Cybersecurity Never Sleeps, Except In Canada

from the this-post-closes-at-5pm dept

Thu, Oct 25th 2012 7:13am — Leigh Beadon

We're highly critical of most government cybersecurity efforts for a number of reasons. One is that they are often pushed with totally overblown rhetoric about power grids going down and planes falling from the sky. That said, it's not as though we want our governments to be completely ignorant about security issues online — more realistic threats like data breaches are something we expect them to be protected against, especially as they struggle to bring more and more government services online. Which brings us to another big reason we are critical of new cybersecurity powers for the government: they usually aren't very good at it, and fail to make smart use of the powers and resources they already have. In the US, federal agencies are demanding more information sharing powers without identifying the obstacles they claim to face. In Canada, a public audit reveals that they have made little effort to start sharing security information at all:

Seven years after the Canadian Cyber Incident Response Centre was created to collect, analyse and share information about threats among various levels of government and the private sector, many were "still unclear" about the centre's role and mandate, says the report.

"Some private sector critical infrastructure owners and operators that we interviewed told us they were not sure whether cyber events should be reported to the Government of Canada and, if so, to which agency."

As a result, the centre "cannot fully monitor" Canada's cyber-threat environment, hampering its ability to provide timely advice.

An ineffectual bureaucracy is nothing new, and it can often be fixed by finding the right people to whip it into shape. But you face a much bigger problem when the core culture of your government still fails to comprehend how the internet works or what cybersecurity means — which is where this tidbit comes in:

Further, the centre was still not operating on a 24-hour-a-day, 7-day-a-week basis, as originally intended, shutting down weekdays at 4 p.m. Ottawa time and closing for the weekend.

Yes, that's right — the response center for monitoring cyber threats isn't even open around the clock. It has shorter hours than the brunch menus at most restaurants. Recognizing that this could be a problem, but still completely failing to understand the fundamental stupidity of being "closed for the night" online, the government has plans to extend the hours to 9pm, seven days a week.

How did they get to this ridiculous place, and where are they going? Five years ago the government allocated some money for cybersecurity. Nobody really checked to see if it was accomplishing anything until now, with the Auditor General's report. The audit revealed all these flaws and criticized "limited progress", so as the report came out... the government allocated some more money. Hurray! But not. Because what they still lack is an actual road map — a clear identification of the real cybersecurity threats that exist, a strategy to combat them, some evidence that it will actually work, and a way to check and see if it does. Then they can figure out how much money it will cost, and they can figure out if there are any acceptable new laws that are actually necessary to make it happen. If governments in Canada, the US or anywhere else can't get the basics of cybersecurity right with their existing resources, and can't communicate intelligently about the problems, then neither more money nor more laws will fix anything.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: canada, cybersecurity

16 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

out_of_the_blue, 25 Oct 2012 @ 7:26am

Better to be thought incompetent than evil.
This is just a cover story to blunt public protest.

And your tone is right in line with the intent, seem to be actually complaining that you're not as surveilled as promised.
[ link to this | view in chronology ]
- That One Guy (profile), 25 Oct 2012 @ 7:41am
  
  Re: Better to be thought incompetent than evil.
  No, I think the idea behind this article is that if the governments around the world are going to clamor for more and more security measures, 'for public safety' and 'to deal with terrorists and CYBER terrorists'... they don't exactly look very good if it comes out that they either can't, or haven't, been using the abilities and tools they already had, effectively.
  
  It also raises the question of 'if they can't effectively use the tools they already have, what good would more of the same do them?'
  [ link to this | view in chronology ]
- Leigh Beadon (profile), 25 Oct 2012 @ 10:09am
  
  Re: Better to be thought incompetent than evil.
  And your tone is right in line with the intent, seem to be actually complaining that you're not as surveilled as promised.
  
  This is not about being surveilled. This is about having a centre that monitors government networks for attacks, and takes reports of large-scale attacks on private networks. There are privacy concerns there that must be taken into account, but the principle makes sense -- nobody is suggesting that governments should just wear blindfolds with regards to the internet, and have absolutely no ability to monitor the security of their networks.
  
  There's not likely to be an attack that shuts down a power grid -- that's just FUD -- but the government has plenty of data that is attractive to identity thefts, and plenty of systems that are attractive to hackers wanting to practice or prove their skills, and plenty of targets for groups like Anonymous, etc. Having the ability to monitor and respond to this kind of thing is not just sensible, it's absolutely necessary -- so in an age where we're debating rolling back privacy protections to increase government cybersecurity power, it's highly embarrassing to find out that they can't even use existing basic security technology to monitor their own networks around the clock.
  [ link to this | view in chronology ]
Anonymous Coward, 25 Oct 2012 @ 7:35am

