BC auditor general dodges questions about website hack

The government lacks controls to enforce the ban on using personal devices for teleworking.

BC’s auditor general says the government’s information technology department has adequate policies governing employees working from home, except for the use of personal devices.

But during a March 29 media conference call, he declined to comment on the state of cybersecurity and telecommuting in the Legislative Assembly.

In his new report, Michael Pickup said that while the Chief Information Officer’s Office (OCIO) prohibits the use of personal devices for telecommuting, the OCIO has not established technical controls to prohibit their use. .

“In the absence of controls to enforce this policy, there is a risk that government data will be stored in an unencrypted format on the personal devices of remote workers,” the report said.

Pickup became auditor general in July 2020, four months after the government switched to working from home due to the coronavirus pandemic.

In November 2020, after the BC NDP won a snap election, the Legislative Assembly suffered a cyberattack that remains shrouded in secrecy. The information technology department at the government headquarters received emergency assistance from OCIO, a division of the Ministry of Citizen Services.

“What we set out to do is see if the OCIO has broadly established these processes and practices, and, of course, with the exception of the one area with a recommendation, found that they have done these things,” Pickup said at a press conference. teleconference. “So otherwise I wouldn’t have anything to comment on that specific issue.”

The BC Legislature website was taken down on November 10, 2020, and replaced with an image claiming it was undergoing “unscheduled maintenance.” The Registrar’s Office finally admitted on November 19, 2020 that it had been hacked, but downplayed the severity and said no data had been lost. The all-party Legislative Assembly Management Committee (LAMC) and Clerk’s Office have not released the report on what went wrong. BC’s NDP government has also failed to deliver on a promise made in February 2019 by House Leader Mike Farnworth to add the legislature to the Freedom of Information Act. Farnworth made the promise after the Information and Privacy Commissioner, Merit Commissioner and Ombudsman publicly demanded new transparency and accountability measures in the wake of the President’s damning report. at the time, Darryl Plecas, on the misconduct expenses of former Clerk of the Legislative Assembly Craig James and former Sergeant-at-Arms Gary Lenz.

The public portions of most LAMC meetings sidestepped the issue. Peter Milobar, then House Leader of the BC Liberals, expressed frustration at the July 8, 2021 meeting over rising IT costs and continued network outages in constituency offices following of the incident.

“Our own ability to serve our constituents has been eight months of utter frustration that doesn’t seem to be getting any better — if anything getting worse,” Milobar said.

At the December 16, 2021 meeting, Clerk Kate Ryan-Lloyd admitted that there had been “underinvestment” in IT infrastructure for years and that plans to replace the constituency office network, to deal with power or network outages, continued. She also said work was underway for a disaster recovery plan for financial systems.

“The network challenges we’ve had over the past year are well known to members, along with some of the other challenges we’ve had with Wi-Fi connectivity, for example, on the grounds of the compound,” said Ryan- Lloyd.

The NDP government of British Columbia has allocated $92 million to the Legislative Assembly’s 2022-2023 operating budget. The $5.8 million for informatics is the largest budget item for legislative operations. According to the December budget update, he planned to spend $7.9 million on IT, $2.3 million more than planned for 2021-22.

Andrew Spence, Assembly Chief Information Officer, said: “With all the challenges of the past year, we recognize the need to strengthen business continuity considerations and ensure that business disruptions are minimized.

Comments are closed.