OTTAWA—Ottawa’s cyber-attack response centre meant to monitor threats to online security around the clock has only been operating during daytime hours, says a new report from the federal spending watchdog.
And the response centre, meant to serve as the “nerve centre” for the federal government’s cyber security strategy, has routinely been kept in the dark about hacking attacks, according to a new report from the Auditor General.
Opposition MPs jumped on the revelation, which comes just days after Public Safety Minister Vic Toews highlighted the need for increased cyber-security.
Liberal MP Francis Scarpaleggia asked if a corner store can remain open through the night, why can’t the government’s cyber-security hub.
“If 7-Eleven and Couche-Tard can stay open all night, why can’t the Incident Response Centre?” he said in a news release.
The federal public safety department created the Canadian Cyber Incident Reponse Centre (CCIRC) in 2005 to help reduce the risk to critical infrastructure by monitoring and analyzing cyber threats to non-government systems 24 hours a day, seven days a week and providing the latest and best advice for protecting against attacks.
Not so much, says the report, which also concluded that despite several incarnations of cyber security strategies and an estimated $780 million in funding since 2001, the federal government has been slow to meet its own goals.
The response centre was only staffed to operate from 8 a.m. to 4 p.m. five days a week, the audit found, although the federal government operations centre can page someone on call if a cyber attack or threat is reported after hours.
But the audit report says the centre should working around-the-clock to ensure “timely detection and notification” of cyber threats as well as communicating with foreign allies working in different time zones.
Auditor General Michael Ferguson said it’s vital to have the centre working around-the-clock to help coordinate Ottawa’s response to cyber attacks.
“It’s important to have one place that can then take all of that information and figure out whether the threat is greater than the sum of the incidents,” Ferguson told reporters.
“We think it’s important that there be an organization that will collect and organize and connect all the dots,” he said.
Toews reacted quickly to the revelation, announcing that starting Nov. 5, the centre would be operating 15 hours a day, seven days a week, with “experts on call around the clock when needed.”
He defended the government’s cyber-security record, saying it had made “exceptional progress” in the face of emerging technological threats.
“The dynamic nature of the cyber threat is one thing governments have had to learn to respond to,” he said
He says computer networks owned by government and private companies are “attacked by ordinary hackers and organized crime and indeed state actors on a constant basis.”
The audit says the federal department of public safety has committed $13 million over five years to work towards staffing the centre from 6 a.m. to 9 p.m. seven days a week, but there are no plans to keep it open around the clock.
The audit also found the response centre is often kept in the dark.
Some business owners and operators are confused about whom in the federal government, if anyone, should be told about cyber security incidents. Others do not even know the response centre exists.”
This prevents the response centre from fully analyzing the cyber security landscape and hampers its ability to give advice to on how to protect against the latest cyber threats, says the report. “A lack of timely and relevant information and analyses affects the ability of critical infrastructure owners and operators to react to cyber attacks that may cause disruptions,” says the report.
The report notes that even when hackers traced back to China targeted networks at the Treasury Board and Department of Finance in January 2011, no one even told the response centre about the incident until a week after it happened.
Communications Security Establishment Canada (CSEC) took over responsibility for protecting government information systems from cyber threats from the response centre last year, but the audit found that despite the fact that the two agencies are supposed to be working together, CSEC does not routinely share things with CCIRC.
“CSEC told us it was concerned about sharing information because of the sensitive nature of the information it collects, such as classification levels or the sensitivities of client departments,” says the audit.
The audit says they were supposed to have worked things out by August 2011, but have now agreed to resolve things by Nov. 30 and a CCIRC employee has been working at CSEC to make collaboration easier.
Public Safety Minister Vic Toews announced last week the Conservative government would commit $155 million over five years to boost the capacity of the response centre.
The announcement came a week after U.S. Defence Secretary Leon Panetta warned American business, financial and transport computer systems may be vulnerable to devastating attacks and called on legislators to pass new laws to strengthen cyber-protections below the border.
Those comments came after the U.S. House of Representatives Intelligence Committee warned against doing business with Huawei Technologies Co Ltd. and ZTE Corp. — two Chinese telecommunications giants — because they could potentially be used for Chinese spying operations.
Huawei has sold equipment to major Canadian telecommunication companies.
The allegations are being referred to the U.S. Justice Department and Department of Homeland Security.
The 2010-11 annual report of the Canadian Security Intelligence Service said both the federal government and the private sector are frequent targets of cyber attacks.
“The Government of Canada is now witnessing serious attempts to penetrate its networks on a daily basis,” said that report.