We need to be concerned with internet security
Governments should be doing more about this. They should be looking for threats against critical internet infrastructure and other high value targets like banks and other financial institutions. Instead they seem to waste their time going after places like the Pirate Bay and Megaupload. And the sad part is that there are lots of people who are willing to help them out for free. The governments should be working with the various bloggers and internet security companies to better understand and protect themselves and their citizens from internet crime. But instead they so misunderstand the nature of the internet both socially and economically that no blogger or security company will help because the policies that the governments want to enact will destroy the internet, and what blogger or security company would want that?
[ link to this | view in chronology ]
Trails (profile), 25 Oct 2012 @ 7:45am

As a Canadian...
Let me say those guys are total hosers.
[ link to this | view in chronology ]
Chris-Mouse (profile), 25 Oct 2012 @ 7:46am

This is a great success. The Canadian government has gotten the cyber criminals to agree to attack only during business hours.
[ link to this | view in chronology ]
- Michael, 25 Oct 2012 @ 8:10am
  
  Re:
  Canadian cyber-criminals are extremely mannerly.
  [ link to this | view in chronology ]
- Chosen Reject (profile), 25 Oct 2012 @ 10:48am
  
  Re:
  Yeah, but then they decided to stay open longer giving the cyber criminals even more time to do their dirty work.
  [ link to this | view in chronology ]
Anonymous Coward, 25 Oct 2012 @ 7:48am

This is what happens when a government that has no clue how technology works teams up with a bureaucracy stuck in their cozy 10-4 government job mentality. Neither side has any real interest in getting this to actually work. The only reason it even exists is so the government can look like it's doing something.
[ link to this | view in chronology ]
Laroquod (profile), 25 Oct 2012 @ 8:04am

I am perfectly happy with this situation and I hope it continues for the foreseeable future. However, any news from the current Canadian government that makes proponents of internet freedom feel more comfortable, should be treated with the utmost skepticism.
[ link to this | view in chronology ]
ltlw0lf (profile), 25 Oct 2012 @ 9:41am

Be nice to the Canadians...
Jeesh, they have such a routy neighbor in the apartment below them...they need all the sleep they can get.
[ link to this | view in chronology ]
Gregg, 25 Oct 2012 @ 10:46am

It's not quite what seems
This report from the GoC Auditor was only highlighting low level services and a department call center for receiving calls on Cyber Security threats. By no means does this report cover the Intelligence, Police or Defense departments which have active 24/7 cyber security staff and defenses on watch. I read the report and he made it sound like nothing was being done, when in fact there is a lot going on to protect Canadian security. As for private businesses (ie Nortel) this is where there was a huge gap in managing cyber security threats and how they worked with the Government to protect themselves. Frankly a company that was as large as Nortel was, they should have done far more themselves to protect their interests. The Government can only go so far to help Canadian businesses, and businesses that blame the Government really should be blaming themselves.
[ link to this | view in chronology ]
- Leigh Beadon (profile), 25 Oct 2012 @ 10:53am
  
  Re: It's not quite what seems
  You're right -- I did mention (but should have clarified more strongly) that what's at issue here is information sharing and coordination (which relates closely to debates in the US about expanding those exact powers)
  [ link to this | view in chronology ]
junivers (profile), 28 Oct 2012 @ 9:35pm

To this once-proud Canadian, the AG's report (yes, I read it) makes the Harper Government look like a blundering toad incrementally frying itself on the electric fence put up by the guys that the dirtiest oil patch in the world.

But that toad sure loves hockey and beer, eh? Can't go wrong with enough hockey and beer... Oh, wait.

Can't go wrong with enough beer...?

Damn. Governments really can be embarrassing, sometimes, can't they?
[ link to this | view in chronology ]
junivers (profile), 28 Oct 2012 @ 9:43pm

Let's try that again
To this once-proud Canadian, the AG's report (yes, I read it) makes the Harper Government look like a blundering toad incrementally frying itself on the electric fence put up by the guys that pwned the dirtiest oil patch in the world.

But that toad sure loves hockey and beer, eh? Can't go wrong with enough hockey and beer... Oh, wait..

Can't go wrong with enough beer... Hmm....?

Sorry.
[ link to this | view in chronology ]
Austin (profile), 29 Oct 2012 @ 9:20am

Closing at 4...or
Current time in Ottowa: http://www.timeanddate.com/worldclock/city.html?n=188

Current time in Kabul: http://www.timeanddate.com/worldclock/city.html?n=113

So there's a 9.5 hour difference in time here between the surveillance and the most likely source/destination of any potentially useful intel. Now, maybe my math is wrong and perhaps my sense of how terrorists operate is rooted too deeply in TV shows like Homeland, but here's the problem with closing at 4:30PM or 9PM, either one: They're closed when the terrorists are awake.

So they're spying on their own citizens, fellow Canadians, but they're LITERALLY asleep at the wheel during the hours when any ACTUAL terrorists are likely to pass information through their network. Brilliant! Fucking brilliant!

I gotta say, as an American this makes me feel better. I mean, at least there's a itsy bitsy teeny tiny chance that the NSA's program MIGHT catch SOME useful intel since, yanno, they're at least fucking awake. Our system may be pure, unaldutured evil, but at least it has a CHANCE of working.
[ link to this | view in chronology ]