Facing cybersecurity threats, Quebec shuts down government websites for evaluation

Quebec will be shutting down close to 4,000 government websites following the threat of an international cyberattack on a widely used logging system.

Some 3,992 provincial government websites could be at risk, including those related to health, education and public administration, according to Éric Caire, Quebec's minister for government digital transformation.

At a news conference on Sunday, Caire said there is no indication the government was the victim of a successful cyberattack, and he called the decision to halt access to public-facing websites a "preventative measure."

"We were facing a threat with a critical level of 10 out of 10," he said. "According to the new protocols by the head of government information security, [that rating] automatically calls for the closure of the targeted systems."

Caire said the at-risk websites, which use the Apache Log4j logging library, are being inspected and will become available to the public once they are cleared of vulnerabilities.

The ClicSanté portal used to book COVID-19 vaccine appointments in the province does not use the compromised logging system, so the website remains accessible. 

Prevention mode

Although the number of targeted websites is in the thousands, Caire says the public can expect most to return online fairly quickly because they aren't all highly solicited.

Detecting the vulnerability in a website is a short process, but without an inventory, he says, verifying whether all of the websites use the affected library could take several days.

"It's like saying how many rooms in all Quebec government buildings use 60-watt light bulbs," he said. "I don't know, so you go to each room and see if it's a 60-watt."

Eric Parent, a cybersecurity specialist and the CEO and founder of EVA Technologies, says the government's systematic approach is a strategy every cybersecurity expert would recommend.

"We've also seen attackers exploit [the vulnerability] in various parts of the world, which means they're ready to use it," he said.

"The best scenario is to turn everything off and reset every system as you know that they're OK."

The province joins the Canada Revenue Agency, which put its online service on hold Friday after it learned of a "security vulnerability affecting organizations around the world."