A cybersecurity briefing for Premier John Horgan earlier this year said attempts to hack into B.C. government computers and systems had skyrocketed.
“The B.C. government faced a near tenfold increase in unauthorized access attempts in 2020 over 2015, with 372 million/day or 4,000/second today,” said the March 4 Cybersecurity Update presentation, obtained via freedom of information.
The presentation from the Ministry of Citizens’ Services said cyber breaches erode trust and are costly to remediate and cited a 2021 IBM report that estimated the total cost per breach had risen 20% to $6.7 million. The incidents result in losses of data, productivity, service, intellectual property and public funds. They also harm organizational interconnectedness, lead to lawsuits and threaten public safety.
The presentation also quoted the Canalys Cybersecurity Report that estimated there were more breaches and records lost across industry and government in 2020 than the previous 15 years combined, despite a 10% growth in cybersecurity spending.
The Ministry claimed B.C.’s “cybersecurity posture” was stronger than ever and the government is a leader in privacy, security and digital identity. It said it was challenged to keep systems secure while the pandemic forced it to transform to hybrid work and cloud computing.
The report said government spends $25 million on information technology security annually. In 2021, it updated mandatory security training for public servants and implemented advanced security systems to prevent email-based attacks.
British Columbia, however, has not gone unscathed.
Ministry of Health contractor LifeLabs in 2019 and TransLink in 2020 were both targeted by ransomware gangs. In May 2021, StudentAidBC and LearnLiveBC websites were hacked by a group called RT3N/Guardiran Security Team.
On Thursday, U.S. officials announced an Ontario man with Russian and Canadian citizenship had been charged in New Jersey with conspiring to intentionally damage protected computers and to transmit ransom demands.
Mikhail Vasiliev, 33, was allegedly involved in the LockBit ransomware campaign and could face five years in jail and a $250,000 fine if convicted.
The Department of Justice said LockBit emerged in early 2020 and the FBI began to investigate in March of that year. LockBit members made at least $100 million in ransom demands.
Vasiliev’s alleged victims were not identified, but one of LockBit’s recent targets was in B.C. The Sunshine Coast Regional District lost email and website service for 16 hours on Sept. 8-9.
Nov. 10 is, coincidentally, the second anniversary of a cyber incident at the Legislative Assembly.
The Legislature’s website was taken down Nov. 10, 2020 and replaced with an image that claimed it was subject to “unscheduled maintenance.” The Clerk’s office finally admitted nine days later that it had been hacked, but downplayed the severity and said no data had been lost.
The all-party Legislative Assembly Management Committee (LAMC) and Clerk’s office did not release the report into what went wrong. Then-BC Liberal house leader Peter Milobar expressed frustration at a July 2021 meeting over increasing IT costs and continuing network outages at constituency offices stemming from the incident.
“Our own ability to service our constituents has been eight months of complete frustration that seems to not be getting any better — if anything, getting worse,” Milobar said.
The $5.8 million allotted for IT in that year’s budget was the biggest line item in Legislative Operations.
At LAMC's August meeting, Clerk Kate Ryan-Lloyd told the all-party committee that work was one-third complete to replace the constituency office network.
In late September, numerous B.C. government websites, including Horgan’s website, the DriveBC highways monitoring and incident reports site and government employee directory, went down for nearly 12 hours. The Ministry of Citizens’ Services blamed a scheduled firmware update involving Advanced Solutions and Hewlett Packard Enterprise that went awry.
The NDP government budgeted $173.4 million for enterprise services this year, up from $146.1 million last year. The budget includes information technology infrastructure and network and data services.