Despite warning, many small government bodies still aren't using special cyber defences: report

Despite a stern warning from one of Canada's security review bodies, most Crown corporations, smaller government departments and agencies haven't heeded the call to use specialized cyber defence sensors to protect their networks from state-sponsored attacks, says a recent report.

Last year, the National Security and Intelligence Committee of Parliamentarians released a report pointing to gaps in Ottawa's network. 

The committee wrote that Crown corporations and small government departments and agencies (SDAs) — defined as those with fewer than 500 staffers and annual budgets of less than $300 million — are not required to follow the same cyber policies as other government departments. The report warned this state of affairs could pose "a security risk to government networks."

"Those organizations receive, hold and use the sensitive information of Canadians and Canadian businesses, information that is at risk of compromise by the most sophisticated of cyber actors, including states," the report said. 

"Moreover, unprotected organizations potentially act as a weak link in the government's defences by maintaining electronic connectivity to organizations within the cyber defence framework, creating risks for the government as a whole. These challenges are well known to the government."

NSICOP's report — which was submitted to Prime Minister Justin Trudeau in August 2021 and tabled in Parliament in February 2022 — said that while China and Russia are the most sophisticated cyberthreat actors targeting the federal government, Iran and North Korea have "moderately sophisticated" capabilities.

The committee has recommended that the cyber defence sensors of the Communications Security Establishment (CSE) be extended to cover all federal entities.

But new numbers from the CSE, Canada's cyber intelligence and security agency, show that less than half of Crown corporations and smaller departments and agencies "whose IT infrastructure is outside the government's network defences" followed that recommendation.

"Since March 2020, the number of Crown corporations and SDAs signed up for our sensors has grown from 12 to 37 (out of 86)," says the CSE's 2022-2023 report.

"The Cyber Centre continues to view this sector as a high priority and is working to onboard more federal institutions to our services."

Robyn Hawco, CSE spokesperson, said the agency uses its own in-house technology — called Host-Based Sensors, or HBS — on government servers, laptops and desktops.

"To put it simply, each sensor securely gathers system data, while protecting the privacy of those using this service. That data is fed back to our experts for analysis. They map any malicious activity, such as malware trying to download, and document the recipe to inoculate other devices from being infected in future," said Hawco.

"The HBS technology is user-friendly and not only detects but also neutralizes malicious activity, automatically."

The sensors process over 200,000 host events per second, she said.