Cybersecurity Never Sleeps, Except In Canada

from the this-post-closes-at-5pm dept

We’re highly critical of most government cybersecurity efforts for a number of reasons. One is that they are often pushed with totally overblown rhetoric about power grids going down and planes falling from the sky. That said, it’s not as though we want our governments to be completely ignorant about security issues online — more realistic threats like data breaches are something we expect them to be protected against, especially as they struggle to bring more and more government services online. Which brings us to another big reason we are critical of new cybersecurity powers for the government: they usually aren’t very good at it, and fail to make smart use of the powers and resources they already have. In the US, federal agencies are demanding more information sharing powers without identifying the obstacles they claim to face. In Canada, a public audit reveals that they have made little effort to start sharing security information at all:

Seven years after the Canadian Cyber Incident Response Centre was created to collect, analyse and share information about threats among various levels of government and the private sector, many were “still unclear” about the centre’s role and mandate, says the report.

“Some private sector critical infrastructure owners and operators that we interviewed told us they were not sure whether cyber events should be reported to the Government of Canada and, if so, to which agency.”

As a result, the centre “cannot fully monitor” Canada’s cyber-threat environment, hampering its ability to provide timely advice.

An ineffectual bureaucracy is nothing new, and it can often be fixed by finding the right people to whip it into shape. But you face a much bigger problem when the core culture of your government still fails to comprehend how the internet works or what cybersecurity means — which is where this tidbit comes in:

Further, the centre was still not operating on a 24-hour-a-day, 7-day-a-week basis, as originally intended, shutting down weekdays at 4 p.m. Ottawa time and closing for the weekend.

Yes, that’s right — the response center for monitoring cyber threats isn’t even open around the clock. It has shorter hours than the brunch menus at most restaurants. Recognizing that this could be a problem, but still completely failing to understand the fundamental stupidity of being “closed for the night” online, the government has plans to extend the hours to 9pm, seven days a week.

How did they get to this ridiculous place, and where are they going? Five years ago the government allocated some money for cybersecurity. Nobody really checked to see if it was accomplishing anything until now, with the Auditor General’s report. The audit revealed all these flaws and criticized “limited progress”, so as the report came out… the government allocated some more money. Hurray! But not. Because what they still lack is an actual road map — a clear identification of the real cybersecurity threats that exist, a strategy to combat them, some evidence that it will actually work, and a way to check and see if it does. Then they can figure out how much money it will cost, and they can figure out if there are any acceptable new laws that are actually necessary to make it happen. If governments in Canada, the US or anywhere else can’t get the basics of cybersecurity right with their existing resources, and can’t communicate intelligently about the problems, then neither more money nor more laws will fix anything.

Filed Under: ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Cybersecurity Never Sleeps, Except In Canada”

Subscribe: RSS Leave a comment
That One Guy (profile) says:

Re: Better to be thought incompetent than evil.

No, I think the idea behind this article is that if the governments around the world are going to clamor for more and more security measures, ‘for public safety’ and ‘to deal with terrorists and CYBER terrorists’… they don’t exactly look very good if it comes out that they either can’t, or haven’t, been using the abilities and tools they already had, effectively.

It also raises the question of ‘if they can’t effectively use the tools they already have, what good would more of the same do them?’

Leigh Beadon (profile) says:

Re: Better to be thought incompetent than evil.

And your tone is right in line with the intent, seem to be actually complaining that you’re not as surveilled as promised.

This is not about being surveilled. This is about having a centre that monitors government networks for attacks, and takes reports of large-scale attacks on private networks. There are privacy concerns there that must be taken into account, but the principle makes sense — nobody is suggesting that governments should just wear blindfolds with regards to the internet, and have absolutely no ability to monitor the security of their networks.

There’s not likely to be an attack that shuts down a power grid — that’s just FUD — but the government has plenty of data that is attractive to identity thefts, and plenty of systems that are attractive to hackers wanting to practice or prove their skills, and plenty of targets for groups like Anonymous, etc. Having the ability to monitor and respond to this kind of thing is not just sensible, it’s absolutely necessary — so in an age where we’re debating rolling back privacy protections to increase government cybersecurity power, it’s highly embarrassing to find out that they can’t even use existing basic security technology to monitor their own networks around the clock.

Anonymous Coward says:

We need to be concerned with internet security

Governments should be doing more about this. They should be looking for threats against critical internet infrastructure and other high value targets like banks and other financial institutions. Instead they seem to waste their time going after places like the Pirate Bay and Megaupload. And the sad part is that there are lots of people who are willing to help them out for free. The governments should be working with the various bloggers and internet security companies to better understand and protect themselves and their citizens from internet crime. But instead they so misunderstand the nature of the internet both socially and economically that no blogger or security company will help because the policies that the governments want to enact will destroy the internet, and what blogger or security company would want that?

Gregg says:

It's not quite what seems

This report from the GoC Auditor was only highlighting low level services and a department call center for receiving calls on Cyber Security threats. By no means does this report cover the Intelligence, Police or Defense departments which have active 24/7 cyber security staff and defenses on watch. I read the report and he made it sound like nothing was being done, when in fact there is a lot going on to protect Canadian security. As for private businesses (ie Nortel) this is where there was a huge gap in managing cyber security threats and how they worked with the Government to protect themselves. Frankly a company that was as large as Nortel was, they should have done far more themselves to protect their interests. The Government can only go so far to help Canadian businesses, and businesses that blame the Government really should be blaming themselves.

junivers (profile) says:

To this once-proud Canadian, the AG’s report (yes, I read it) makes the Harper Government look like a blundering toad incrementally frying itself on the electric fence put up by the guys that the dirtiest oil patch in the world.

But that toad sure loves hockey and beer, eh? Can’t go wrong with enough hockey and beer… Oh, wait.

Can’t go wrong with enough beer…?

Damn. Governments really can be embarrassing, sometimes, can’t they?

junivers (profile) says:

Let's try that again

To this once-proud Canadian, the AG’s report (yes, I read it) makes the Harper Government look like a blundering toad incrementally frying itself on the electric fence put up by the guys that pwned the dirtiest oil patch in the world.

But that toad sure loves hockey and beer, eh? Can’t go wrong with enough hockey and beer… Oh, wait..

Can’t go wrong with enough beer… Hmm….?


Austin (profile) says:

Closing at 4...or

Current time in Ottowa:

Current time in Kabul:

So there’s a 9.5 hour difference in time here between the surveillance and the most likely source/destination of any potentially useful intel. Now, maybe my math is wrong and perhaps my sense of how terrorists operate is rooted too deeply in TV shows like Homeland, but here’s the problem with closing at 4:30PM or 9PM, either one: They’re closed when the terrorists are awake.

So they’re spying on their own citizens, fellow Canadians, but they’re LITERALLY asleep at the wheel during the hours when any ACTUAL terrorists are likely to pass information through their network. Brilliant! Fucking brilliant!

I gotta say, as an American this makes me feel better. I mean, at least there’s a itsy bitsy teeny tiny chance that the NSA’s program MIGHT catch SOME useful intel since, yanno, they’re at least fucking awake. Our system may be pure, unaldutured evil, but at least it has a CHANCE of working.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...