Canada Falling Behind on Critical Infrastructure Cyber Security
After 15 years and nearly $1 billion in spending, Canada’s cyber security efforts to protect critical infrastructure such as the country’s power grid, banking and telephone systems, as well as the government’s own networks, suffer from a lack of direction and might not be keeping up with the current threats, according to Canada’s auditor general.
According to an article from the Vancouver Sun, the lack of detail about how much money has gone to cyber security, and about what Canadians have received in return, stems from weaknesses in the government’s cyber security policy: “there is a strategy to secure networks, but no action plan to identify who is supposed to do what,” the Sun reports.
While the government agrees with all of the recommendations in Auditor General Michael Ferguson’s Fall 2012 report, officials stressed that the threats facing government systems are getting worse, the article says.
The following is an excerpt from the Vancouver Sun’s coverage:
“The federal government has stated that the frequency and severity of cyber threats are growing and that protecting Canadians in cyberspace will be a constantly evolving challenge,” Ferguson’s audit said. “Officials told us that the government has concerns that the cyber threat environment is evolving more rapidly than the government’s ability to keep pace.”
The fall report was the first review of the government’s cyber-security strategy, a document released in 2010 almost 14 years after the federal government first admitted it needed to do more to protect its cyber systems.
In the last decade, about $980 million in spending was approved for 13 departments that asked for money for cyber-security.
Where the money went hasn’t always been clear.
The audit said $570 million had gone to the Communications Security Establishment (CSE), the super-secret agency charged with protecting key government systems from online threats, but that money was for a variety of programs.
Overall, the audit team was unable to identify precisely how a further $200 million of the $980 million was used for cyber-security. And of the remaining $210 million, only about $20.9 million was directed towards cyber-security between 2001 and 2011, and about $190 million couldn’t be accounted for under the cyber-security umbrella itself; for example, some of it may have been spent on general IT.
This year, the government added $31 million for cyber-security to four departmental budgets, part of $155 million over five years made public last week. That funding was approved in April, and is in addition to the $90 million over five years the government committed to its cyber-security strategy in 2010.
That money was also supposed to help the Canadian Cyber Incident Response Centre provide information on cyber-threats, but the centre has yet to operate on a 24/7 basis as originally intended, auditors found. The government has committed to expanding hours of operation to 15 hours a day.
Sharing information within the government has been problematic with so many departments and agencies involved in cyber-security, including the CSE, which for security concerns hasn’t been sharing information with the cyber incident response centre. That is expected to change by the end of November.
Sharing information with the private sector has also been slow to materialize.
The government identified 10 industry sectors as being at high risk of cyber-attacks, such as energy, telecommunications and finance, and intends to share information and best practices with them. Auditors found that six of the sector working groups had incomplete memberships and only half had talked about cyber-security.
“The government’s approach to implementing its Cyber Security Strategy was to use sector networks with critical infrastructure owners and operators to build the partnerships needed to secure systems,” auditors wrote. “However, since sector networks are only now starting to develop and are incomplete in coverage, one of the principal mechanisms for implementing the Cyber Security Strategy has been missing.”