Many federal departments and entities are still not falling into line with the Canadian government’s cyber defence framework, says a special committee of parliamentarians, putting some government information “at significant risk.”
“Unprotected organizations potentially act as a weak link in the government’s defences by maintaining electronic connectivity to organizations within the cyber defence framework, creating risks for the government as a whole,” says the committee’s report.
Weak links
For example, it notes, in 2020 an unnamed Crown corporation’s network was compromised by a nation-state, which used its access to compromise several government departments accessing “significant amounts of information.” The Crown corporation is not subject to the oversight of Treasury Board — which sets federal cyber policy — and didn’t use Shared Services Canada’s (SSC) secure Enterprise Internet Service. Nor has it implemented a government recommendation to use that network.
Seventy-five organizations that fall outside of Treasury Board direction and SSC’s Enterprise Internet Service are primarily Crown corporations and what the report calls government “interests” that are meant to be independent of government direction. Most have considerable latitude to develop and secure their own information technology infrastructure, and many contract private sector companies to provide their infrastructure, host their data and protect their systems, notes the report. “Nonetheless, those organizations ultimately hold fiduciary and accountability requirements” to the federal government, the report adds.
Even where a department is subject to Treasury Board and SSC direction, it can refuse it, the report adds. In fact, three months before the 2020 attack, SSC shut down an unnamed government department’s weak single-factor authentication service only to have its decision reversed by departmental officials, despite a stronger alternative being available within two weeks. “This was a key factor in the cyberattack,” the report says.
The report was written by 14 members of Parliament — 11 MPs and three Senators — called the National Security and Intelligence Committee of Parliamentarians. The committee’s job is to oversee the work of Canada’s national security and intelligence organizations.
Its full report was submitted to Prime Minister Justin Trudeau last August. An edited version was released to the public last month.
The approach
The government is trying to create a horizontal approach to cybersecurity, the report says, where its many departments and agencies treat government systems and networks as a single entity, much as private sector companies do.
However, some unnamed individual agencies and Crown corporations “retain significant discretion” under rules of Treasury Board, the Communications Security Establishment and SSC on whether they decide “to opt into the government cyber defence framework or to make the changes necessary to protect their systems from sophisticated threats.”
These agencies were set in a pre-digital era “and should be updated for new technologies and threats,” the report says.
Under the framework, three organizations — Treasury Board of Canada Secretariat, Shared Services Canada (SSC) and the Communications Security Establishment (CSE) — oversee the government’s cyber strategy.
Shared Services Canada, as its name suggests, currently provides a range of shared IT infrastructure and services, says the report, such as email and websites. But only 43 departments and agencies subscribe to all of SSC’s services. By 2024, 61 more departments and agencies that do not currently use the SSC Enterprise Internet Service will be on it.
SSC has so far consolidated more than 720 government datacentres into 381. It has also reduced the number of federal Internet access points from approximately 100 to two, with plans to add regional hubs for a total of 5 secure connections. Fewer internet connections make it easier to protect the entire network, the report notes. However, SSC doesn’t provide email, datacentre, or network services to any department that stores Top Secret information.
The report adds there are four unnamed departments and agencies that connect to government networks through third-party internet providers that had few or no defensive measures, posing a serious risk. There is a four-year program to upgrade these and other departments to use the SSC network.
The CSE, the government’s electronic spy agency, is charged with protecting networks, but Treasury Board has responsibility for overall governance and sets cyber policies for service delivery. The federal CIO reports to Treasury Board.
But the report says no government departments are obligated to use one or more of CSE’s cyber defence sensors.
Security framework
Broadly speaking, the report says the framework is aimed at having government systems fall within a single perimeter, with a handful of access points to the Internet that are monitored by sophisticated sensors capable of detecting and blocking known threats. In addition, defences are layered, with specialized sensors capable of detecting and blocking threats deployed both on individual devices and in cloud environments. Departments continually update and patch their devices and systems under the co-ordinated direction, advice and guidance of the CSE, SSC and Treasury Board.
The framework requires deputy department heads to appoint a chief security officer responsible for providing leadership, co-ordination, and oversight of departmental security activities under a three-year security plan that must address eight security controls, four of which involve cybersecurity.
However, the report says these policies “are not uniformly applied; individual departments and agencies retain considerable latitude whether to opt into the framework or to accept specific defensive technologies; and a large number of organizations, notably Crown corporations and potentially some government interests, neither adhere to Treasury Board policies nor use the cyber defence framework.”
The report acknowledges that the government “has significantly reduced the likelihood of cyberattacks being successful” because most federal departments and agencies receive internet services from Shared Services Canada.
As an example, it cites the quick response to word in March, 2021 of cyberattacks by a group against a previously unknown vulnerability in on-premises Microsoft Exchange email systems. Microsoft dubbed the group Hafnium. Western intelligence agencies said it is based in China. Treasury Board, SSC and the CSE’s Canadian Centre for Cyber Security worked with departments to identify and patch their vulnerabilities, the report says. Only one government department was affected. As of June 2021, no federal government organizations were found to have suffered any data losses from the attack.
Recommendations
The report makes several findings:
- First, departments should be applying Treasury Board policies and directives consistently. Since 2006, the report says, on four separate occasions, Treasury Board has issued ‘mandatory’ direction to government departments requiring them to use secure Internet services. “This suggests that government organizations still exercise considerable discretion on which Treasury Board direction they accept and when,” the report says. As of August 2021, only 94 of 169 federal organizations subscribe to SSC’s Enterprise Internet Service, the report says;
- Second, the series of orders in council that establish SSC’s mandate and responsibilities for cybersecurity services creates a “patchwork of coverage for government organizations;”
- and third, the government must establish CSE cyber protection for those organizations that are not considered federal departments or agencies but are digitally tied to the federal government.
Some of these organizations may have privacy concerns about CSE in particular monitoring system network traffic, email or web browsing, the report admits. But it notes that the CSE Commissioner found there were very low levels of privacy implications associated with CSE cyber defence activities conducted under ministerial authorization. More importantly, the report adds, by opting out of federal protection, these organizations are leaving data and the integrity of systems “vulnerable to the world’s most sophisticated cyber threats.”
