PACP Committee Report

CHAPTER 1, INFORMATION TECHNOLOGY SECURITY OF THE FEBRUARY 2005 REPORT OF THE AUDITOR GENERAL OF CANADA

OBSERVATIONS AND RECOMMENDATIONS

The Resources Available to Support IT Security

The decisions about resource allocation within departmental operating budgets are in the hands of deputy ministers. This audit shows that many deputy ministers are either unaware of the status of IT security inside their departments or do not assign sufficient importance to it. This finding suggests that departmental IT security is not receiving the resources needed to defeat the growing challenges it confronts. The Committee therefore recommends:

    RECOMMENDATION 12

    That the Office of the Chief Information Officer conduct a government-wide review to ascertain the total level of human, technological, and financial resources that are being devoted in fiscal year 2005–06 to IT security in departments and agencies, that it analyze the results to determine whether they are appropriate, and that it report the results to Parliament by 30 April 2006.

CONCLUSION

In Canada and elsewhere there is a high level of awareness of the vulnerabilities that surround the use of computer-based communications, data storage, and data transmission systems. Threats to these systems have been expanding in harmony with our society’s — and our governments’ — growing reliance on these systems to manage and deliver an enormous array of public and private transactions and services. Many of the transactions are of a confidential commercial or financial nature, or are matters of public health and safety.

The federal government is the largest entity in Canada. The number and nature of its exchanges with groups and individuals is enormous and — in a country whose citizens are dispersed across great distances — sure to expand. These services will grow more sophisticated, more widespread, and from the perspective of individual consumers, less expensive and easier to obtain and use.

Apart from the extent of its involvement in the accumulation of sensitive data, the government is, in turn, one of the largest providers of services and information to Canadians via electronic means. Many of these services are considered vital, including the issuance of Canada Pension Plan, Employment Insurance and other benefits, payments to suppliers, cash transfers to other levels of government, and inter-governmental and intra-governmental communications that touch on health, safety, and other important matters.

Against this backdrop, there is a pronounced need for the highest possible level of security to protect these interactions, and the resulting accumulation of data, against intrusion. A weakness or a breakdown in federal government IT security would have serious implications for Canadians and the availability of all manner of services upon which they depend. Further, as in any democratic system, institutions of government function only to the extent that they are perceived as legitimate and worthy of trust by their citizens. Government, as custodian of some of its citizens’ most private information, must therefore guard that information with utmost caution. Otherwise, in the words of the Auditor General: “If security weaknesses allowed someone to access a database or confidential information, Canadians’ trust in government would be greatly eroded.” (1.4)

From the Committee’s perspective, it is not possible to underestimate the potential adverse consequences of a failure to adequately protect government IT systems against intrusion or breakdown. Those entrusted with the protection of those systems — at central agencies and in senior managerial positions in departments and agencies — need to be fully aware of the significant risks resulting from a failure to exercise proper monitoring of IT security systems and to take immediate corrective action when vulnerabilities are discovered.

Weeks following the Committee’s review, the results of an internal audit obtained through an access to information request show that there is indeed reason for concern. According to newspaper reports, a 2004 internal audit at the Canada Revenue Agency found that “laptops used outside the office were not locked up properly, confidential information was kept on computers that were vulnerable to hacking and workers did not know they are required to report criminal activity.” Of 3,000 workers surveyed, more than half did not know how to report a security incident. Managers “said they were unsure about whether, and how, to monitor the department’s electronic systems.” [4] As the newspaper report noted, four computers stolen from the Revenue Agency’s office in Laval, Québec, in 2003 contained information on 120,000 Canadians, including their social insurance numbers. This report and the results of the Auditor General’s investigation clearly show that IT security vulnerabilities are spread across all government entities, including large ones responsible for handling the most sensitive personal information of Canadian citizens.

The Committee fully expects, therefore, that the Government of Canada and Treasury Board Secretariat will assign urgent priority to acting on commitments to resolve IT security vulnerabilities, implementing the Auditor General’s recommendations, and ensuring that Canadians have secure, trustworthy electronic access to government programs and services.


[4] Security report blasts tax collectors, Globe and Mail, 25 April 2005.