Auditor general calls for stronger federal action on cloud cybersecurity

OTTAWA — Government departments must do more to ensure secure storage of information in the digital cloud amid the rising threat of cyberattacks, the federal auditor general has warned.

In a report tabled in Parliament on Tuesday, Auditor General Karen Hogan said requirements were not always clear for placing information in the cloud — space the government acquires on computer servers in various data centres.

Hogan’s report said these shortcomings increase the risk of security breaches as cyberattacks become more common and sophisticated.

She urged the federal government to take immediate action to strengthen how it prevents, detects and responds to cyberattacks.

Hogan said the government should do this now, while departments are still in the early stages of moving personal information to the cloud.

The recommended action includes shoring up key security controls as well as clarifying shared roles and responsibilities for cybersecurity. In a response included with her report, the government agreed with her recommendations and listed steps it intended to take.

The Treasury Board Secretariat has directed departments to consider moving applications and databases to the cloud, meaning more personal information of Canadians is being stored there, the report noted.

The auditor general found that in the four years since this direction, there had been no long-term funding plan for cloud adoption.

“Departments need both a funding approach and costing tools to ensure that the people, expertise, skills, training, funding, and other resources they need to secure cloud-based information are available to prevent and address the greatest threats and risks,” the report said.

The government relies on several parties to work together to protect information in the cloud.

The auditor general said the Treasury Board Secretariat, Shared Services Canada, Public Services and Procurement Canada, the Communications Security Establishment and selected departments had controls to manage cybersecurity events in the cloud “but did not effectively implement them or establish and communicate clear roles and responsibilities for implementing them.”

Hogan’s team also found gaps in the way security inspections for cloud service providers were carried out. “We cannot report our findings publicly because doing so could reveal information on vulnerabilities and pose a risk to national security. Consequently, we reported them directly to Public Services and Procurement Canada.”

The contracts for cloud services put in place by Shared Services Canada and the supply arrangements established by Public Services and Procurement Canada included only limited details about providers’ obligations during security episodes, such as who should respond and how quickly, the report added.

The roles and responsibilities for cloud security are articulated in multiple documents, the auditor discovered. “As a result, we found that departments were confused about some of their roles and responsibilities.”

For example, one directive says departments are responsible for ensuring that data stored in the cloud, including sensitive and personal information, resides on servers located in Canada. But after reviewing contracts and supply arrangements, the auditors found that “not all parties involved understood this.”

“Without a clear understanding of who ensures that data stored in the cloud resides in Canada, organizations risk not knowing whether personal information ends up stored in a different country and if so, whether it is subject to different (potentially inferior) privacy protection laws and security protocols.”