Minister says 'no systems under attack' in Quebec following cybersecurity threat
Nearly 4,000 websites targeted but some coming back online
Quebec's digital transformation minister said despite a widespread threat to government websites in the province and across the world, Quebec systems and user data do not appear to have been affected.
"From what we know now, no systems were under attack," Caire said in an interview with CBC Monday.
"Our teams were quick to react, very quick to solve the problem and put in place procedures to solve the problems."
The province did the right thing in taking nearly 4,000 government websites down temporarily in the face of a serious cybersecurity threat, according to one expert.
"I'm really happy to see that the Quebec cyber-defence centre was quick to alert authorities, as well as the private and public sectors, to block access to those sites," said Mourad Debbabi, the dean of Concordia University's Gina Cody School of Engineering and Computer Science.
Some Quebec government websites taken down Sunday due to the massive software vulnerability are back online.
The websites of power utility Hydro-Québec and the Health Ministry were restored today, while the Education Ministry and some university services remain unavailable.
Patrick Mathieu, co-founder of Hackfest, a large annual hacking event in Quebec City, said it might take a while until all services are secured and restored.
"This is one of the biggest vulnerabilities from the last 10 or 15 years,'' Mathieu said.
Quebec shut down close to 4,000 government websites following the threat of an international cyberattack on a widely used logging system.
Some 3,992 provincial government websites were deemed to be at risk, according to Éric Caire, Quebec's minister for government digital transformation.
The government doesn't keep an inventory of which websites use the Apache software — which Mathieu called a technical challenge. Part of the problem, he added, is that government websites may use other software programs that include the vulnerability.
"They need to have a full inventory of all their systems — everything that is installed on it,'' he said. "Are we even vulnerable to this? Instead of waiting a week or a month to figure it out, it's easier to shut down and not be vulnerable.''
Mathieu said the government may be able to fix its most visible sites by the end of the week, but he said he believes it could take up to six months before the government manages the vulnerability completely.
Learning to live with the risk of cyber threats
Debabbi says the threat has affected millions of servers around the world, and that we can expect more like it in the future.
"Just like we are learning to live with COVID-19, we have to learn to live with the risk of these [cybersecurity] threats," Debabbi said.
The software flaw allows an unauthorized user to easily gain access to a vulnerable system over the internet.
Cybersecurity experts praised Quebec's decision to take the websites down, however, they warned that getting all government systems back online could take weeks or months.
Experts say Canadians should be careful online in light of a massive software flaw that has resulted in the precautionary shutdown of thousands of websites.
The Canadian Centre for Cyber Security issued an alert on Dec. 10 about the recently discovered software vulnerability in a Java-based library of an Apache product — known as Log4j.
Experts describe the software flaw as an "open back door" that could give cyber criminals access to thousands of organizations that use the Apache program.
The flaw may be the worst computer vulnerability discovered in years. It was uncovered in a utility that's ubiquitous in cloud servers and enterprise software used across industry and government.
Unless it is fixed with a patch Apache created for the program, it grants criminals, spies and programming novices alike easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.
The government of Quebec and the Canada Revenue Agency are among the organizations that have already suspended website operations as a precaution.
Experts say there is no way for the average Canadian to know whether a website they use has the software vulnerability or not.
That means Canadians need to more careful than ever about safety online, including watching out for suspicious emails and refraining from clicking on unknown links.
With files from The Canadian Press, Associated Press and Cathy Senay