Cybersecurity plan for federal government takes aim at 'inefficiencies, blind spots'

OTTAWA — The federal government has unfurled a new cybersecurity strategy aimed at protecting its vast array of computer systems and information banks against a growing variety of threats.

The strategy released Wednesday says while the government has made progress on improving cybersecurity in recent years, the online dangers have advanced even faster.

A renewed commitment is needed across departments and agencies to digitally deliver secure and reliable government services to Canadians, the plan says.

It warns that the government is an attractive target due to its holdings of personal information, valuable research data and other sensitive material.

As a result, cyberattacks can have a significant effect on government operations, either through disruption of critical and essential services or exposure of classified or personal information, it says.

"This significant effect can put people at risk of identity theft or other types of fraud, all of which can potentially erode trust in government institutions and negatively impact the overall Canadian economy and society."

A whole-of-government approach to cybersecurity "has never been more important," Treasury Board President Anita Anand said in an interview.

"I worry about the invasion of privacy. I worry about the shutdown of government systems."

The strategy document flags current gaps, including:

— marginal progress by departments and agencies in improving their ability to identify and respond to threats;

— lack of a comprehensive awareness of cybersecurity risks;

— use of different tools, methods and services to monitor systems, which can make it difficult to obtain a comprehensive view of security threats;

— traditional security architecture models that are now less effective;

— weak information management practices, including reliance on outdated tools;

— and strong global demand for talent, leading to a shortage of skilled cybersecurity professionals.

The document warns that disparate approaches to security capabilities "can lead to inconsistencies, inefficiencies and blind spots" in the government's overall defences.

It highlights the rapid adoption of cloud computing services, usually offered by private firms using software, servers and other hardware hosted on the company's premises.

Due to a lack of clarity, departments and agencies have been expected to manage their cloud-based environments, including cybersecurity operations, the strategy document says. This expectation has led to duplication of efforts, inconsistent approaches and lack of intelligence sharing.

The new strategy, which applies to more than 100 federal departments and agencies, is aimed at clearly spelling out the security risks to government systems and preventing attacks more effectively.

It is also intended to strengthen capabilities across agencies, and build a workforce with the right cybersecurity skills, knowledge and culture.

Anand acknowledged the hurdles of working toward a more uniform approach, given the different systems and practices currently in place.

"It is challenging, but it is something that we must do, to be able to protect against cyberattacks, as well as to be more efficient for Canadians and deliver services in the most effective way possible," Anand said.

The plan does not cover federal Crown corporations, such as Canada Post and the CBC.

"But we are strongly recommending that they follow suit in terms of what we are going to be implementing," she said.

For the strategy to work, key players must work closely together, the document says.

They include the Treasury Board of Canada Secretariat, which provides policy and oversight, the Communications Security Establishment and its Centre for Cyber Security, the central Shared Services Canada agency, and scores of federal departments and organizations.

Anand said Treasury Board's leading role is crucial to ensuring the approach is evergreen, "so that as new threats evolve, we are ready to respond."

This report by The Canadian Press was first published May 22, 2024.

Jim Bronskill, The Canadian Press