Date: 2020-03-09

This column is an opinion by Alexander Rudolph, a doctoral student in the Department of Political Science at Carleton University, where he is doing research on cyber defense and cyberwar. Besides his research, he also works as an independent consultant and policy analyst. For more information about CBC’s Opinion section, please see the FAQ.

Official documents recently obtained by The Canadian Press describe the Government of Canada’s “critical” computer systems and applications as “rust and risk of failure.” Such statements are alarming for many reasons, particularly when you consider the potential loss of critical systems that support the country’s social services.

However, although these systems are an integral part of the provision of digital services, there does not appear to be any urgent recognition of the security risks that these old systems also pose.

While the Government of Canada released a National Cybersecurity Strategy in 2016, it expressed little concern about the specific threats posed by existing systems. The strategy also offers few concrete plans as to what the government will do to achieve its stated objectives.

In one article about the government’s aging IT infrastructure, André Leduc, vice president of government relations and policy with the Information Technology Association of Canada, says that many public servants have not sought to upgrade these old systems because they still work. This approach seems to be based on the adage that “if it is not broken, do not repair it”.

But at least as worrisome as a potential failure of these archaic systems is the risk that government and public information may be stolen, or hijacked and taken hostage.

A recent 800-page federal government response to a question on the Order Paper tabled by Conservative MP Dean Allison reveals that federal departments or agencies mismanaged personal information belonging to at least 144,000 Canadians in the past two years alone, a number that includes incidents ranging from misdirected mail to technology-related violations. And as Canada moves toward “digital government” while relying on decaying infrastructure, the risks are likely to increase.

Governments and private sector companies often delay updating information and communications systems due to the complexity and cost of the upgrade. (Sean Gallup / Getty)

The use of older technologies is common in the public and private sectors due to the costs associated with upgrading. However, in a 21st century security environment, these systems are time bombs.

Old systems are vulnerable largely due to loss of technical support by developers, which greatly increases the chances of a successful attack.

As new systems and applications are created, developers are phasing out support for old ones – and we’re not just talking about decades-old mainframes. Microsoft ended support for its Windows 7 operating system on January 15, for example, which means the company will not be providing any new security updates. This creates significant security risks for these systems and the applications that run on them, as they become more prone to malware and hacking.

Ransomware-based cyber attacks, which can lock computers until a ransom is paid, are just one type of exploit used by criminals and countries. Last October, the Canadian Centre for Cyber Security issued a warning about ransomware called Ryuk, which it said “affected several entities, including municipal governments and public health and safety organizations in Canada and abroad”.

Cyberattacks can be expensive. Recently released court documents revealed that data from a Canadian insurance company was held hostage until the criminals who took over its computer systems were paid almost a million US dollars. This may seem like a large sum, but it pales compared to the cost of other ransomware attacks.

In 2017, for example, the WannaCry ransomware reportedly infected more than 230,000 systems in 150 countries, costing over $4 billion in losses. Among those targeted was the National Health Service (NHS) of the United Kingdom, which used obsolete computer systems – the attack cost 159 million dollars in ransom and cleanup costs. (The United States arrested a North Korean national in connection with WannaCry, alleging that the North Korean government sponsored the attacks.)

In this 2017 file photo, employees are looking at electronic cards to monitor possible ransomware cyber attacks at the Korea Internet and Security Agency in Seoul, South Korea, during the WannaCry attack. (Yun Dong-jin / Yonhap via the Associated Press)

If the revelations reported by The Canadian Press about the deplorable state of our country’s aging computer systems are correct, hackers are probably salivating at the idea of extracting similar payments from the Canadian government.

In light of this, is the Government of Canada actively addressing the security risks posed by the continued use of these legacy systems?

For an answer, look to the government ministers’ mandate letters, which describe the policy objectives the Prime Minister has entrusted to each of them.

The Ministers of Public Safety and National Defence have the primary responsibility for protecting Canada from threats. The mandate letter expects the Minister of Public Safety to “identify and prepare for threats to public security, including national security, cybersecurity and increasingly frequent climate emergencies”, but cybersecurity is not one of the specific priority tasks entrusted to the minister. The Minister of National Defence’s mandate letter does not issue any cybersecurity instructions.

The mandate letter for the Minister of Digital Government, who is specifically responsible for the country’s transition to technology-focused services that make government “more agile, open and user-centric”, mentions cybersecurity, but only as part of a long list of other priorities. The minister must: “Direct the analysis and improvement of information technology (IT) delivery in government. This work will include the identification of all basic and risk IT systems and platforms. You will lead the renewal of SPC so that it has the resources and alignment necessary to provide a common, reliable and secure IT infrastructure.” However, there is no specific timetable for this work.

A programmer shows a sample of a ransomware cyber attack on a laptop. (Ritchie B. Tongo / EPA)

Even if federal ministers are told to prioritize cybersecurity, is there an appropriate amount of funding allocated to quickly improve Canada’s aging government systems?

Well, things don’t look too good on this front.

Maintaining safe and secure IT systems is not a problem that can be solved with a one-time expense in a single year. It is an active process that requires continuous annual funding.

In its 2018 budget, the Government of Canada committed $507.7 million over five years – approximately $101.5 million per year, or 0.03% of its annual revenue – “to protect against cyberattacks” and to implement the National Cybersecurity Strategy. Consider that Statistics Canada reported that in 2017 alone, Canadian businesses spent approximately $8 billion on salaries for employees, consultants and contractors working on cybersecurity, as well as an additional $4 billion on cybersecurity software and related hardware.

Given the critical state of the government’s aging IT infrastructure, the amount budgeted at the federal level is a drop in the bucket.

The mandate of Minister of Digital Government, Joyce Murray, is to oversee the country’s transition to technology-driven services that make government “more agile, open and user-centric.” (Justin Tang / Canadian Press)

The efforts of a single digital government minister alone cannot repair the chronic inaction that has led to the government’s current IT crisis. Solving a systemic problem requires a systemic approach.

A whole-of-government strategy must be adopted to effectively combat the threats that accompany modern digital government. This is about much more than funding services; it requires a change of mindset, one that recognizes that any IT system involves inherent risks and that a digital government cannot afford to take a casual approach to aging computer technology and security.

Just as all federal departments of the Canadian government must perform a gender-based analysis to understand the role of gender in their activities, a full cybersecurity analysis should likewise be conducted.

The study that describes the Government of Canada’s computer systems as at risk of failure is an example of what a cybersecurity analysis might look like. Such an analysis must recognize that all IT systems, new or old, can be entry points that can be attacked and exploited.

Requiring all departments to conduct a detailed cybersecurity analysis would force the government to take into account that while digital government has great potential benefits, it also makes Canada a bigger target.