(OTTAWA) Various federal government departments must do more to secure Canadians’ personal data stored in the cloud, the auditor general warns in a new report released Tuesday.
Faced with increasingly frequent cyberattacks, Auditor General Karen Hogan says in a report tabled in the House of Commons that the government’s requirements put in place to reduce risks “were not always clearly defined”.
Therefore, “these gaps represent an increased risk of security breaches,” she notes, adding that “cyberattacks are becoming more frequent and sophisticated.”
It encourages the government to act now to strengthen its controls to be able to prevent, detect and respond to cyberattacks.
Karen Hogan insists on the importance of acting without delay since the various departments are only “at the first stages of the transition to cloud computing”.
Recommended actions include “strengthening key security controls to prevent, detect and respond to security breaches.”
It is also proposed to define “clear common roles and responsibilities in cybersecurity” so that all departments know what they have to do.
In a response included in the report, we learn that the government welcomes all the recommendations and has already planned a series of actions to implement them.
The report also reveals that the Treasury Board of Canada Secretariat gave the various departments a mandate four years ago to prepare to migrate their databases to the cloud, which means that many more personal information of Canadians will be found there.
However, over these four years, the Treasury Board Secretariat has yet to provide a long-term funding plan for cloud computing adoption.
“Departments need a funding methodology and costing tools to ensure they have the manpower, expertise, skills, training, funding and other resources they need to secure information stored in the cloud in a way that prevents and responds to the most significant threats and risks,” the Auditor General wrote.
The government relies on several services that must work together to ensure the protection of information stored in the cloud.
According to the Auditor General, the Treasury Board of Canada Secretariat, Shared Services Canada, Public Services and Procurement Canada, the Communications Security Establishment of Canada and several departments are implementing their own cybersecurity controls, but they did not “effectively implement these controls, nor did they clearly establish and communicate roles and responsibilities associated with their implementation”.
M’s team of auditorsme Hogan also discovered flaws in the way security inspections are conducted at cloud storage providers. However, these observations cannot be made public so as not to harm national security.
The contracts awarded by Shared Services Canada and the agreements entered into by Public Services and Procurement Canada “contained few details on the obligations of the service providers in the event of security incidents, in particular the target response times and the persons responsible for intervene,” the report read.
The Auditor General also reveals that the roles and responsibilities of each are set out in multiple documents. Thus, many ministries find themselves confused about some of their responsibilities.
For example, it is noted that departments must ensure that data stored in the cloud is kept in Canada. However, it appears that the parties concerned by several service agreements “did not all understand this requirement”.