Government of Canada Security Policy Potentially Unfit for Cloud Services
ITSG-33, Canada's Primary IT Security Standards potentially insufficient to protect Canada
On March 20, 2024, the United States Cyber Safety Review Board released its long-awaited review of the Summer 2023 Microsoft Exchange Online intrusion. The report is a scathing indictment of Microsoft and its leadership for a lax approach to cyber security that created the conditions for the major breach of Microsoft Exchange. The report has many implications, including for Canada. Still, one of its recommendations effectively classifies the entire Government of Canada’s default technical cyber security standards as insufficient for the security of cloud services. The problem lies with Canada’s IT security risk management: A lifecycle approach (ITSG-33).
The Subject: ITSG-33
The IT security risk management: A lifecycle approach (ITSG-33) is the Government of Canada’s baseline guidance for IT security risk management for departments. ITSG-33 covers three areas:
Technical: Concerns the use of technology for security
Operational: Addresses the use of human processes and procedures
Management: Focuses on the management of IT security and risks
These “classes of control” together provide a standardized, holistic approach to IT security across the Government of Canada. ITSG-33 is considered the equivalent of the United States NIST 800-30, Guide for Conducting Risk Assessments. Importantly, NIST 800-30 and ITSG-33 are not the same, but they overlap significantly, and the differences are isolated to areas that have largely been considered not to affect the security controls, which makes the two comparable. Although there are criticisms of ITSG-33, my concern today arises from what the United States Cyber Safety Review Board says about NIST 800-53. In its report on the Microsoft Exchange incident, it states that:
The Cyber Safety Review Board found that NIST 800-53 controls are insufficient to address the risks of cloud-based identity systems. This raises the question: if NIST 800-53 is insufficient, does that make ITSG-33 insufficient? Further, if ITSG-33 is insufficient, why is the Government of Canada maintaining ITSG-33 as its baseline cyber security controls when the government
The Problem: Cloud First to Cloud Smart
In 2018, the Government of Canada adopted a cloud-first policy requirement, which dictated that departments had to consider cloud as the “preferred delivery model for IT.” In 2023, this changed from Cloud First to Cloud Smart, in recognition that adopting cloud services does not work in all cases. The new cloud-smart approach attempts to dispel the belief that the policy is cloud at all costs; instead, it is about identifying the best modernization approach, with cloud as the preferred choice. As such, the Government of Canada views cloud networking as the future and is widely adopting it across the government. In light of the United States Cyber Safety Review Board’s recommendation that NIST 800-53 needs to be updated, we must ask whether ITSG-33 is sufficient for government networks.
The Government of Canada does have Guidance on the security categorization of cloud-based services (ITSP.50.103), which some security practitioners have referred to as the ITSG-33 for cloud, and the Security Control Profile for Cloud-based GC Services, which complements ITSG-33 to address cloud-specific security requirements. As I mentioned in my review of the Enterprise Cyber Security Strategy, a complex, layered web of guidance and technical documents governs cyber security in the Government of Canada. As much as the Government of Canada has developed more specialized documents to address cloud security and other cyber security needs, there is a risk that it may overlook incomplete or outdated security models that leave the Government’s networks vulnerable. Since ITSG-33 was released in 2012, it has been updated multiple times with new annexes to address new security requirements, including for Protected B and Secret networks. As such, it is not out of the question for the Canadian Centre for Cyber Security to make the changes needed to ensure ITSG-33 accounts for the risks associated with cloud-based digital identity systems. The most recent annexes or changes are from 2015, which may mean the Canadian Centre for Cyber Security needs to conduct a review against current threats and best practices.
Takeaways: Minimums Cannot be Defaults
We can all welcome and support a cloud-first, and now cloud-smart, approach to pushing the government to modernize its information technology processes and services. However, as modernization brings in new systems, those new systems, as well as legacy systems, must have equal protections to safeguard the Government of Canada and Canadians.
The Enterprise Cyber Security Strategy is a great step forward for the Canadian government in modernizing its security approaches, but it appears to take for granted that ITSG-33 is sufficient. It is important to note, however, that the strategy recognizes that ITSG-33 is just the start of addressing cyber security risks. A key part of the strategy’s plan is to:
“Define a common approach, methodology, solutions and tools for assessing GC cyber security posture that is aligned with GC policy and the IT governance context, and that applies a risk-based approach according to the Canadian Centre for Cyber Security’s (Cyber Centre’s) IT Security Risk Management: A Lifecycle Approach (ITSG-33).”
This is a positive sign, especially considering the potential risks associated with ITSG-33, but it takes for granted that ITSG-33 is good as is and can be used to inform security controls. While ITSG-33 remains a valid framework overall, if it contains the same gaps identified in NIST 800-53, then the cyber security methodologies and approaches that ITSG-33 informs may themselves be faulty, and unaddressed risks in the underlying framework would propagate as additional risk throughout the government.