The federal government manages many files for which we entrust it with personal information such as our name, our age, our address, our bank details, our tax data… It also manages ultra-sensitive data related to the security of the country.
However, this data is poorly protected.
This is what emerged from an audit by the Auditor General of federal departments and agencies.
Why this audit now? Because four years ago, the Treasury Board Secretariat asked federal departments to plan the transfer of their databases to cloud computing. In a context where cyberattacks are more and more numerous, and where the security of States is weakened, the Auditor General wanted to ensure that the federal government adequately protects the information under its responsibility.
However, her assessment is not reassuring.
She indicates in a report tabled on November 15 that the numerous security measures adopted by the federal government provide a false sense of security. In fact, they are applied little or not at all within ministries or in contracts with service providers.
Her report also highlights confusion over the roles and responsibilities of departments and agencies. Who does what? It's not clear.
Result: no one has to answer for their actions, everyone's responsibilities fall through the cracks and our data is vulnerable.
These rules should be clarified and updated annually, she said.
Another finding of the Auditor General: the Treasury Board Secretariat has not fulfilled its mandate to support departments with regard to the planning and funding of this transition and the securing of data in the cloud.
The Auditor General also notes that the government is not proactive enough in terms of cybersecurity. Among the shortcomings: the small number of simulations run to test the effectiveness of the controls put in place. Yet cybersecurity experts estimate that a computer server of a company or a ministry can be the target of a hundred attacks daily. To ensure that our safeguards are adequate, they must be constantly tested.
The federal government has been dragging its feet on this file. Some experts even call it irresponsible.
This negligence is all the more flagrant as the government imposes stricter standards on the private sector (Bill C-26, which strengthens the Cybersecurity Act, passed first reading in the House of Commons).
Why not show the same rigor in the public sector, whose law has not been reviewed since 1982 (!), when faxes were sent and USB keys did not exist, except perhaps in sci-fi movies? This delay is unjustifiable.
It is high time to review our legislative framework in depth by taking inspiration from the standards imposed on the private sector. We can also draw inspiration from European standards, which serve as a benchmark.
The public sector should be at the forefront of cybersecurity and set an example by adopting robust laws that would apply to all departments.
It remains to be decided which ministry or agency would be responsible for the application of a revised and strengthened law. But one thing is clear: this entity will have to be accountable and have clear powers established by law. It will also have to be funded in proportion to the responsibilities it will assume.
Time is pressing. The Auditor General is categorical: the federal government must act "immediately", she insists.
Our governments should also be concerned about the shortage of specialized cybersecurity workers. In the context of the knowledge economy, when we want to establish ourselves in areas such as artificial intelligence, we have to think of strategies to attract young people to high-level training to meet the needs of the public and private sectors. Our individual and collective security depends on it.