Finance Department at risk of big-impact cyberattack, say internal documents

The federal Finance Department is facing a medium risk of a cyberattack that could deliver a significant blow to its ability to carry out some crucial government operations, says a newly released internal analysis.

Finance, like other federal departments, publicly discloses a handful of its corporate risks but a list obtained by The Canadian Press provides a deeper look at the key concerns for 2018-19 that had been left out of the public's view.

Unlike the public report, the internal analysis gauges both the likelihood and severity for seven risks facing Finance Minister Bill Morneau's department.

"Of the seven corporate risks... five are now considered key corporate risks because of their significant risk score (high and medium-high level) and their link to the departmental mandate," said the document, prepared in late February for deputy finance minister Paul Rochon and restricted to "very limited distribution."

The information and accompanying briefing note were obtained under the Access to Information Act.

The analysis says given the sensitivity of data under Finance's control and the prevalence of security incidents in the public and private sectors, there's a "medium" likelihood of a breach or disruption with a "significant" impact. Such an event would affect the department's "capability to provide policy options and advice and to execute critical government operations," it said.

Departmental systems have been targeted by cyberattacks in the past.

In 2011, assaults crippled computers at the Finance Department and Treasury Board. The attacks were later linked to efforts possibly originating in China to gather data on the potential takeover of a Canadian potash company.

To address each risk, the department laid out mitigation strategies. For instance, its plan to boost IT security includes specific measures such as more collaboration with Shared Services Canada, the agency responsible for the centralized federal email system and data consolidation.

In an email Tuesday, department spokesman Jack Aubry said Finance has taken several steps to improve cybersecurity, including segregating the IT network that holds budget information, making changes to ensure the safe exchange of sensitive information within government and raising awareness of security issues.

Finance's IT infrastructure is overseen by Shared Services Canada, Aubry added.

"Threats in cyberspace are complex and rapidly evolving; now more than ever, cybersecurity is of paramount importance," he said. "Evolving cyberthreats to IT security require constant vigilance and continue to be rigorously monitored."

List of threats

The internal list of risks also features four additional threats that were not made public in the spring. Here's a rundown of corporate risks that didn't make the cut, and their ratings:

• The risk Finance will be unable to attract and retain staff with the specialized skills and expertise needed to meet all the demands for sound and timely policy analysis and advice. Likelihood: medium. Impact: significant.
• The risk the department will be unable to fulfil its objectives of enhanced business effectiveness and collaboration because it lacks a formal, consistent structure to store and manage information and to classify documents. Likelihood: medium. Impact: moderate.
• The risk Finance won't be able to meet both client and implementation expectations on government-wide projects. It's an issue because of the centralization of government services, the dependency on other departments and difficulties with the delivery of some initiatives. It points to the troubled Phoenix payroll system for public employees as one example of a government-wide project. Likelihood: medium. Impact: moderate.
• The risk of failure in supporting systems and processes that would affect the timely and accurate delivery of tax and transfer payments to provinces, territories and indigenous governments. Likelihood: low. Impact: significant.

These risks come in addition to the three that were flagged publicly by the Finance Department in the spring. Here are the previously released risks and their ratings, which were contained in the internal document:

• The risk of unauthorized IT network access or disruptions. Likelihood: medium. Impact: significant.
• The risk Ottawa's financial position and capacity to meet borrowing requirements will take a negative hit from failed transactions or financial losses linked to department activities related to issuing market debt securities and management of liquid financial assets. Likelihood: low. Impact: significant.
• The risk that threats such as the uneven pace of global economic recovery, the emergence of international protectionist policies and rising domestic debt levels could leave the department without infrastructure and resources needed to meet urgent challenges. The department, it warned, could also lose the capability to ensure effective co-ordinated action by responsible agencies domestically and internationally to address a situation that affects the integrity and reputation of Canada's financial system. Likelihood: low. Impact: significant.