From: The Windsor Star

Jordan Press

Canadian companies may be skimping on IT security, leaving themselves and Canadians vulnerable to attacks from hackers, newly released records suggest.

The documents from Public Safety Canada show that the scale of cyber-security threats “is significant” and many companies don’t invest the required money or time in good IT security.

How to solve this problem is something the Harper government has been investigating, according to records released to Postmedia News under access to information laws. The records include an account of a meeting with a cyber-security expert at an American conservative think-tank who has argued against any form of government intervention in IT security.

The government’s cyber-security strategy doesn’t legislate IT security standards for businesses or citizens. In October, the Conservative senator who chairs the Senate defence committee told a security conference the government wasn’t interested in legislating cyber-security standards.

Some experts argue the answer is for the government to legislate minimum standards for IT security in Canada. Others argue the government should lead by raising its own IT security requirements, forcing hardware and software developers to improve the security of the products they bring to market.

“I don’t know if it’s an avenue the government will go down,” said John Adams, the former chief of Canada’s cyber spy agency, and now a fellow at Queen’s University.

“It’s a heck of a challenge and the companies would go bonkers if you went after them.”

A discussion paper prepared for Public Safety Canada and released internally in July 2012 suggests there are “resource limitations” and “software dependencies” that affect how the private sector in Canada protects itself from “sophisticated cyber intrusions.” The paper is titled: Defending Canadian private sector from sophisticated cyber intrusions.

“The current situation is that there are an increasing number of new software vulnerabilities that can be exploited to gain access to companies’ networks,” reads the heavily redacted paper, labelled secret.

“The scale of the problem is significant. The cost of maintaining a highly secure network is high for each company, and they may not be willing to make that investment … With many thousands of companies in the same situation.”

Cases of malicious code and software affecting businesses and government alike are growing. From April to June of 2012, the Canadian Cyber Incident Response Centre saw a 45-per-cent increase in the number of reported IT security breaches, states an unclassified report the centre gave to the government and clients after the second quarter of the year.

CCIRC found there was a “clear trend” in “malicious individuals” targeting Canadians “by impersonating financial institutions through phishing campaigns.” There was also an increase in cases of ZeuS malware, a banking trojan that steals online banking credentials by logging keystrokes and taking screen captures on an infected computer.

Government was not immune to malicious code being embedded in its websites. CCIRC issued almost 2,000 “victim notifications” to alert businesses, schools and government agencies that they were “hosting malicious content, website forgeries, and personal information.”

At a cyber-security event organized by the American Enterprise Institute on July 9, 2012, which a Department of National Defence employee attended, one expert argued that 80 per cent of attacks could be prevented by better “cyber hygiene,” says a briefing note prepared for the chief of defence staff.

“Most experts argued that given the nature of the threat, minimal standards in cyber security should be legislated,” the briefing note reads.