Federal government’s renewed investment in cyber-security not enough, critics say

by Jordan Press

Postmedia News
October 17, 2012

OTTAWA — The federal government poured more money Wednesday into it cyber-security strategy, but some experts said the Conservatives don’t have a good handle on how exactly to keep digital infrastructure safe from ever-evolving threats.

Opposition critics have suggested that their own parties also don’t know enough about the threats to ensure the government’s systems are safe from malicious hacks.

The $155-million disbursement comes one week before the auditor general is to release an audit on how well the government works with provinces, territories and the private sector on cyber-security. In the past two years, hackers have successfully attacked the Treasury Board, Department of Finance and the parliamentary website.

The new money also comes amid rising concerns about cyber-threats from countries such as China, although Public Safety Minister Vic Toews wouldn’t identify any particular country as being a threat to national security.

The size of the investment — far more than the original $90 million allocated to the strategy in 2010 — may give a hint at the size of the security holes the government is trying to fill.

“Given the size of the original commitment and this additional investment, the implication of the latter being so much greater than the former, the government may have concluded there are holes,” said Daryl Copeland, a senior fellow at the Canadian Defence and Foreign Affairs Institute who monitors digital issues.

“The likely implication seems to me is that it’s pre-emptive damage control, so we shall see.”

The $155 million in spending, spread over five years, will go to the Canadian Cyber Incident Response Centre. A government release said the money will allow the centre to “improve incident response across Canada” and “enhance the ability of government and its partners to maintain awareness of the cyber environment.”

Toews said the money would strengthen federal IT infrastructure against cyber-threats, although he didn’t detail specific initiatives.

“We’re constantly looking at ways to upgrade our security system. That sometimes requires the input of money, technology and indeed legislation,” he told reporters. “We have a very robust system, but we would be living in a fool’s world if we think we can establish any kind of legislative framework or a technological framework and have that last indefinitely. This is a constant struggle because of the nature of technology.”

China has been openly named by American legislators as a problem country in terms of cyber threats.

Experts have said China is not the only country to raise concern: Last year, Canada was ranked the sixth most likeliest nation to host cyber-criminals.

“We’re quite aware of any potential threats in respect to compromises in our security and we will take appropriate actions,” Toews said. “I can assure you this announcement is not only in response to concerns that have been raised, but part of our ongoing strategy that we announced two years ago to ensure that Canadian infrastructure both in terms of government and the private sector is as best as we can possibly make it.”

Cyber-security critics argue the Canadian Cyber Security Strategy is short on specific commitments and doesn’t address larger issues, such as how to work with international partners and the private sector to secure vast digital networks. Opposition parties argued the announcement showed the government was making things up as it goes along.

“All governments all around the world are having difficulties keeping up with technological change,” said interim Liberal leader Bob Rae. “Government is not supple enough, not quick enough, to respond to these things and the people that are doing these things out there are very supple, very fast.”

David Skillicorn, a cyber-security expert from Queen’s University in Kingston, Ont., said it isn’t just governments that have difficulty keeping up with technological change. ”Most private companies don’t even understand the scope of the problem,” Skillicorn said.

The money would be better spent having the Communications Security Establishment — the highly secretive federal agency that protects the government’s IT systems — oversee the policy, Skillicorn said.

“The missing piece (in the policy) is people who are thinking strategically about this,” Skillicorn said. “Those guys know the technical stuff backwards.”

Copeland said flaws in the plan to protect federal IT systems stem from a lack of understanding within the federal government of the nature of cyber-based threats.

“Most of the people in leadership positions cut their teeth in the Cold War … and the new threat set is quite alien,” Copeland said.

Cyber security has become a growing issue for the Conservatives and governments worldwide, especially as more services move online to cut down on costs.

Earlier this year, a denial of service attack took down the parliamentary website. In 2011, foreign-based hackers using servers in China hacked into Treasury Board and Department of Finance systems looking for personal and financial information. In the United States, Defense Secretary Leon Panetta said hackers have cracked American government systems. Denial of service attacks have taken down websites for a number of U.S. government agencies, including the FBI.

Amid that backdrop, Panetta warned last week of the potential for a “cyber Pearl Harbor” — a digital attack so well planned that it would take down key infrastructure and leave the United States vulnerable to traditional military attacks.