Following a large cybersecurity breach that affected thousands of Canada Revenue Agency (CRA) accounts, experts say that a behavioural shift in how the public approaches cybersecurity is important, but institutions need to take the lead.
The CBC first reported the series of cyberattacks that compromised the personal information of 11,200 accounts. The hackers targeted the Canada Revenue Agency and GCKey, an online portal through which Canadians are able to access employment insurance and other benefits.
The hackers got in through “credential stuffing,” Marc Brouillard, acting chief information officer for the Treasury Board of Canada Secretariat, said during a press conference. In a credential-stuffing attack, attackers take usernames and passwords leaked from breaches of other websites and replay them against a target, banking on people having reused the same password; the accounts that open are the ones whose owners did.
Annette Butikofer, chief information officer at the CRA, said the agency was impacted on three separate occasions. She added that the hacked accounts have temporarily been revoked and individuals affected will get a letter from the CRA that will tell them how they can regain access to their accounts.
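The attack pattern described above has a recognizable signature in authentication logs: one source address trying many different usernames, roughly once each, with mostly failures and a scattering of successes (the reused passwords). That differs from a brute-force attack on a single account (one username, many failures) and from ordinary traffic behind a shared address. The detector below is an added example written for this article, not code from the CRA, GCKey or the Treasury Board; the log format, the addresses, the usernames and the thresholds are all constructed assumptions. It also reports which accounts the attacker actually got into, which is the list an operator would revoke and notify, as the CRA did.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption; not the CRA's or GCKey's real log schema):
#   <ISO-8601 UTC timestamp> ip=<source IP> user=<username> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"] == "OK"


def classify(lines, window=timedelta(minutes=10), min_attempts=8,
             min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs whose login pattern inside any `window` looks like
    credential stuffing (many distinct usernames, mostly failures, a few
    successes) or single-account brute force (one username, many failures).
    Thresholds are illustrative assumptions, not tuned values."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_ip[ev[1]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # by timestamp (first tuple field)
        n, j = len(events), 0
        for i in range(n):
            j = max(j, i)
            # Extend the window to include every event within `window` of events[i]
            while j < n and events[j][0] - events[i][0] <= window:
                j += 1
            chunk = events[i:j]
            if len(chunk) < min_attempts:
                continue
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if not e[3])
            fail_ratio = fails / len(chunk)
            if fail_ratio < min_fail_ratio:
                continue
            if len(users) >= min_distinct_users:
                kind = "credential_stuffing"
            elif len(users) == 1:
                kind = "brute_force"
            else:
                continue
            hit = {
                "kind": kind,
                "attempts": len(chunk),
                "distinct_users": len(users),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts the attacker got into: candidates for revocation and notification
                "compromised": sorted(e[2] for e in chunk if e[3]),
            }
            # Keep the busiest window per IP
            if ip not in findings or hit["attempts"] > findings[ip]["attempts"]:
                findings[ip] = hit
    return findings


def build_sample_log():
    """Constructed sample events (RFC 5737 documentation addresses, made-up users)."""
    t0 = datetime(2020, 8, 15, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [
        # Normal traffic: a couple of users behind one NAT address
        f"{t0.strftime(fmt)} ip=198.51.100.7 user=alice result=OK",
        f"{(t0 + timedelta(seconds=5)).strftime(fmt)} ip=198.51.100.7 user=bob result=FAIL",
        f"{(t0 + timedelta(seconds=9)).strftime(fmt)} ip=198.51.100.7 user=bob result=OK",
    ]
    # Credential stuffing: 12 distinct usernames tried once each; 2 reused passwords work
    for k in range(12):
        user = f"u{1001 + k}"
        result = "OK" if user in ("u1003", "u1009") else "FAIL"
        ts = (t0 + timedelta(minutes=1, seconds=5 * k)).strftime(fmt)
        lines.append(f"{ts} ip=203.0.113.5 user={user} result={result}")
    # Brute force: one username hammered repeatedly, all failures
    for k in range(10):
        ts = (t0 + timedelta(minutes=2, seconds=3 * k)).strftime(fmt)
        lines.append(f"{ts} ip=192.0.2.9 user=carol result=FAIL")
    return lines


if __name__ == "__main__":
    for ip, hit in classify(build_sample_log()).items():
        print(ip, hit)
```

The distinct-username ratio is what separates stuffing from brute force; a real deployment would also key on ASN, user agent and the per-account view (first successful login from a never-seen address), since attackers spread stuffing runs across many addresses precisely to stay under per-IP thresholds.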
Onus is on organizations: Cavoukian
Ann Cavoukian, former information and privacy commissioner of Ontario, said that the CRA should have been more responsible for ensuring their systems are up to date so attacks like this didn’t happen.
“You can’t put this on the individuals by saying they have crummy passwords,” she said. “To expect individuals to regularly change their passwords and make it difficult, that’s just not going to happen. I think the CRA has to devise stronger systems.”
One way to do this, she suggested, would be end-to-end encryption, which keeps data unreadable to third parties while it is in transit. Encryption alone does not stop credential stuffing, however: an attacker who signs in with a valid reused password is handed the decrypted data exactly as a legitimate user would be.
“If systems are not encrypted, hackers are going to jump all over it,” Cavoukian said. “Why the heck doesn’t the CRA elevate the level of security and protection by encrypting the data to make it much more difficult [for hackers]?”
Shared Services Canada said in an email that GCKey is an end-to-end encrypted service, and that the service itself was not compromised.
In the press conference, Brouillard said that the systems did not include two-factor authentication because any security measure on them has to be accessible to all Canadians.
“We are constantly evaluating our security posture and addressing issues, adding mitigations. This is an ongoing challenge,” he said. “Two-factor authentication systems would have prevented this, [as well as technology] where you are required to have a key or device. But that is something that is challenging, not everyone can have those things. We also have to worry about making our systems accessible and easy to use.”
Brouillard noted that the government is looking into different technologies “where multi-factor is available” and they are encouraging Canadians to adopt the practice.
Sumit Bhatia, director of communications and knowledge mobilization with Ryerson’s Cybersecure Catalyst, told Yahoo Finance Canada that the lack of clarity on what cybersecurity protocols the CRA uses is concerning.
“I’m assuming that like any other company when a breach takes place, there’s some sort of an audit that happens. And then there’s some consideration placed on how they would share what their cybersecurity best practices are,” he said.
“We don’t have two-factor authentication and that just leads to believe that there’s still work to be done on their side with regards to how they manage security.”
Bhatia says that changing technology in a government system takes time, and that one change could impact an entire system dramatically.
“These organizations are using legacy systems and they have to plan out a roll out in a way where one piece does not have a major impact on others,” he said.
“Attacks like this are also an indication that people need to be made aware of their role and responsibility in dealing with public systems and that’s where evolution becomes a priority.”
Bhatia also added that while the CRA needs to implement stronger technology, in the long term Canadians need better cybersecurity education that starts at the grade school level.
“We are talking about a cultural shift and by that, I mean about living in an era where security can’t be an afterthought like it was a few years ago,” he said.
“We are teaching six-year-old kids to learn how to code, how are we not making sure that every time they are taught about technology, or how to use a phone, laptop, or iPad, but we are not starting the discussion about security?”
The RCMP has confirmed it will be investigating the attacks but has not released any information in terms of who is responsible.