Canada’s creaking government IT infrastructure is about to get an update that will help address the security gaps that let hackers break into sensitive government records in January.
While the move is presented as a way to save costs and improve efficiencies, one espionage expert says it was prompted by those attacks.
January’s cyber attack against the Finance Department and Treasury Board was a wake-up call to the government and part of the push for the new agency, said Michel Juneau-Katsuya, former head of the Asia desk for CSIS (Canadian Security Intelligence Service) and author of “Nest of Spies.”
“At that point, the government realized ‘we are in serious trouble here’,” he said. “The attack was ultimately the final straw that broke the camel’s back and forced the government to realize they were seriously deficient.”
Juneau-Katsuya said some government systems are “generations behind.”
Public Works Minister Rona Ambrose and Treasury Board President Tony Clement announced last week that the agency, Shared Services Canada, will take control of many IT functions now carried out by separate IT departments in 44 departments and agencies.
While various government departments and agencies will maintain specialized IT personnel and systems, the new agency will take over email, data centres, and the major networks that span government.
That means one email system for the entire government rather than the patchwork of over 100 systems now in place. The new agency will also reduce the number of data centres from 300 to 20 and streamline electronic networks.
A few months before January’s attacks, in late 2010 Public Safety Canada introduced its Cyber Security Strategy. The strategy notes: “The most sophisticated cyber threats come from the intelligence and military services of foreign states. In most cases, these attackers are well resourced, patient, and persistent. Their purpose is to gain political, economic, commercial or military advantage.”
The paper contains background about the danger, and pledges the government “will put in place the necessary structures, tools and personnel to meet its obligations for cyber security,” including limiting the number of gateways into the government’s computer systems.
But a spokesperson from Public Safety declined to answer what role the department had in creating Shared Services Canada.
To date, details are slim on how the Shared Services Canada will roll out, but government sources say within two months it will have taken over 7,000 existing personnel from other departments and agencies. Those personnel will keep their current desks and do much of the same work, but will be doing it under Shared Services.
While the government is playing up the cost savings of the new agency, referencing a similar IT consolidation efforts in Ontario that is racking up savings of $100 million a year, Ambrose said the priorities were set according to security needs.
“We will start with the consolidation and standardization of email, networks, and data centres because these are our most high risk assets in terms of security breaches. Using one email system, fewer platforms, and fewer data centres creates fewer points of entry, and of course, lowers the likelihood of cyber attacks.”
Ambrose said the new agency would strengthen the security of government data and better protect Canadians.
A well-placed government source said fewer points of entry make the system more secure, a key point in the 2010 strategy.
“The reality is that a simpler environment makes it easier to detect [intrusions] and a fewer number of access points actually make it easier for us to defend, and the combination of the two is certainly increasing and improving our security posture,” said the source.
The 2010 strategy also pledges the government will teach its staff about cyber security because “even the most sophisticated security systems can be undermined by simple human error.”
Juneau-Katsuya noted that January’s attack hinged on human error and used social engineering. Hackers posed as managers and asked employees to share passwords or open an infected file that looked like a memo.
“If people open emails that are infected, if people still expose themselves, you will still have exactly the same problem.”
Cyber security has become a major issue in recent years as waves of large-scale cyber attacks target government agencies and major companies around the world. And while most of the attacks originate in China, governments feign ignorance of where the attacks originate.
The United States, Australia, the United Kingdom and other countries have all faced sophisticated attacks originating in China. In the U.K., while the government said it was unsure where attacks came from, senior government sources declining to be named told The Times that it was China.
Similarly in Australia, while the government said it was unsure where the attacks came from, senior government sources, also declining to be named, told the Australian that it was China. In Canada the government also says it is unsure where attacks came from, but highly placed sources told the CBC they trace back to China.
While China routinely denies the allegation, the communist regime there is more frequently accused of cyber espionage than any other country. When Internet security company McAfee uncovered Operation Shady Rat this month—a massive hacking operation dating back to 2006 and targeting 72 organizations including defence contractors and the International Olympic Committee—the Chinese regime was quickly named the most likely culprit based on the scale of the attack and its targets.
