CSEC and the Heartbleed bug
CSEC asserts that it was not aware of the Heartbleed bug until April 7th, the day the public learned of the bug. However, as CBC points out, that was still one day before the Canada Revenue Agency shut down its website in a belated effort to prevent unauthorized data leakage (Valerie Boyer, "CSEC aware of Heartbleed bug day before CRA website shutdown," CBC News, 16 April 2014).
A Bloomberg news report on April 11th claimed that the NSA (and thus, almost certainly, CSEC) has been exploiting the bug for at least two years. The U.S. government has denied that report, claiming that it would have reported the bug if it had been aware of it. It does acknowledge, however, that not all of the cyber security flaws that NSA knows of are disclosed.
Whether or not NSA and CSEC are telling the truth, the issue highlights the conflict of interest that these agencies have between their SIGINT mandates and their IT security mandates.
CSEC's IT security mandate (see National Defence Act para. 273.64(1)(b)) applies only to "electronic information and... information infrastructures of importance to the Government of Canada", so CSEC most likely considers that protection of the average Canadian citizen from cyber security flaws is simply not its job. Indeed, it might well argue that it is not allowed to assist in that regard, as it would not be lawful for the agency to engage in activities outside its statutory mandate.
But even if protection of the public were part of its mandate, there is zero chance that CSEC would reveal a bug that it learned about from its SIGINT allies if those allies wanted the bug to remain secret. And even a Canadian-discovered bug might well be reserved for SIGINT use rather than revealed to the world, or even other Canadian government organizations, for IT security reasons.
The SIGINT side of the house dominates the activities of all the Five Eyes agencies.
That said, CSEC does have a mandate to help secure the Canadian government's cyber infrastructure, and it does make a significant contribution in that regard.
As I understand it, the Government of Canada Computer Incident Response Team (GC CIRT) is the organization directly responsible for responding to threats to Canadian government cyber systems. Formerly part of CSEC, GC CIRT was transferred to Shared Services Canada, the government IT services agency, on November 1st, 2013. CSEC remains mandated to assist in protecting the Government of Canada information infrastructure, however, and the agency has confirmed that it worked with “government departments on mitigation and protection measures to address the Heartbleed bug.” It may well have been CSEC that monitored the exploitation of the flaw on the CRA website, which probably happened on April 7/8th.
Whichever agency ultimately was responsible for protecting Canadian government websites in this case, the overall response does not seem very impressive. You have to wonder why it took so long to react to such a significant security flaw in a site as crucial as Revenue Canada's.
Related news coverage:
- Jordan Press, "Weekend of confusion for Canadians as ‘Heartbleed’ bug forces government website shutdowns," Montreal Gazette, 12 April 2014
- Matt Hartley, "CRA waited days to inform Canadians of SIN leak," Financial Post, 14 April 2014
- Richard Blackwell & Tu Thanh Ha, "Tax agency leaves Heartbleed victims in the dark about stolen data," Globe and Mail, 14 April 2014
- "Heartbleed SIN breach suspect ID'd by RCMP," CBC News, 15 April 2014
- Daniel Leblanc & Tu Thanh Ha, "RCMP charge teen in relation to Heartbleed bug attack on CRA," Globe and Mail, 16 April 2014
Also of interest:
- Canadian Cyber Incident Response Centre Advisory AV14-017, issued 8 April 2014
- CSEC's IT Security Alert 65, issued 10 April 2014