Politics

Despite warning, many small government bodies still aren't using special cyber defences: report

Despite a stern warning from one of Canada's security review bodies, most Crown corporations and smaller government departments haven't heeded the call to use specialized cyber defence sensors to protect their networks from state-sponsored attacks, says a recent report.

NSICOP warned that protected organizations 'potentially act as a weak link in the government's defences'

This Feb 23, 2019, file photo shows the inside of a computer. The Biden administration will offer rewards up to $10 million for information leading to the identification of foreign state-sanctioned malicious cyber activity against critical U.S. infrastructure, including ransomware attacks. The administration is launching the website stopransomware.gov to offer the public resources for countering the threat.
Last year, the National Security and Intelligence Committee of Parliamentarians recommended the cyber defence sensors of the Communications Security Establishment be extended to all federal organizations. (Jenny Kane/Associated Press)

Despite a stern warning from one of Canada's security review bodies, most Crown corporations, smaller government departments and agencies haven't heeded the call to use specialized cyber defence sensors to protect their networks from state-sponsored attacks, says a recent report.

Last year, the National Security and Intelligence Committee of Parliamentarians released a report pointing to gaps in Ottawa's network. 

The committee wrote that Crown corporations and small government departments and agencies (SDAs) — defined as those with fewer than 500 staffers and annual budgets of less than $300 million — are not required to follow the same cyber policies as other government departments. The report warned this state of affairs could pose "a security risk to government networks."

"Those organizations receive, hold and use the sensitive information of Canadians and Canadian businesses, information that is at risk of compromise by the most sophisticated of cyber actors, including states," the report said. 

"Moreover, unprotected organizations potentially act as a weak link in the government's defences by maintaining electronic connectivity to organizations within the cyber defence framework, creating risks for the government as a whole. These challenges are well known to the government."

NSICOP's report — which was submitted to Prime Minister Justin Trudeau in August 2021 and tabled in Parliament in February 2022 — said that while China and Russia are the most sophisticated cyberthreat actors targeting the federal government, Iran and North Korea have "moderately sophisticated" capabilities.

The committee has recommended that the cyber defence sensors of the Communications Security Establishment (CSE) be extended to cover all federal entities.

But new numbers from the CSE, Canada's cyber intelligence and security agency, show that less than half of Crown corporations and smaller departments and agencies "whose IT infrastructure is outside the government's network defences" followed that recommendation.

"Since March 2020, the number of Crown corporations and SDAs signed up for our sensors has grown from 12 to 37 (out of 86)," says the CSE's 2022-2023 report.

"The Cyber Centre continues to view this sector as a high priority and is working to onboard more federal institutions to our services."

CSE sensors process over 200K events per second

Robyn Hawco, CSE spokesperson, said the agency uses its own in-house technology — called Host-Based Sensors, or HBS — on government servers, laptops and desktops.

"To put it simply, each sensor securely gathers system data, while protecting the privacy of those using this service. That data is fed back to our experts for analysis. They map any malicious activity, such as malware trying to download, and document the recipe to inoculate other devices from being infected in future," said Hawco.

"The HBS technology is user-friendly and not only detects but also neutralizes malicious activity, automatically."

The sensors process over 200,000 host events per second, she said.

The new Communications Security Establishment Canada (CSEC) complex is pictured in Ottawa on October 15, 2013. The federal cybersecurity centre says foreign countries are very likely to try to advance their agendas in 2019 -- a general election year -- by manipulating Canadian opinion through malicious online activity. In a report today, the Canadian Centre for Cyber Security warns that state-sponsored players can conduct sophisticated influence operations by posing as legitimate users.
The Communications Security Establishment complex in Ottawa on October 15, 2013. CSE said it encourages Crown corporations "to opt into the full range of cyber security services we offer." (Sean Kilpatrick/Canadian Press)

In a media statement, the Treasury Board said Crown corporations and smaller agencies are ultimately responsible for their own cyber defence decisions.

"All federal organizations, including Crown corporations, can access the government's cyber defence services and TBS continues to encourage them to take advantage of the full complement of the government's cyber defence services," says the statement. 

Treasury Board said Shared Services Canada is working to provide an initial group of 43 small departments and agencies with advanced cyber defence services, using funding earmarked in the 2022 federal budget.

"In addition, all federal organizations, including Crown corporations, can enter into agreements in order to align with TBS cyber defence policies, or to seek cyber defence services from the Cyber Centre," says the statement.  

Testifying before a Senate committee earlier this year, NSICOP member Sen. Frances Lankin said government inertia is the reason why the committee's recommendation was meant to be compulsory. 

"In this report, we saw very clearly that there are gaps and those gaps are dangerous for Canadians and dangerous for our national security, personal data," she said.

"I think that there is a willingness to move, but there's great reluctance and inertia at times within large departmental structures and the interdepartmental relations."

NSICOP has been ignored before

It's not the first time government departments and agencies have failed to act on recommendations from NSICOP, a special committee made up of MPs and senators.

The committee released a report back in 2019 that urged Ottawa to take the threat of foreign interference more seriously.

"Canada has been slow to react to the threat of foreign interference," wrote the committee in a 2019 report looking at the government's response to foreign meddling.

"The government must do better."

After at first not responding to the report, Trudeau acknowledged his government should be doing a better job. 

"We have to do a better job on following up on those recommendations. I fully accept that," he told a news conference back in March. 

Those comments came as Trudeau announced he was asking NSICOP to review the state of foreign interference in Canada's democratic processes since 2018.

NSICOP has since agreed and the review is ongoing.

ABOUT THE AUTHOR

Catharine Tunney is a reporter with CBC's Parliament Hill bureau, where she covers national security and the RCMP. She worked previously for CBC in Nova Scotia. You can reach her at catharine.tunney@cbc.ca

Add some “good” to your morning and evening.

Your weekly guide to what you need to know about federal politics and the minority Liberal government. Get the latest news and sharp analysis delivered to your inbox every Sunday morning.

...

The next issue of Minority Report will soon be in your inbox.

Discover all CBC newsletters in the Subscription Centre.opens new window

This site is protected by reCAPTCHA and the Google Privacy Policy and Google Terms of Service apply.