While the move is presented as a way to save costs and improve efficiencies, one espionage expert says it was prompted by those attacks.
January’s cyber attack against the Finance Department and Treasury Board was a wake-up call to the government and part of the push for the new agency, said Michel Juneau-Katsuya, former head of the Asia desk for CSIS (Canadian Security Intelligence Service) and author of “Nest of Spies.”
“At that point, the government realized ‘we are in serious trouble here’,” he said. “The attack was ultimately the final straw that broke the camel’s back and forced the government to realize they were seriously deficient.”
Juneau-Katsuya said some government systems are “generations behind.”
Public Works Minister Rona Ambrose and Treasury Board President Tony Clement announced last week that the agency, Shared Services Canada, will take control of many IT functions now carried out by separate IT departments in 44 departments and agencies.
While various government departments and agencies will maintain specialized IT personnel and systems, the new agency will take over email, data centres, and the major networks that span government.
That means one email system for the entire government rather than the patchwork of over 100 systems now in place. The new agency will also reduce the number of data centres from 300 to 20 and streamline electronic networks.
Cyber Security Strategy
A few months before January’s attacks, in late 2010 Public Safety Canada introduced its Cyber Security Strategy. The strategy notes: “The most sophisticated cyber threats come from the intelligence and military services of foreign states. In most cases, these attackers are well resourced, patient, and persistent. Their purpose is to gain political, economic, commercial or military advantage.”
The paper contains background about the danger, and pledges the government “will put in place the necessary structures, tools and personnel to meet its obligations for cyber security,” including limiting the number of gateways into the government’s computer systems.
But a spokesperson from Public Safety declined to answer what role the department had in creating Shared Services Canada.
To date, details are slim on how the Shared Services Canada will roll out, but government sources say within two months it will have taken over 7,000 existing personnel from other departments and agencies. Those personnel will keep their current desks and do much of the same work, but will be doing it under Shared Services.
Savings And Security
While the government is playing up the cost savings of the new agency, referencing a similar IT consolidation efforts in Ontario that is racking up savings of $100 million a year, Ambrose said the priorities were set according to security needs.
“We will start with the consolidation and standardization of email, networks, and data centres because these are our most high risk assets in terms of security breaches. Using one email system, fewer platforms, and fewer data centres creates fewer points of entry, and of course, lowers the likelihood of cyber attacks.”
Ambrose said the new agency would strengthen the security of government data and better protect Canadians.
A well-placed government source said fewer points of entry make the system more secure, a key point in the 2010 strategy.
“The reality is that a simpler environment makes it easier to detect [intrusions] and a fewer number of access points actually make it easier for us to defend, and the combination of the two is certainly increasing and improving our security posture,” said the source.
The 2010 strategy also pledges the government will teach its staff about cyber security because “even the most sophisticated security systems can be undermined by simple human error.”
Juneau-Katsuya noted that January’s attack hinged on human error and used social engineering. Hackers posed as managers and asked employees to share passwords or open an infected file that looked like a memo.
“If people open emails that are infected, if people still expose themselves, you will still have exactly the same problem.”
Elephant in the Room
Cyber security has become a major issue in recent years as waves of large-scale cyber attacks target government agencies and major companies around the world. And while most of the attacks originate in China, governments feign ignorance of where the attacks originate.
The United States, Australia, the United Kingdom and other countries have all faced sophisticated attacks originating in China. In the U.K., while the government said it was unsure where attacks came from, senior government sources declining to be named told The Times that it was China.
Similarly in Australia, while the government said it was unsure where the attacks came from, senior government sources, also declining to be named, told the Australian that it was China. In Canada the government also says it is unsure where attacks came from, but highly placed sources told the CBC they trace back to China.
While China routinely denies the allegation, the communist regime there is more frequently accused of cyber espionage than any other country. When Internet security company McAfee uncovered Operation Shady Rat this month—a massive hacking operation dating back to 2006 and targeting 72 organizations including defence contractors and the International Olympic Committee—the Chinese regime was quickly named the most likely culprit based on the scale of the attack and its targets.