Skip to content

Auditor general dodges questions about 2020 hack of B.C. legislative assembly website

Government lacks controls to enforce ban on use of personal devices for telework.
The B.C. legislature’s website was taken down in a cyberattack on Nov. 10, 2020

B.C.’s auditor general says the government’s information technology department has adequate policies regulating employees working from home, except when it comes to the use of personal devices.

But during a March 29 media teleconference, he declined to comment on the state of cybersecurity and telework at the legislative assembly.

In his new report, Michael Pickup said even though the Office of the Chief Information Officer (OCIO) prohibits use of personal devices for telework, the OCIO has not established technical controls to ban their use.

“With no controls to enforce this policy, there is a risk of government data being stored in an unencrypted format on teleworkers’ personal devices,” the report said.

Pickup became auditor general in July 2020, four months after the government shifted to telework due to the coronavirus pandemic.

In November 2020, after the BC NDP won a snap election, the legislative assembly suffered a cyberattack that remains shrouded in secrecy. The information technology department at the seat of government received emergency help from the OCIO, a division of the Ministry of Citizens’ Services.

“What we set out to do was look at whether the OCIO overall has established these processes and practices, and, of course, with the exception of the one area with a recommendation, found that they did these things,” Pickup said during a media teleconference. “So, otherwise, I would have nothing to comment in relation to that specific question.”

The B.C. legislature’s website was taken down Nov. 10, 2020, and replaced with an image that claimed it was subject to “unscheduled maintenance.” The clerk’s office finally admitted on Nov. 19, 2020, that it had been hacked, but downplayed the severity and said no data had been lost. The all-party Legislative Assembly Management Committee (LAMC) and clerk’s office have not released the report into what went wrong. Neither has the BC NDP government fulfilled house leader Mike Farnworth’s February 2019 promise to add the legislature to the freedom of information law. Farnworth made that promise after the information and privacy commissioner, merit commissioner and ombudsperson publicly demanded new transparency and accountability measures in the wake of the damning report by then-Speaker Darryl Plecas about spending misconduct by former legislature clerk Craig James and former sergeant-at-arms Gary Lenz.

The public portions of most LAMC meetings have skirted the issue. Then-BC Liberal house leader Peter Milobar expressed frustration at the July 8, 2021, meeting over increasing IT costs and continuing network outages at constituency offices stemming from the incident.

“Our own ability to service our constituents has been eight months of complete frustration that seems to not be getting any better — if anything, getting worse,” Milobar said.

At the Dec. 16, 2021, meeting, Clerk Kate Ryan-Lloyd admitted that there had been an “underinvestment” in the IT infrastructure for years and that constituency office network replacement projects, to manage power or network outages, continued. She also said work was underway for a disaster recovery plan for financial systems.

“The network challenges experienced over the past year are well-known to members, as well as some of the other challenges that we have with Wi-Fi connectivity, for example, on the precinct grounds,” Ryan-Lloyd said.

The BC NDP government allotted $92 million for the legislative assembly’s 2022-23 operating budget. The $5.8 million for IT is the biggest line item in legislative operations. According to the December budget update, it forecast spending $7.9 million on IT, a whopping $2.3 million more than budgeted for 2021-22.

Andrew Spence, the assembly’s chief information officer, said, “With all the challenges over the past year, we recognize the need to strengthen business continuity considerations and ensure business interruptions are minimized.”