things are real.
“It is no longer the view that it’s a bunch of security guys just trying to scare everybody. We’re seeing more organizations in the public sector focused on contingency planning and recovery planning.”
Melek said that previously discussed initiatives are now starting to gain visibility and several provinces are looking at a proactive, nation-wide system of Information Protection Centres (IPC’s) that would detect intrusion viruses: “We’re seeing organizations thinking and talking about physical security and access to their premises. We’re hearing about evacuation plans and health and safety of individuals.”
On the municipal level, John Dunning, director of IT for the City of Vancouver, said major cities like Vancouver have also refocused their efforts to protect data.
“What is a city? A city is made up of physical things like our roads and streets. But more importantly, it’s about our information, various bylaws and rules and regulations, information that our citizens need,” Dunning said.
“I can’t stress it more; data is our most important commodity. The Sept. 11 occurrence gave us an opportunity to review what we were doing, support our city management and explain to them that we are taking care of the data…we’re not going out of our way to change, so I think the key word is status quo.”
If security organizations were doing their job correctly, Sept. 11 should simply be viewed as a wake-up call, said Patrick Holger, director of IT security for the province of Manitoba. Holger noted that the potential threat of coordinated cyber attacks doesn’t necessarily change anything from a security perspective.
“For security professionals,” Holger said, “it reaffirmed why it is security officials that tend to be vigilant towards issues. The Manitoba government established its IT security department four years ago and we’ve been identifying threats and vulnerabilities to our network infrastructure for some time. It’s a constant and evolutionary process as new threat agents and new vulnerabilities (appear) – we’re in a constant life cycle management over IT already.”
Tim Whelan, senior advisor, Security and Privacy, Government of Saskatchewan agreed, adding that there haven’t been any “dramatic changes” in security efforts since Sept. 11. Whelan noted that Saskatchewan is implementing CommunityNet, its public sector data network. “We do believe now is the time to focus on network security, locally and nationally. (Saskatchewan) is going from an individual network with 700 connections to a centralized public sector network…our security profile will improve dramatically when that is fully realized.”
As for a nation-wide network, Whelan said the implementation of large-scale end-to-end e-procurement depends on the cooperation of the federal government and the larger provinces.
Velenosi said the new federal security policy will call for additional work on standards, including network security. “It’s a balance one tries to strike between ensuring the interoperability of departmental networks as well as ensuring the appropriate firewalls and intrusion capabilities are there.”
It appears that any prior dissonance regarding visible and verifiable security tools, such as PKI, has been supplanted by a renewed commitment to a centralized system. Although 9/11 occurred after the safe and secure public sector e-procurement ball had started rolling, the pace has been hastened. Added Velenosi: “We were already moving forward on enhancing our backbone networks and our infrastructure and ensuring the security of our backbone. We were already working on a Public Key Infrastructure rollout – we had the government security policy review under way, ready to go out and remind departments of their obligation under the policy. I think that from an information technology security posture, we were already starting to do those things because of ensuring the security of privacy law and online services.”
The general consensus, Melek said, is that while government departments always had the right vision, Sept. 11 has had the effect of putting everyone on the same wavelength. The fundamental core processes and service offerings haven’t changed, but a sense of urgency has been created: “Security is a journey, not a destination.”
Ryan B. Patrick is a staff writer for IT World Canada (www.itworldcanada.com) in Toronto. He may be contacted at rpatrick@itworldcanada.com