http://www.nationalpost.com/home/story.html?f=/stories/20020417/666688.html

Andrew McIntosh
National Post
amcintoshat_private
April 17, 2002

OTTAWA - The government is failing to strengthen security measures for its computer systems and networks across all departments, exposing critical government infrastructure to cyber attacks by thrill-seeking hackers and terrorists, the Auditor-General warned yesterday.

If steps are not taken to fix problems fast, it could undermine the federal government's much-vaunted effort to connect Canadians to the Web and provide credible online government Internet services, Sheila Fraser says.

"Cyber threats are real and can do significant damage," she wrote. "They can impair information assets and disrupt business operations. Some incidents result in lost productivity; others can lead to a loss of consumer confidence, a tarnished reputation and loss of credibility, to outright fraud."

In a special audit tabled in her annual report to Parliament, the Auditor-General paints a picture of a slow-moving bureaucracy in a state of denial about the threats posed by hackers, and inaction on the computer security front.

Auditors embarked on a series of "vulnerability assessments" of government computer systems. They conducted what they called "war dialling" tests of government phone lines and checked 260 separate government systems for possible vulnerabilities.

One third of the systems checked contained vulnerabilities that "could allow the systems to be readily compromised by a targeted cyber attack," the audit found.

In one case, they found a system with no password for its administrator, "allowing any Internet user to gain access to the system."

In another case, a government system was so weak it could allow a hacker to install software "to attack other systems on the Internet" and make it appear that the attacks "were initiated by the government."

The government knows the threat is real, Ms. Fraser added.

In the summer of 1999, federal officials studied security measures for Internet sites and computer systems involving six of its own departments. Officials learned that hackers triggered 80,000 alarms and, upon further investigation, officials discovered 500 attempts by hackers to penetrate government computers, "many using automated tools."

Ms. Fraser said that given the increased threat posed by possible cyber attacks and the devastation they can be expected to cause, she expected government oversight of computer security initiatives would have been strengthened.

"However, this has not been the case," she wrote.

The government adopted a data security policy in 1994 that required all departments to have security specialists from the Royal Canadian Mounted Police review their system security measures at least once every five years and more frequently for systems storing top secret information.

Yet 85% of the departments that are subject to the policy failed to comply.

So, the government adopted a new computer security policy in 2002: the RCMP is no longer responsible for security reviews and there is no longer a requirement that states the minimum frequency for security assessments.

The government has pledged to complete a new report on the "effectiveness of its computer security policies across all departments by 2004.

"In our view," Ms. Fraser wrote, "a report is needed sooner."