Despite warning, many small government bodies still aren't using special cyber defences: report

Despite a stern warning from one of Canada's security review bodies, most Crown corporations,smaller government departments and agencies haven't heeded the call to use specialized cyber defence sensors to protect their networks from state-sponsored attacks, says a recent report.

Last year, the National Security and Intelligence Committee of Parliamentarians released a report pointing to gaps in Ottawa's network.

The committeewrote that Crown corporations andsmall government departments and agencies (SDAs) defined as those with fewer than 500 staffers and annual budgets of less than $300 million are not requiredto follow the same cyber policies as other government departments. The report warned this state of affairscould pose "a security risk to government networks."

"Those organizations receive, hold and use the sensitive information of Canadians and Canadian businesses, information that is at risk of compromise by the most sophisticated of cyber actors, including states," the report said.

"Moreover, unprotected organizations potentially act as a weak link in the government's defences by maintaining electronic connectivity to organizations within the cyber defence framework, creating risks for the government as a whole. These challenges are well known to the government."

NSICOP's report which wassubmittedto Prime Minister Justin Trudeau in August 2021 andtabled in Parliament in February 2022said that while China and Russia are the most sophisticated cyberthreat actors targeting the federal government, Iran and North Korea have "moderately sophisticated" capabilities.

The committee hasrecommended thatthe cyber defence sensors of the Communications Security Establishment (CSE) be extendedto cover all federal entities.

But new numbers from the CSE, Canada's cyber intelligence and security agency, show that less than half of Crown corporations and smaller departments and agencies"whose IT infrastructure is outside the government's network defences"followedthat recommendation.

"Since March 2020, the number of Crown corporations and SDAs signed up for our sensors has grown from 12 to 37 (out of 86)," saysthe CSE's 2022-2023report.

"The Cyber Centre continues to view this sector as a high priority and is working to onboard more federal institutions to our services."

CSEsensors process over 200K events per second

Robyn Hawco, CSE spokesperson, said the agency uses itsown in-house technology called Host-Based Sensors, or HBS on government servers, laptops and desktops.

"To put it simply, each sensor securely gathers system data, while protecting the privacy of those using this service. That data is fed back to our experts for analysis. They map any malicious activity, such as malware trying to download, and document the recipe to inoculate other devices from being infected in future," said Hawco.

"The HBS technology is user-friendly and not only detectsbut also neutralizes malicious activity, automatically."

The sensors process over 200,000 host events per second, she said.

In a media statement, the Treasury Board said Crown corporations and smaller agenciesare ultimately responsiblefor their own cyber defence decisions.

"All federal organizations, including Crown corporations, can access the government's cyber defence services and TBS continues to encourage them to take advantage of the full complement of the government's cyber defence services," says the statement.

Treasury Board saidShared Services Canada is working to provide an initial groupof 43 small departments and agencies with advanced cyber defence services, using funding earmarked inthe 2022 federal budget.

"In addition, all federal organizations, including Crown corporations, can enter into agreementsin order to align with TBS cyber defence policies, or to seek cyber defence services from the Cyber Centre," saysthe statement.

Testifying before a Senate committee earlier this year, NSICOP memberSen. FrancesLankin said government inertia is the reason why the committee's recommendation was meant to be compulsory.

"In this report, we saw very clearly that there are gaps and those gaps are dangerous for Canadians and dangerous for our national security, personal data," she said.

"I think that there is a willingness to move, but there's great reluctance and inertia at times within large departmental structures and the interdepartmental relations."

NSICOP has been ignored before

It's not the first time government departments and agencies have failed to act on recommendations from NSICOP, a special committee made up of MPs and senators.

The committeereleased a report back in 2019 that urged Ottawa to take the threat of foreign interference more seriously.

"Canada has been slow to react to the threat of foreign interference," wrote the committee in a 2019 report looking at the government's response to foreign meddling.

"The government must do better."

After at first not responding to the report,Trudeau acknowledged his government should be doing a better job.

"We have to do a better job on following up on those recommendations. I fully accept that," he told a news conference back inMarch.

Those comments came as Trudeau announced he was asking NSICOP to review the state of foreign interference in Canada's democratic processes since 2018.

NSICOP has since agreed and the review is ongoing.