Heartbleed bug left Public Safety officials scrambling, emails show - Action News
Home WebMail Friday, November 22, 2024, 06:34 PM | Calgary | -11.5°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Politics

Heartbleed bug left Public Safety officials scrambling, emails show

Newly released documents show senior officials in the federal Public Safety Department were taken by surprise by the so-called Heartbleed computer bug.

Vulnerability was disclosed April 7, but Revenue Canada did not shut e-file system until next night

On April 14, the Canada Revenue Agency confirmed that 900 social insurance numbers had been stolen from its website as a result of the Heartbleed bug.

Newly released documents show senior officials in the federal Public Safety Department were taken by surprise by the so-called Heartbleedcomputer bug.

E-mails released under the Access to Information Act show the department scrambling to gather information about the bug on the night it forced a shutdown of the Canada Revenue Agencys online tax filing website, a move that came at the height of tax season.

Heartbleed is a vulnerability in the popular OpenSSL security encryption software thatgave hackers who were aware of it access to sensitive personal and financial information and allowed them tosteal information thats supposed to be protected.

A patch is available to fix this weakness. Without it, the bug can pose a threat to the security and privacy of web traffic, email and instant messaging.

1st questions asked on April 8

CBC News requestedemails related to Heartbleedfrom a number of federal government departments and agencies, for a time frame beginning onApril 1. While the Ministry of Public Safety responded, theCommunications Security Establishment Canada has asked for an additional 250 days to comply with the request, and the Canada Revenue Agency has asked for an extension of up to 540 days.

Internal emails from Public Safety acknowledge theHeartbleedbug was publicly disclosed on April 7, a full day before the Canada Revenue Agency shut down its website.

Correspondence among senior officials began to circulate just after 9p.m. on the evening of Tuesday, April 8, the night the revenue agencylocked down its online operations.

One of the first messages had the subject line: Urgent Request from the Ministers Office."

The MO understands that CCIRC[Canadian Cyber Incident Response Centre]has put out a warning re: CRA E-File, something to do with Heartbleed bug a software flaw that leaves secure websites open to hacking. Can you please confirm/provide any info or explanation asap.

The CanadianCyberIncident Response Centre had issued a warning about Heartbleed that day. The warning is referred to in subsequent emails within Public Safety that went on late into the evening. Still, there was confusion.

CRA is reporting up that PS [Public Safety]officials are advising them to close down E-file. Any accuracy to that? one email asked.

CRA shut down E-file after Shared Services warning

A later message informed officials Public Safety had not advised the revenue agency to shut down its systems but rather that the agency was acting on a warning sent out by Shared Services Canada, the department responsible for federal government computer networks.That same email noted the revenue agency also acted in accordance with its own policy reprotecting confidentiality of clients.

Heartbleed is a hole in the OpenSSL security encryption software which is used by an estimated two-thirds of sites on the web. Its existence was first widely revealed on April 7.
By the next day, Wednesday, April 9, news of Heartbleed had spread. Computer security experts were warning of a serious threat to private information.Revenue Minister Kerry-Lynne Findlay, meanwhile, was assuring Canadians her department was acting out of an abundance of caution by shutting down its website.

CRA has shut down E-File, Netfile, My Account, My Business Account in order to investigate, Findlay said.

On the same day the minister was trying to quell public concern over Heartbleed, communications officers from several government departments were working out a strategy to deal with questions about the bug.

An email sent that day by Andrew Swift, director of public affairs at Public Safety Canada, lays out a road map.

Public safety computers unaffected

PS [Public Safety]Communications chaired a conference call with communications partners from CRA, SSC, CSE, DND, TBS, IC, CSIS, RCMP and PCO this morning to discuss the Heartbleed cyber vulnerability being widely reported in the media today.

Swift writes that the media relations protocol, supported by PCO, will be divided among three departments: the Canada Revenue Agency, Shared Services Canada and Public Safety, with each handling questions about various efforts to counter the Heartbleed bug.

Emails circulated within Public Safety over subsequent days show the department was able to determine that its own computers as well as those of Correctional Services Canada, the RCMP and the National Parole Board were unaffected by Heartbleed.One message refers to lots of meetings at which the computer bug was presumably discussed.

Public Safety Canada wouldn't comment on the emails or specifically on when they first received word ofHeartbleed.

A spokeswoman with the department said the CanadianCyberIncident Response Centre has beenco-ordinatingthe national response and "sharingcyberthreat and mitigation information related toHeartbleed."

SINs of 900 Canadians stolen

The Canada Revenue Agency site remained closed until Sunday, April 13. On Monday, April 14,the agency announced the social insurancenumbers of 900 Canadians had been stolen. Over the course of the day, however, it emerged the agency was aware of the breach on the Friday before its announcement, raising questions about why it delayed going public.

The RCMP eventually came forward with an explanation, saying police had asked the revenue agency to keep quiet about the breach while officers tracked down a possible hacker. Emails between Public Safety and the Mounties dated Tuesday, April 15,show how the RCMP informed the department of its plan to release a statement to clarify the situation surrounding the CRA vs the Heartbleed bug.

The following day, the Mounties announced they had charged Stephen Arturo Solis-Reyes, a 19-year-old university student from London, Ont., with breaching the revenue agencywebsite.He is set to appear in court next month.

Last month, Canadas then interim privacy commissionerChantal Berniertold a House of Commons committee the revenue agency was the only government agency to contact her office about a breach brought on by Heartbleed.

The bug, she said, had exposed the vulnerability of the internet. But she added she had no intention of investigating any further, declaring the Heartbleed case closed, at least for now.