(Quebec) Quebec ordered the preventive shutdown of all of its computer systems accessible from the Internet – no less than 3,992 sites and services – following the discovery of a major security breach affecting servers across the world.
In Ottawa, the federal government has decided to do the same by shutting down a number of services that may be vulnerable while the situation is assessed. The Canada Revenue Agency (CRA) is one of them.
“The Agency has become aware of a security vulnerability that affects organizations around the world. As a precaution, we have proactively made the decision to suspend our online services while we make necessary updates to our systems. There is now no indication that the agency’s systems have been compromised or that unauthorized access to taxpayer information has taken place as a result of this vulnerability, ”the CRA said in a statement.
Revenu Québec has also suspended its online services, although its site remains open for consultation of basic information. “There is no indication that our systems are affected by this vulnerability, but we are acting proactively to preserve its integrity. Our services will be available again as soon as possible ”, we can read on its website.
At the end of the day, Sunday, the City of Montreal followed suit and announced the preventive suspension of some of its digital services.
The “Log4Shell” flaw allows a cyber hacker to execute computer codes on organizations’ servers and take control of their system. A Java library from the Apache company, widely used around the world, is affected. In Quebec, the Government Cyber Defense Center became aware of this vulnerability on December 10 and asked all those responsible for computer security to detect this flaw in the systems of the Quebec state.
” [En fin de journée samedi], we agreed that the threat of harm was greater than the harm of shutting down all government systems accessible from the internet, ”explained the Minister for Digital Transformation, Eric Caire, during a press conference in Company of Chief Information Officer Pierre Rodrigue on Sunday.
We were faced with a threat of a critical level of 10 out of 10. A criticality of 10 automatically shutdown the targeted system.
Éric Caire, Minister for Digital Transformation
It was therefore ordered to preventively close the 3,992 government websites and internet services, an exceptional decision never seen before by the Quebec government.
“It is the entire public apparatus which is targeted by the directive”, the ministries and public bodies as well as parapublic, insisted Eric Cairo. The order affects, among other things, government services offered to citizens on the Internet – such as those using CLICSÉQUR – and the websites of the education and health network. The system for making an appointment for a vaccine against COVID-19 “has already been corrected” and is accessible, and the vaccine passport data would not be affected by the danger, according to the minister’s explanations.
Quebec specifies that no activity suggesting that a hacker has exploited this flaw has been detected to date. So there would have been no leakage of personal data or sensitive government information yet, for example.
“There may be people who have scanned systems. That doesn’t leave a trace and we don’t know. But there was no attempt to enter, so no one who tried to use this breach to break into a server and cause damage. There aren’t any as we speak, ”said Éric Caire.
All ministries and public and parapublic bodies must check whether they are using the Java library in question and therefore whether their computer systems are vulnerable. “We’re looking a little for a needle in a haystack, I won’t hide it from you!” », Dropped the minister.
“Excuse the expression, but we have to scan all of our systems, because we don’t have an inventory. It’s like saying how many rooms in all Quebec government buildings use 60-watt bulbs. I do not know. So we go around the rooms and we go around the light bulbs to find out if it’s a 60 watt. It is a monk’s job. ”
Internet sites and services will be reopened quickly if it is found that they are not affected by the security breach. Others will need to install a computer patch and then check if a problem persists. “There is a battery of tests to be done,” said Éric Caire. Several days will be needed to complete the operation and restore all of the computer systems. For the minister, there is no question of “turning corners”.
If government websites are accessible at the moment, it is either because they have not yet carried out the closure order – this would be a very small minority – or because it was quickly concluded that ‘they are not affected by the flaw or that their systems have been corrected – this is the case for sites in the health network. The Québec.ca platform, which uses the library in question, was closed and put back online quickly, since the corrections were made.
“Critical sites, more sensitive and used, will be prioritized to minimize the impacts and ensure that they are made available as quickly as possible,” said Minister Cairo. On Monday, the government is expected to release a list of sites and services that are reopened as well as those that remain closed.
Citizens needing a service offered online and coming up against a closed site will have to “use another route”, and “officials can meet the needs of citizens,” said Eric Caire.
In Ottawa, Defense Minister Anita Anand said everything is being done to protect the integrity of federal government sites and the confidential data they house.
“The Government of Canada is aware of a vulnerability reported by Apache. This vulnerability could allow malicious authors to carry out targeted and limited-scope attacks. […] The Government of Canada has systems and tools in place to monitor, detect and analyze potential threats, and take action when necessary. Out of caution, some departments have discontinued their online services in order to assess and mitigate potential vulnerabilities. At this point, there is nothing to suggest that these vulnerabilities have been exploited on government servers, ”she said in a statement.
The Canadian Center for Cyber Security has issued an alert to all federal departments and agencies asking for updates to keep their sites secure.