[ISN] Security gaps in federal computers

InfoSec News isn at c4i.org
Wed Feb 16 10:06:12 EST 2005


February 15, 2005

OTTAWA (CP) - The personal information of Canadians is at risk due to
"significant weaknesses" in government computer security that leave
the digital door open to hackers and thieves, says the auditor
general. In a highly critical report Tuesday, Sheila Fraser warns that
federal agencies have failed to keep up with the demands of the
electronic age, making sensitive files vulnerable.

"If security weaknesses allowed someone to access a database or
confidential information, Canadians' trust in the government would be
greatly eroded," the report says.

"Further, if a citizen's privacy were violated because of a failure to
keep confidential information secure, it could cause that person
hardship and seriously undermine the government's efforts to deliver
services to Canadians electronically."

Fraser told a news conference she was disappointed the government
doesn't meet its own minimum standards for information technology
security, even though most of them have been well known for more than
a decade.

The auditor general likened it to a homeowner leaving the back door
open - eventually someone will break in.

"Government must fill in the gaps," she said. "There are weaknesses in
the system."

But Fraser stopped short of urging Canadians to avoid using online
federal services, saying she would continue to file her tax return by

Information security is becoming increasingly important given that the
federal government wants Canadians to have electronic access to key
information and transactions by the end of the year.

Growing use of the Internet, portable computer devices and wireless
technologies has made access to data easy and affordable, the report

"This environment provides more opportunities for problems to occur,
such as theft of data, malicious attacks or criminal actions."

Treasury Board President Reg Alcock, minister responsible for
government security policy, acknowledged the concerns Tuesday but said
it's a "tough area for any organization, because the technology's
always changing," requiring ongoing vigilance.

New Democrat MP Peter Julian said the government doesn't seem to be
taking the auditor general's points as seriously as it should.

Fraser found the Treasury Board Secretariat was "not adequately
fulfilling its role of monitoring and overseeing" the state of
security across the government.

Last May, the secretariat surveyed 90 departments and agencies on
their security practices. Of the 46 that responded, only one agency
met the basic requirements of the government security policy and
related standards.

The survey found:

* Sixteen per cent of departments didn't even have an information
  security policy. Of those that did, 33 per cent indicated it hadn't
  been formally approved by management.

* More than one-quarter of departments didn't have a policy requiring
  a plan to keep critical systems and services running in the event of
  a major attack or power failure.

Other internal studies flagged similarly worrisome problems.

"Vulnerability assessments, conducted in departments and agencies over
the last two years, have revealed significant weaknesses that, if
exploited, could result in serious damage to government information
systems," says Fraser's report.

Despite the potential for difficulties, many departments and agencies
had yet to adequately assess threats and risks to their computer

In addition, there was often lax control of access to sensitive data
and programs by people without authority to see it, the report says.
In some cases, computer passwords were not set properly, and most
organizations had no comprehensive program for monitoring who was
using their digital networks.

Fraser says there have been some advances since 2002 when she last
examined these issues, but overall the government has made
"unsatisfactory progress."

Reasons for the continuing gaps include lack of money and people, as
well as little interest in information technology security among
senior management, the report says.

Fraser's recommendations include preparation of action plans
indicating when each department and agency intends to comply with
security requirements.

The report says the Treasury Board Secretariat has "responded
positively" to the recommendations and, in some cases, is already
taking action.
