Massive Software Flaw With Global Reach Forces Quebec to Shut Government Websites

Quebec Minister for Government Digital Transformation Eric Caire speaks during a news conference in Montreal, August 24, 2021. The Canadian Press/Graham Hughes
The Canadian Press

MONTREAL—Almost 4,000 Quebec government websites were shut down over the weekend as a preventative measure following threats of a cyberattack, the province’s minister of digital transformation said Sunday.

Eric Caire made the announcement at an afternoon press conference in Quebec City, during which he said all official government websites would be taken offline until further notice.

“We’re kind of looking for a needle in a haystack,” Caire said. “Not knowing which websites use the software, we decided to shut them all.”

The closure comes on the heels of a recently discovered software vulnerability in a Java-based library of an Apache product—known as Log4j—which the Department of National Defence said could affect thousands of organizations worldwide.

The Common Vulnerability Scoring System, also used widely around the world, has assessed the current threat at a 10 out of 10.

Caire said Quebec learned of the issue on Friday and has been working to identify which websites are at risk, one by one, before putting them back online.

“Once a system has been analyzed, if it turns out that it’s not using the problematic library, the system is automatically back online,” Caire said. “If it uses it, a fix is made. Once we make sure the system is operational, it gets back online.”

Caire said the government doesn’t keep an inventory of which websites use the Apache software.

“It’s like saying how many government offices use 60-watt bulbs, we have to go around and look at each one of them,” Caire said, without specifying how long the verification process will take.

The province’s Clic Sante portal used for booking COVID-19 vaccine appointments across Quebec was already back online as of Sunday afternoon, while the site for Revenue Quebec among others was still down.

Caire said the provincial vaccine passport system was never at risk, saying it doesn’t require the Apache software.

Marc-Etienne Leveille, a cybersecurity expert for the international internet security company ESET, said global internet traffic has spiked significantly since Friday, adding he’s noticed many users trying to find vulnerable services to hack.

He said while the software’s vulnerability should not impact the general public, websites storing personal data—such as the Canada Revenue Agency—are more at risk of being compromised.

The vulnerability allows code to be executed over the internet, Leveille said.

“The flaw allows it to bypass security, in other words,” he said.

The province, however, has no current indication that systems have been compromised or personal data was accessed, Caire said at the news conference.

The Canada Revenue Agency, which took similar precautions by taking its web-based services offline after learning of the potential vulnerability on Friday, issued a statement saying nothing so far suggests its systems have been compromised.

Leveille welcomed the government’s precautionary measures, saying it might have prevented major data breaches.

“One of the big problems was that everyone was made aware of the flaw at the same time,” Leveille said. “The developers and its users didn’t have time to correct the issue before people started to jump on the vulnerability. And since there are a lot of systems that use the software across the world, it will take many months to find which ones are vulnerable to that flaw.”

Federal Defence Minister Anita Anand issued a statement Sunday saying the government is aware of the security risk and calling on Canadian organizations to “pay attention to this critical internet vulnerability.”

“Out of an abundance of caution, some departments have taken their services off-line while any potential vulnerabilities are assessed and mitigated,” Anand said. “At this point, we have no indication these vulnerabilities have been exploited on government servers.”

By Virginie Ann