Friday, 11 March 2011

The Canadian government doesn't understand "cybersecurity"

I want to have faith in our government when it comes to our computer systems. It doesn't take that much effort to keep systems up to date. So why are government departments still using Internet Explorer 6?

When my friend, Joe blogged about the Canadian Border Services Agency (CBSA) visiting his site, I went and checked my own logs and found that they were paying a visit as well. I don't have much of a comment regarding the CBSA's visits to my site, but it struck me as odd after seeing the entries. - - [15/Dec/2010:12:35:27 -0800] "GET /wp-content/themes/motion/ie6.css HTTP/1.1" 200 1443 "" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Here's what struck me: they're running Windows XP with Service Pack 1 and Internet Explorer 6.

How old is the garbage that they're using? Well, Windows XP came out in 2001 as well as Internet Explorer 6. Service Pack 1 is definitely old as it came out a year after XP's release.

Why? Here's an excerpt from a recent article where Chinese attackers managed to penetrate a number of federal government systems:

He added that in anticipating potential cyberattacks, "we have a strategy in place to try and evolve our systems as those who would attack them become more sophisticated."

Public Safety Minister Vic Toews said he could not speak about details pertaining to security-related incidents, but he said the government takes such threats seriously and has "measures in place" to address them.

What measures in place have you taken, Vic? How is it acceptable that our federal government (as oppposed to "Harper Government") is running software that pre-dates the formation as the Conservative Party as we know it? The Auditor General, Shiela Fraser warned in 2002 that the government systems were not up to snuff. It's amazing how we've gone nowhere in the past ten-years.

And while the excerpt from my log shows that this pre-dates the whole incident, it doesn't mean that the problem has gone away. In fact, Joe's blog article shows that as recent as March 9th that they were still using the decade-old browser.

It isn't just just the CBSA that has these problems. Up until October 2010, the RCMP was still actively browsing the Internet using Internet Explorer 6. - - [02/Sep/2010:06:47:50 -0700] "GET /wp-content/themes/lightword/images/date_comm_box.png HTTP/1.1" 200 369 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; INFOWEB-APPROVED; INFOWEB-APPROVED-IE6-FR; .NET CLR 1.1.4322)"

The RCMP have frequently visited this website since I had started a new set of logs in May. When they revisited in October, they had finally upgraded to Internet Explorer 8.

The main reason a number of organizations (government or not) use this old browser is due to the fact that a number of arrogant, naive web developers relied on certain quirks or abilities that Internet Explorer permits. These features have problems with newer browsers and thus the applications that these groups have spent money on need to be upgraded or replaced. There are solutions for fixing this problem but bean counters tend to get in the way of progress.

Strategies for cybersecurity are lacking in all departments. When I blogged about government e-mail addresses in the Gawker database, I contacted the Communications and Security Establishment (CSE) regarding the matter and got this response:

Thank you for your interest. It is not in our role to pursue this but I will ask internally if it should be reported to the government CIRC. As you infer in your email, organizations should make their people aware that the best practice is to use different passwords for workplace versus non-workplace sites.

What is the government CIRC? Google tells me absolutely nothing. I wish at the time that I had asked, but it should be made clear how to report issues of concern to the federal government. The US government makes it very easy to do this and if Harper wishes to emulate more aspects of our American friends, at least emulate this.

Because of the lack of resources that I as a responsible citizen do not have at my disposal thanks to my government not taking any serious action on security matters, I will be speaking with my Member of Parliament about it. It's upsetting to say that I have to talk to my elected official to get IT departments in government agencies to simply keep their systems up to date.

No comments:

Post a Comment