The chief information officer branch of the Treasury Board of Canada Secretariat is in the final stages of drafting a review of its IT security policy that will standardize the way departments interact.
Due later this year, the draft will bring together not only existing guidelines, such as
the RCMP’s technical security standard for IT, but a lot of updated information that is consistent with international standards bodies, according to John Weigelt, senior director of ITS & PKI at the Treasury Board of Canada Secretariat.
“”This will … hopefully help us interoperate better,”” he said. “”Protect, detect, respond recover … we’ve been doing that since medieval times, and to relate that to today’s IT environment is a challenge.””
According to one IT expert, the federal government is not properly warning the public about possible cyber-attacks by terrorists or other potential threats to Internet security.
Moreover, the government’s apparent lack of harmonized data-security standards makes a coordinated response to such threats “”very difficult,”” said Rick Broadhead, a commentator on technology, the Internet and e-business.
“”Maybe it just hasn’t filtered down to my level, but it’s not clear to me who (in Ottawa) is responsible for getting the word out on matters (involving Internet security),”” he said.
To emphasize his argument, Broadhead points to a recent high-profile advisory put out by the U.S. Department of Homeland Security’s DHS/ Information Analysis and Infrastructure Protection (IAIP) National Cyber Security Division (NCSD). The division monitors chat rooms to pre-empt possible cyber-attacks.
In consultation with Microsoft Corp., the NCSD put out several advisories in the last few weeks to make people aware of “”potential Internet disruptions resulting from the possible spread of malicious software exploiting a vulnerability in popular Microsoft Windows operating systems.””
“”DHS and Microsoft are concerned that a properly written exploit could rapidly spread on the Internet as a worm or virus in a fashion similar to Code Red or Slammer,”” read a recent advisory.
Broadhead wonders “”who in Canada will take the initiative in putting out such warnings?””
In fact, the Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) has the same warnings on its Web site as its U.S. counterpart, including an August 11 warning about the Blaster Worm and an Aug.1 advisory on the W32.Mimail Virus.
Weigelt acknowledged that Ottawa has leaned more toward internal warnings, with less emphasis on warning the public.
“”There hasn’t been as much in-your-face advice and guidance (offered) to the citizenry,”” Weigelt admitted. “”These (efforts) are more focused on internal to government at the present time.””
Weigelt also acknowledged that some people would like to see the government take a stronger advisory role, “”but there are others who say ‘No, that’s something that should be left to … industry.’””
Recently, OCIPEP has taken the lead role in providing alerts, advisories and administrative notices to government and to governmental partners. There is “”not as much public facing as some people want, but we’re looking at how far we can engage in that activity,”” said Weigelt.
At the moment, OCIPEP works in concert on the information security file with the Royal Canadian Mounted Police (RCMP), the Communications Security Establishment (CSE), and the Chief Information Officer Branch (CIOB) at TBS.
Weigelt said there is “”ongoing discussion as to what involvement these groups have in providing outward advice and guidance (on information security issues), as well as who should take that role on.””
In the meantime, Broadhead is dually concerned that federal departments lack harmonized standards on data security. This means “”it’s very difficult for the government to coordinate a response to a problem if everyone is operating with different levels of data security,”” he said.
“”Especially in this day and age, where we’re cognizant of the risks we’re all exposed to on the Internet, you need some sort of coordination to make sure everyone is on the same page. You don’t want a situation where the right hand doesn’t know what the left hand is doing.””
Weigelt said the approach, or threat-risk assessment process, is the same for each department. But the safeguards that are put in place as a result of that assessment can vary from department to department. The Department of National Defence (DND), for example, will employ different safeguards than Canadian Heritage because the security risks are “”quite different,”” he said.
Susan Elliott, president of BAR-eX Communications Inc., suggested this approach is practical when the cost of security is weighed with whether medium- to high-level systems are entirely necessary.
“”In security, you run up against cost versus benefit all the time,”” she said. “”There’s a certain level of risk that some people decide to take or they determine the risk they thought was there isn’t actually there. Anyone who is given a viable alternative probably will look at that alternative.””
Weigelt said it is the CIOB’s intention “”to provide departments with the latitude to determine what threats they’re facing and what safeguards they are going to pay for.”” This means having departments write their own departmental standards “”so they can allocate their resources in the best way to meet their business and security needs.””
To be fair, Broadhead says he recognizes these challenges.
“”Relatively speaking, Canada has been a leader among other countries in bringing government services online. We’re really well positioned, but there’s always more you can do. Security is a moving target, so you never want to rest and assume you’re okay.””