Based on the raw numbers, you could be forgiven for thinking some kind of computer security alarm system is going off every five minutes on Parliament Hill.
The government experienced some form of data loss more than 3,700 times over a 10-month period that ended Jan. 29 of this year, according to figures recently tabled in Parliament and reported by the Ottawa Citizen. That would include a portable hard drive with social insurance numbers of 583,000 individuals that went missing from Employment and Social Development Canada, and a slew of incidents involving Canada Revenue Agency (CRA). The total of reported data breaches outnumbers what the public sector has admitted over the last decade. Some citizens are probably wondering if the government is merely careless, negligent, or both.
I’ve heard first-hand, however, that the government not only takes computer security seriously but has taken steps to do better. Five years ago, for instance, I hosted a conference in Ottawa on public sector IT security where an executive from CRA talked in detail about a scheme by hackers to replicate the CRA’s Website and fool citizens into handing over their personal information. This wasn’t a data breach, but the CRA was proactively launching a security awareness program for all of its 50,000 employees, mandating encryption of all laptops and conducting what’s called a “vulnerability assessment program” to see where software patches may need to be applied.
Mississauga, Ont.-based WinMagic, which offers data encryption products, has been seeing strong adoption at both the federal and even provincial levels of government, according to senior director of product marketing Darren Leroux. Even better, he said there has been more emphasis on adopting encryption not merely on the desktop but with removable hard drives and USB keys.
“We’re seeing fewer situations where it’s a case of doing damage control after the fact,” he said, adding that the policy is as important as technology. “It’s about enforcing the policies correctly. In some cases there have been policies but they weren’t followed, or they left it open to the user to be able to make changes to policies on the device, which you should never do.”
It’s not just a matter of the government buying better technology or civil servants behaving properly, though. On Wednesday, security vendor Websense released a report which showed how complex many computer hacking attempts from outside have become.
Charles Renert, Websense vice-president of security research, told me government security incidents aren’t necessarily rising more than other sectors, but they can be motivated by several different things.
“Simpler attacks try to embarrass a government entity or influence public policy,” he said. “In a few cases, extremely advanced attacks are targeted at public infrastructure or highly sensitive information.” All you can do is classify the risk and monitor like crazy.
Before we criticize the government too harshly, keep a few things in perspective. Transparency around computer security attacks is still relatively new, even in the public sector. Although the numbers look bad, part of the problem is we’re simply hearing more about them than ever before. In contrast, without solid breach notification laws, the private sector may look better at computer security than it is.
Finally, security problems are often a byproduct of technology advancement. The government is doing a lot -- and is being pressured to do way more -- to offer information and services electronically and to empower its workforce to be more productive with mobile computing. That’s why the statistics around computer security in government are probably going to get worse before they get better. That doesn’t necessarily mean we have a crisis on our hands.