Cyber security month continues in Canada with the release of the Auditor General’s Fall 2012 Report. Chapter 3 evaluates the federal government’s progress on protecting Canadian critical infrastructure against cyber threats. As the Auditor General noted, the federal government is uniquely positioned to protect Canadians because of its access to foreign intelligence and other information sources that are not available to other stakeholders.

What is the Auditor General’s assessment? The federal government has been stating its commitment to address cyber security threats to critical infrastructure since 2001. However, “[d]espite several past strategies and funding, […] progress in achieving these commitments has been slow.” It appears that the government’s focus has been on policy development (and, perhaps, redevelopment) rather than monitoring threats and building sectoral partnerships.

For example, the federal government announced the creation of the Canadian Cyber Incident Response Centre (CCIRC) in 2005 to serve as a national readiness and response team for cyber threats. The CCIRC still does not operate 24 hours a day, 7 days a week and there are no plans for it to do so. Instead, it operates Monday to Friday, from 8 a.m. to 4 p.m. Eastern Time. The government plans to extend the operational hours, but not provide 24/7 coverage. Cyber threats or attacks outside of those hours are reported to the Government Operations Centre, which then pages an employee at CCIRC.

There are concerns that the CCIRC is not included early enough when incidents do occur. In part, this is because it is not the initial point of contact for sectoral incidents; however, there also appears to be interdepartmental confusion. For example, CCIRC was not notified of an attack on government systems until more than a week after the intrusion was discovered.

Given that critical infrastructure is owned by the private sector or managed through provincial, territorial or municipal governments, partnerships with the federal government on national cyber security are critical. However, with the exception of the energy and utilities sector network managed by Natural Resources Canada, partnerships within other sectors are only now starting to be developed and do not yet provide complete coverage.

Public Safety Canada has, for the most part, agreed with the Auditor General’s recommendations.