There are many ways the federal agency that lost the social insurance numbers and student loan information of more than 500,000 Canadians could have responded to its IT security lapses. A vague promise to think about cloud computing instead portable hard drives, however, has got to be among the worst.
To be fair, it wasn’t Human Resources and Skills Development Canada (HRSDC) that mentioned the idea of putting citizen data into a private area online. Several media outlets quoted a spokeswoman from Shared Services Canada who said the notion of so-called “private clouds” were on the table.
The only major thing to come out of HRSDC itself has been the reassurance that parents, spouses and co-signers of loans weren’t on the portable device that left government offices. This can’t be much relief to those affected, but HRSDC is no doubt staying tight-lipped in the face of two class-action lawsuits that in the works since the data breach occurred.
Take it to the cloud?
Here’s the thing: a portable storage device is completely secure if someone doesn’t lose it, or only downloads non-critical information on it. Cloud computing means the files won’t be physically on a device that can end up in the wrong hands, but it would still require some kind of authentication to log in and access the data. That means passwords, and anyone who works in the IT industry can tell you umpteen horror stories about lost, stolen or otherwise ineffective passwords.
You need people to follow policies, and after two IT security incidents in less than a month – there was a report of social insurance numbers and medical records of some 5,000 Canadians disappearing from HRSDC via USB right before the new year – the government isn’t demonstrating people are doing that.
“It’s kind of sad. I have to put it down to education and discipline,” says Brian O’Higgins, a board member of the Canadian Association of Defence and Security Industries and the co-founder of authentication giant Entrust. He pointed out that some parts of the government demonstrate that discipline every day, and those in other fields, like the medical and health-care industries, are really careful about not putting records on USB keys.
While he admitted that the cloud won’t solve all the government’s problems, O’Higgins said it may be better than the current situation. “At least it would be managed by professionals rather than amateurs,” he says. “They could still find a way to screw up, but you wouldn’t have information being put on USB.”
Government falling behind on security
Canadian IT security vendors have been complaining for years that the government is seriously out of step with what’s needed to protect citizen data in the 21st century. Tony Busseri, CEO of Toronto-based Route1, is one of them.
“The government needs to stop patching and working with older technology to foot the bill,” he says. “There’s too much relying on policy. Inherently that’s going to be flawed.”
So if it’s not about educating on policies and it’s not about technology, what’s the solution? Maybe a bit more of both.
The real problem here isn’t necessarily just the potential economic loss to those whose data went missing. As Busseri points out, someone could use the missing HRSDC data to create phony profiles, apply for passports, or much worse. Or nothing could happen – the portable device might have landed in the trash somewhere, never to be seen again.
The dire consequences of a security breach are numerous and multi-faceted. It’s time Canada’s public sector took a similarly nuanced approach to preventing such things from ever happening again.