(Quebec) Quebec orders the preventive shutdown of all of its computer systems accessible from the Internet, no fewer than 3,992 sites and services, following the discovery of a major security flaw affecting servers around the world.
In Ottawa, the federal government decided to do the same by shutting down several services that could be vulnerable while the situation is being assessed. The Canada Revenue Agency (CRA) is one of them.
“The Agency has become aware of a security vulnerability that affects organizations around the world. As a precaution, we have proactively made the decision to suspend our online services while we make necessary updates to our systems. There is now no indication that the agency’s systems have been compromised or that unauthorized access to taxpayer information has taken place as a result of this vulnerability,” the CRA said in a statement.
Revenu Québec has also suspended its online services, although its site remains open for consulting the organization’s basic information. “There is no indication that our systems are affected by this vulnerability, but we are acting proactively to preserve their integrity. Our services will be available again as soon as possible,” reads a notice on its website.
The “Log4Shell” flaw allows an attacker to execute code on organizations’ servers and take control of their systems. A Java library from Apache, widely used around the world, is affected. The flaw was discovered on December 10. In Quebec City, the Government Cyber Defense Center became aware of this vulnerability the same day and asked all those responsible for computer security to look for this flaw in the systems of the Quebec government.
At the end of the day on Saturday, “we agreed that the threat of harm was greater than the harm of shutting down all government systems accessible from the internet,” explained the Minister for Digital Transformation, Éric Caire, during a press conference with Chief Information Officer Pierre Rodrigue on Sunday. “We were faced with a threat of a critical level of 10 out of 10. A criticality of 10 automatically shuts down the system that is targeted.” He therefore ordered the preventive shutdown of all 3,992 government websites and internet services, an exceptional decision never before seen in the government of Quebec.
“It is the whole of the public apparatus which is targeted by the directive,” ministries as well as public and parapublic bodies, insisted Éric Caire. The order affects, among other things, government services offered to citizens on the Internet, such as those using CLICSÉQUR, and the websites of the education and health networks. The system for making an appointment for a vaccine against COVID-19 “has already been corrected” and is accessible, while the vaccination passport would not be affected, according to the minister’s explanations.
Quebec specifies that no activity suggesting that an attacker has exploited this flaw has been detected to date. So far, then, there would have been no leak of personal data or sensitive government information, for example.
“There may be people who have scanned systems. That doesn’t leave a trace and we don’t know. But there was no attempt to enter, so no one who tried to use this breach to break into a server and cause damage. There aren’t any as we speak,” said Éric Caire.
All ministries and public and parapublic bodies must check whether they are using the Java library in question and therefore whether their computer systems are vulnerable. “We’re looking a little for a needle in a haystack, I won’t hide it from you!” the minister blurted out.
“Excuse the expression, but we have to scan all of our systems, because we don’t have an inventory. It’s like saying how many rooms in all Quebec government buildings use 60-watt bulbs. I do not know. So we go around the rooms and we go around the light bulbs to find out if it’s a 60 watt. It is a monk’s job.”
Internet sites and services will be reopened quickly if it is found that they are not affected by the security flaw. Others will need to have a patch installed and then be checked to see whether a problem persists. “There is a battery of tests to be done,” said Éric Caire. Several days will be needed to complete the operation and restore all of the computer systems. For the minister, there is no question of “cutting corners”.
If some government websites are available at the moment, it is either because their operators have not yet carried out the shutdown order (this would be a very small minority) or because it was quickly concluded that they are not affected by the flaw or that their systems have been corrected, as is the case for sites in the health network. The Quebec.ca platform, which uses the offending library, was shut down and quickly brought back online once the fixes were made.
“Critical sites, more sensitive and used, will be prioritized to minimize the impacts and ensure that they are made available as quickly as possible,” said Minister Caire. On Monday, the government is expected to make public an inventory of sites and services that have reopened as well as those that remain closed.
Citizens who need a service offered online and come up against a closed site will have to “use another route” and “officials can meet the needs of citizens,” said Éric Caire.
The Canadian Centre for Cyber Security has issued an alert asking all federal departments and agencies to carry out updates aimed at ensuring the security of their sites.
With Joël-Denis Bellavance in Ottawa