This stunning revelation just in from the Auditor General: Canada’s government is at sea when it comes to computer security. In a wooden ship. With a jammed cannon. Shouting “Bang” at bad guys.
OK, he didn’t say that. Auditors General don’t use that kind of language. Instead they say “Between 2001 and 2009, the government made limited progress in its efforts to lead and coordinate the protection of Canada’s critical infrastructure from cyber threats as these threats were rapidly evolving.”
Or “Eleven years after the government said it would establish partnerships with other levels of government and with critical infrastructure owners and operators to help protect Canada’s critical infrastructure, not all of the sector networks that facilitate these partnerships are fully established, and coverage is incomplete. This lack of progress limits Public Safety Canada’s ability to communicate with critical infrastructure owners and operators.”
Or “Seven years after the Canadian Cyber Incident Response Centre (CCIRC) was created to collect, analyze, and share cyber threat information among federal departments, provincial and territorial governments, and the private sector, many stakeholders are still unclear about the Centre’s role and mandate…. Furthermore, the Centre is still not operating on a 24-hour-a-day, 7-day-a-week basis, as originally intended. This restriction on operating hours can delay the detection of emerging threats and the sharing of related information among stakeholders.”
Or “The January 2011 intrusion on government systems identified weaknesses in protecting these systems. Incidents were not reported in a timely manner and cyber threat information was not properly shared with appropriate agencies. Also, good information technology (IT) security practices, such as how to store sensitive information, were not consistently followed.”
With hostile governments engaging in massive espionage (how do you say “Hello” in Chinese?) and massive denial-of-service attacks on banks by governments and freelance militants, attacks that are probably testing the bits and pieces necessary for what the U.S. Defence Secretary has called a possible “cyber Pearl Harbor,” our government has leaped into committee and is firing a barrage of press releases.
Is anyone surprised? Honestly, when you watch MPs fumble files that don’t require specialized knowledge and that you know they’ve been studying for years, and when you’re certain 95% of them couldn’t find Regedit with a flashlight, what chance is there that they’d be on top of this problem? As for the public service, I’m sure there are people in it who see very clearly how bad this is. But what’s the chance that our swollen and dysfunctional executive branch could develop coherent, substantive policy, as opposed to public relations policy?
Hey everyone. “Bang”. Scared now?