Heartbleed bug shows governments slow to react

The revelation Monday that the social insurance numbers of 900 Canadians were stolen from the website of the Canada Revenue Agency last week has raised yet more questions about the government’s response to the Heartbleed computer bug.

Researchers in Canada’s online security community say that the Heartbleed breach is evidence that government is often not as well equipped as private companies to detect and react quickly to online security threats.

The government "was really slow on this," says Christopher Parsons, a post-doctoral fellow at the Citizen Lab at the Munk School of Global Affairs at the University of Toronto.

"If you look at Yahoo, it had begun updating its security practices prior to the CRA fully taking action. The same thing with other larger companies. As soon as they saw what was going on, they immediately reacted and issued public statements."

Heartbleed is a hole in the OpenSSL security encryption software, which is used by an estimated two-thirds of sites on the web, and its existence was first widely revealed on April 7 (though Google and a Finnish company had reportedly discovered it some weeks earlier).

The glitch in the software, which was introduced apparently by error in 2012, gave hackers who were aware of it access to sensitive personal and financial information, and enabled them to steal it without a trace, which is why it has been difficult for government and corporate websites to confirm whether they have been compromised.

The Canadian Cyber Incident Response Centre, which reports to Public Safety Canada, issued its first advisory about Heartbleed on April 8. CRA shut down its site that day, and restored public access on April 13.

According to a press release Tuesday, RCMP's National Division was told about a "malicious breach of taxpayer data due to the Heartbleed bug," by CRA on Friday, April 11. Since the site had already been shut down to prevent further breaches, the RCMP says it asked CRA to "to delay advising the public of the breach until Monday morning," so that it could pursue a "viable investigative path."

On Monday, CRA confirmed that as a result of Heartbleed, 900 Canadians had their social insurance numbers stolen from its website. The agency says the thefts took place during a six-hour window on April 8.

According to a statement released by CRA on Monday morning, "We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."

In the week since the breach, there has been a lot of talk about the quickness of the government’s response. However, it lagged significantly compared to private firms such as Facebook, Google and Yahoo.

Parsons says it’s not entirely fair to compare the CRA to Facebook and Google, who both had advance notice of the bug and thus patched their software in a timely fashion.

But he also notes that word of the Heartbleed breach was circulating in online forums about 24 hours before CRA made any sort of statement.

When it comes to online security, private companies tend to spend more money, says David Fewer, director of the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.

"Government tracks every resource to the penny. You can’t even get a cup of coffee at a government meeting these days," he says.

As a result, in the event of a security breach, government departments don’t have "the same size SWAT team" to deal with these kinds of problems.

The issue of resources isn’t necessarily endemic to government, says Mark Nunnikhoven, vice-president of cloud and emerging technologies at global security firm Trend Micro.

Government departments "can always use more resources, but any security team on the planet can always use more resources," says Nunnikhoven, who spent years in the public service, working in Industry Canada as well as the Transportation Safety Board.

"But in my experience, the government tends to have pretty good security."

However, one thing that Fewer suggests governments lack is the profit incentive.

"Every business’s brand is at stake when something like this happens," he says. "They have shareholders and they have to retain market share and maintain consumer trust."

Fewer, who has worked in both the public and private sectors, adds that because government doesn’t emphasize the bottom line, "‘technical support’ is an oxymoron."

At a private company, technical support is seen as essential to keeping the operation profitable and, as a result, is highly responsive. In government, "there isn’t that same imperative," he says.

While many in the security community feel that CRA’s response to the original threat was slow, Nunnikhoven says he’s been encouraged by CRA’s responsibility after the bug was identified, as well as the work of a secondary department — most likely Shared Services — in identifying the theft of those SINs.

"CRA did a good job defending themselves, took a risk-based decision and shut down [the site], and then the additional agency did their due diligence and caught an actual ex-filtration [theft] of data," says Nunnikhoven.

Given how many web sites were vulnerable to the Heartbleed bug, Parsons says there is likely to be a great deal of reflection on how it could have been identified sooner. Some cryptographers have estimated it may have existed for years before it was discovered last week.

This past weekend, Bloomberg News published a story alleging the U.S. National Security Agency (NSA) knew about the Heartbleed vulnerability for two years and that it may have been using it to access personal data.

The NSA denies the charge, but Parsons says it raises serious questions about the Five Eyes, the surveillance partnership between Canada, the U.S., Great Britain, Australia and New Zealand, which collaborates to detect threats such as Heartbleed.

"This is supposed to be the sort of thing that they’re supposed to find and ideally report," says Parsons.

"I think over the coming months, we need to figure out if they knew and if they didn’t, why didn’t they, because this is what we pay them to do. And if they did know, then why weren’t they protecting us?"