Despite warning, many small government bodies still aren't using special cyber defences: report
NSICOP warned that protected organizations 'potentially act as a weak link in the government's defences'
Despite a stern warning from one of Canada's security review bodies, most Crown corporations, smaller government departments and agencies haven't heeded the call to use specialized cyber defence sensors to protect their networks from state-sponsored attacks, says a recent report.
Last year, the National Security and Intelligence Committee of Parliamentarians released a report pointing to gaps in Ottawa's network.
The committee wrote that Crown corporations and small government departments and agencies (SDAs) — defined as those with fewer than 500 staffers and annual budgets of less than $300 million — are not required to follow the same cyber policies as other government departments. The report warned this state of affairs could pose "a security risk to government networks."
"Those organizations receive, hold and use the sensitive information of Canadians and Canadian businesses, information that is at risk of compromise by the most sophisticated of cyber actors, including states," the report said.
"Moreover, unprotected organizations potentially act as a weak link in the government's defences by maintaining electronic connectivity to organizations within the cyber defence framework, creating risks for the government as a whole. These challenges are well known to the government."
NSICOP's report — which was submitted to Prime Minister Justin Trudeau in August 2021 and tabled in Parliament in February 2022 — said that while China and Russia are the most sophisticated cyberthreat actors targeting the federal government, Iran and North Korea have "moderately sophisticated" capabilities.
The committee has recommended that the cyber defence sensors of the Communications Security Establishment (CSE) be extended to cover all federal entities.
But new numbers from the CSE, Canada's cyber intelligence and security agency, show that less than half of Crown corporations and smaller departments and agencies "whose IT infrastructure is outside the government's network defences" followed that recommendation.
"Since March 2020, the number of Crown corporations and SDAs signed up for our sensors has grown from 12 to 37 (out of 86)," says the CSE's 2022-2023 report.
"The Cyber Centre continues to view this sector as a high priority and is working to onboard more federal institutions to our services."
CSE sensors process over 200K events per second
Robyn Hawco, CSE spokesperson, said the agency uses its own in-house technology — called Host-Based Sensors, or HBS — on government servers, laptops and desktops.
"To put it simply, each sensor securely gathers system data, while protecting the privacy of those using this service. That data is fed back to our experts for analysis. They map any malicious activity, such as malware trying to download, and document the recipe to inoculate other devices from being infected in future," said Hawco.
"The HBS technology is user-friendly and not only detects but also neutralizes malicious activity, automatically."
The sensors process over 200,000 host events per second, she said.
In a media statement, the Treasury Board said Crown corporations and smaller agencies are ultimately responsible for their own cyber defence decisions.
"All federal organizations, including Crown corporations, can access the government's cyber defence services and TBS continues to encourage them to take advantage of the full complement of the government's cyber defence services," says the statement.
Treasury Board said Shared Services Canada is working to provide an initial group of 43 small departments and agencies with advanced cyber defence services, using funding earmarked in the 2022 federal budget.
"In addition, all federal organizations, including Crown corporations, can enter into agreements in order to align with TBS cyber defence policies, or to seek cyber defence services from the Cyber Centre," says the statement.
Testifying before a Senate committee earlier this year, NSICOP member Sen. Frances Lankin said government inertia is the reason why the committee's recommendation was meant to be compulsory.
"In this report, we saw very clearly that there are gaps and those gaps are dangerous for Canadians and dangerous for our national security, personal data," she said.
"I think that there is a willingness to move, but there's great reluctance and inertia at times within large departmental structures and the interdepartmental relations."
NSICOP has been ignored before
It's not the first time government departments and agencies have failed to act on recommendations from NSICOP, a special committee made up of MPs and senators.
The committee released a report back in 2019 that urged Ottawa to take the threat of foreign interference more seriously.
"Canada has been slow to react to the threat of foreign interference," wrote the committee in a 2019 report looking at the government's response to foreign meddling.
"The government must do better."
After at first not responding to the report, Trudeau acknowledged his government should be doing a better job.
"We have to do a better job on following up on those recommendations. I fully accept that," he told a news conference back in March.
Those comments came as Trudeau announced he was asking NSICOP to review the state of foreign interference in Canada's democratic processes since 2018.
NSICOP has since agreed and the review is ongoing.