Faulty IT products and premature software releases, coupled with a lack of accountability on the part of the IT industry, put Canada’s critical information infrastructure (CII) at risk of a major meltdown within five years, says a recent report.
The report, which was commissioned by
Public Safety and Emergency Preparedness Canada, has not yet been published. Through a Freedom of Information request the report was provided to the National Post and shared with Technology in Government.
It suggests increasing the adoption rate of alternative (non-Microsoft) software such as open source, licensing or certifying software professionals, and giving software product liability laws more teeth as ways to reduce the risk of CII disasters.
Donald Johnston, national technology industry group leader at Toronto-based law firm Gowling Lafleur Henderson LLP, and the lead author of the report, said while the report doesn’t say a major CII failure is inevitable, it is probable.
“We have been told by some people in the industry there will be one or more cascade failures as we had the other summer with the electrical situation,” said Johnston in reference to last summer’s blackout. “I’m not necessarily saying it’s true; I’m just reporting it.”
Johnston said the report was commissioned because PSEPC — which will not yet comment on it — is in the process of looking at ways to protect Canada’s CII in the telecommunications arena.
“PSEPC is using it as an aide to current initiatives,” said Johnston. “We actually don’t offer any recommendations. It’s really taking a snapshot, looking at risk factors and trying to show those who will look more closely into it the length and breadth of the problem.”
According to the study, software vendors have long been allowed to get away with a sales model that gives them from immunity from the liability applied to most other industries.
The study also points to Microsoft’s dominance in the software market as increasing the risk of CII failure.
What that implies for public sector networks, said Johnston, is that “it would be healthy to have a lot of variety so they don’t all share the same DNA as far as their operating platforms are concerned. It said you need a judicious mix of different systems that are capable of talking to each other so you can get the best result with maximum functionality.”
That, he said, “could be an endorsement of any open source type of approach.”
But while telecommunications consultant Brian Sharwood, a principal with the Toronto-based SeaBoard Group, agrees that diversity of platforms increases the reliability and stability of the CII, he’s not advising everyone to rush out and adopt Linux.
Instead, he said, CII networks should use a number of alternate operating systems, including Apple and Unix.
“You have to remember that a lot of the core networks are not running the Microsoft operating system,” he said. “A lot of the core networks are running on Unix, Linux and Cisco’s own hardware and software, so a lot of it’s not reliant on Microsoft. If it was we’d have a lot more trouble.”
Sharwood, pointing to the recent vandalism that left thousands of residents in Nova Scotia and Newfoundland without phone and Internet services for a night, said he’s divided on whether the greatest dangers posed to Canada’s CII come from accidental or intentional harm.
But he disagrees that trying to hold the software industry more accountable would reduce the risk.
“The whole software industry is really a best efforts industry,” he said. “You know when you buy a piece of software it’s not going to work all the time, and it’s not going to work in every situation, and to try to regulate that it has to work really forces an undue burden on the software industry that will end up stifling innovation rather than creating it and it costs a lot more.”
According to Osama Arafat, CEO of Toronto-based Q9 Networks, which provides outsourced Internet infrastructure and managed hosting services, there might be many conditions that contribute to the risk to Canada’s information infrastructure, but a major meltdown is not inevitable — if the right steps are taken now.
“If people don’t put the right infrastructure in place this becomes more and more possible as we rely more and more on technology, but we’re hoping through .. proper planning this would not happen,” he said.
First, he said, organizations that provide critical pieces of the infrastructure have to have the basics in place, such as fire suppression on their primary systems and backup power systems. But having a bullet-proof disaster recovery and business continuity plan is essential.
Arafat said more organizations are adopting a DR approach in which systems in one geographic area are replicated in another, providing seamless failover.