Cybersecurity Never Sleeps, Except In Canada
from the this-post-closes-at-5pm dept
We're highly critical of most government cybersecurity efforts for a number of reasons. One is that they are often pushed with totally overblown rhetoric about power grids going down and planes falling from the sky. That said, it's not as though we want our governments to be completely ignorant about security issues online — more realistic threats like data breaches are something we expect them to be protected against, especially as they struggle to bring more and more government services online. Which brings us to another big reason we are critical of new cybersecurity powers for the government: they usually aren't very good at it, and fail to make smart use of the powers and resources they already have. In the US, federal agencies are demanding more information sharing powers without identifying the obstacles they claim to face. In Canada, a public audit reveals that they have made little effort to start sharing security information at all:
Seven years after the Canadian Cyber Incident Response Centre was created to collect, analyse and share information about threats among various levels of government and the private sector, many were "still unclear" about the centre's role and mandate, says the report.
"Some private sector critical infrastructure owners and operators that we interviewed told us they were not sure whether cyber events should be reported to the Government of Canada and, if so, to which agency."
As a result, the centre "cannot fully monitor" Canada's cyber-threat environment, hampering its ability to provide timely advice.
An ineffectual bureaucracy is nothing new, and it can often be fixed by finding the right people to whip it into shape. But you face a much bigger problem when the core culture of your government still fails to comprehend how the internet works or what cybersecurity means — which is where this tidbit comes in:
Further, the centre was still not operating on a 24-hour-a-day, 7-day-a-week basis, as originally intended, shutting down weekdays at 4 p.m. Ottawa time and closing for the weekend.
Yes, that's right — the response center for monitoring cyber threats isn't even open around the clock. It has shorter hours than the brunch menus at most restaurants. Recognizing that this could be a problem, but still completely failing to understand the fundamental stupidity of being "closed for the night" online, the government has plans to extend the hours to 9pm, seven days a week.
How did they get to this ridiculous place, and where are they going? Five years ago the government allocated some money for cybersecurity. Nobody really checked to see if it was accomplishing anything until now, with the Auditor General's report. The audit revealed all these flaws and criticized "limited progress", so as the report came out... the government allocated some more money. Hurray! But not. Because what they still lack is an actual road map — a clear identification of the real cybersecurity threats that exist, a strategy to combat them, some evidence that it will actually work, and a way to check and see if it does. Then they can figure out how much money it will cost, and they can figure out if there are any acceptable new laws that are actually necessary to make it happen. If governments in Canada, the US or anywhere else can't get the basics of cybersecurity right with their existing resources, and can't communicate intelligently about the problems, then neither more money nor more laws will fix anything.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: canada, cybersecurity
Reader Comments
Subscribe: RSS
View by: Time | Thread
Better to be thought incompetent than evil.
And your tone is right in line with the intent, seem to be actually complaining that you're not as surveilled as promised.
[ link to this | view in thread ]
We need to be concerned with internet security
[ link to this | view in thread ]
Re: Better to be thought incompetent than evil.
It also raises the question of 'if they can't effectively use the tools they already have, what good would more of the same do them?'
[ link to this | view in thread ]
As a Canadian...
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Be nice to the Canadians...
[ link to this | view in thread ]
Re: Better to be thought incompetent than evil.
This is not about being surveilled. This is about having a centre that monitors government networks for attacks, and takes reports of large-scale attacks on private networks. There are privacy concerns there that must be taken into account, but the principle makes sense -- nobody is suggesting that governments should just wear blindfolds with regards to the internet, and have absolutely no ability to monitor the security of their networks.
There's not likely to be an attack that shuts down a power grid -- that's just FUD -- but the government has plenty of data that is attractive to identity thefts, and plenty of systems that are attractive to hackers wanting to practice or prove their skills, and plenty of targets for groups like Anonymous, etc. Having the ability to monitor and respond to this kind of thing is not just sensible, it's absolutely necessary -- so in an age where we're debating rolling back privacy protections to increase government cybersecurity power, it's highly embarrassing to find out that they can't even use existing basic security technology to monitor their own networks around the clock.
[ link to this | view in thread ]
It's not quite what seems
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: It's not quite what seems
[ link to this | view in thread ]
But that toad sure loves hockey and beer, eh? Can't go wrong with enough hockey and beer... Oh, wait.
Can't go wrong with enough beer...?
Damn. Governments really can be embarrassing, sometimes, can't they?
[ link to this | view in thread ]
Let's try that again
But that toad sure loves hockey and beer, eh? Can't go wrong with enough hockey and beer... Oh, wait..
Can't go wrong with enough beer... Hmm....?
Sorry.
[ link to this | view in thread ]
Closing at 4...or
Current time in Kabul: http://www.timeanddate.com/worldclock/city.html?n=113
So there's a 9.5 hour difference in time here between the surveillance and the most likely source/destination of any potentially useful intel. Now, maybe my math is wrong and perhaps my sense of how terrorists operate is rooted too deeply in TV shows like Homeland, but here's the problem with closing at 4:30PM or 9PM, either one: They're closed when the terrorists are awake.
So they're spying on their own citizens, fellow Canadians, but they're LITERALLY asleep at the wheel during the hours when any ACTUAL terrorists are likely to pass information through their network. Brilliant! Fucking brilliant!
I gotta say, as an American this makes me feel better. I mean, at least there's a itsy bitsy teeny tiny chance that the NSA's program MIGHT catch SOME useful intel since, yanno, they're at least fucking awake. Our system may be pure, unaldutured evil, but at least it has a CHANCE of working.
[ link to this | view in thread ]