In his book The Outliers, Malcolm Gladwell espoused the theory that to achieve excellence in any field, one needed to practice it for 10,000 hours. So…does the 10,000 hour rule apply also to doing something 10,000 times? It may not be a perfect application of the theory but, in light of a recent report, one wonders just how much more practice the Federal Government needs to properly manage Canada’s records.
The CBC reported this week that the National Security Sweep Program revealed more than 10,000 incidents of classified or secure information being improperly stored by federal government employees since last November. While some of these were sensitive paper document left out on desks or filing cabinets not locked, others involved digital information not being properly handled. Okay – we know that 10,000 hours is not the same as 10,000 times, but you get the point.
Of the departments that report (Revenue Canada and the Justice Department were not included in the report), Public Services and Procurement Canada, the Global Affairs Department and, believe it or not, CSIS, were the worst offenders, accounting for over 60% of the infractions.
The Federal government has been the target of hackers over the past couple of years. In 2011, it was revealed that Chinese hackers had gained access to three departments and stole classified information. During the Tax crunch in April of 2014, Revenue Canada’s tax return site was targeted and shut down for several days. And, in June 2015, the government’s websites and their primary email servers were shut down for a couple of hours. In response to those events, Public Safety Canada reported that it had spent $245 million to harden the government’s computer networks.
While most government ministers declined to explain the lapses in security, Ralph Goodale (Minister of Public Safety) did assure the public that, once a sensitive document that was left out in the open was identified, it was locked up. Sort of like closing the stable door after the horse has bolted.
The improper handling of sensitive information in government appears to be pervasive. Whether the cause is poor training or poor information management systems, the result is the same: sensitive information which is improperly secured is a gold-mine for cyber-criminals.
While Public Safety Canada’s solution to build stronger walls is an important part of cybersecurity strategy, strong walls are not enough – one also has to make sure that sensitive information is not left outside those walls. The Federal Government should take the lead in cybersecurity. Unfortunately, Canadians will now question whether that is presently the case.