Risk alert raised over Manitoba’s aging IT infrastructure By: Danielle Da Silva Posted: 7:00 PM CDT Thursday, Mar. 31, 2022

Hey there, time traveller!
This article was published 30/03/2022 (904 days ago), so information in it may no longer be current.

Much of the digital infrastructure propping up the day-to-day operations of the Manitoba government is on its final leg, as the province stares down a massive bill to upgrade its information systems.

A recent report by auditor general Tyson Shtykalo found the province failed to adequately manage its network, leaving itself vulnerable as it relied on operating systems, databases and programming languages nearing obsolescence, while simultaneously using inadequate processes to measure and respond to risks.

Charles Finlay, executive director of Rogers Cybersecure Catalyst at Ryerson University, said the document raises serious concerns as institutions across Canada grapple with an increasingly volatile digital security environment.

“This auditor general’s report lands at a really important moment in making decisions about securing public technology infrastructure,” said Finlay, who founded the Toronto-based hub for cyber security innovation and policy research.

The suite of deficiencies identified in the AG report are not uncommon among large organizations that might struggle to keep up with necessary system upgrades, especially when a comprehensive system is not in place to streamline appropriate responses, Finlay said.

Other times, necessary spending to maintain information systems is overlooked in the budgeting process, as governments decide which programs they can and cannot fund in a fiscal year.

However, successfully delivering major government programs is becoming increasingly dependent on secure, well-funded digital infrastructure, he argued.

“The consequences of not spending it, of not remedying these concerns, are serious,” Finlay said. “They’re serious for the government of Manitoba, they’re serious for the people of Manitoba who rely on those systems, and who probably provide important data into those systems that need to be protected.”

Fixing the province’s decaying information systems is expected to carry a hefty price tag.

The province has set aside $152 million to begin modernizing its enterprise resource planning software. Work has started to upgrade the software used to manage core business processes and is expected to take years to complete.

Another $8 million has already been spent to roll out Windows 10 operating systems to all provincial workstations and upgrade other software. This year, $7.4 million will be spent on a risk-reduction program and to implement a governance, risk and compliance system that’s currently out for tender, a provincial spokesman said.

Government Services Minister Reg Helwer said of the eight recommendations made by the auditor general, some will be addressed when the enterprise resource software is upgraded.

However, his department and the Business Transformation and Technology branch is also looking to implement outstanding recommendations in a manner acceptable to the auditor general, Helwer said.

Asked why the province tolerated the risk inherent in its dated information system for as long as it did, Helwer placed blame with the former NDP government. The Progressive Conservatives have led government since the 2016 election.

“When we entered into government, the systems were so antiquated that it took us quite a bit of time to find a path to upgrade them,” Helwer said. “We were extending contracts with Microsoft to keep redundant systems operating, so that they were secure.

“We had systems that were absolutely obsolete, that were not being supported anywhere, were at risk, so with that we did a lot of upgrades.”

NDP finance critic Mark Wasyliw said the PCs have had years to act.

“Good digital security matters — it keeps families’ information safe. But the auditor general’s report… shows the PC government is not doing enough to protect Manitobans,” Wasyliw said Thursday in a statement. “Manitobans deserve a government that has the best, up-to-date technology to keep their personal information safe.”

Helwer said he could not disclose if the province had been the victim of any cyber attacks or infrastructure failures related to its aging systems. In December, the Manitoba government temporarily took down some of its websites in response to concerns over ransomware risks.

Winnipeg-based cyber security expert Eddie Phillips likened the province’s current information systems to taking a beaten-down car on the Trans-Canada Highway: things will eventually go wrong.

“It’s a bigger deal than you think it might be,” said Phillips, who owns Shield Networks Inc., a company specializing in information system management for private business and industry.

Phillips said an internal risk assessment from March 2021 showed 82 per cent of the systems used by government departments to deliver services related to justice, transportation, infrastructure and more were at high risk of outages, decreased reliability, and security vulnerabilities.

“This kind of aging equipment could certainly leave the window open to somebody to hack in and steal data or leak data.”

Phillips expressed disappointment at the audit’s findings but commended the province for taking steps to improve its digital infrastructure. He echoed comments that many organizations have been challenged to keep systems up to date, patched, and constantly check for potential risks.

“The fact that they’re taking the steps and doing the audit is probably more than I can say for most private business.”

danielle.dasilva@freepress.mb.ca

AG’s report on aging information systems

Danielle Da Silva
Reporter

Danielle Da Silva is a general assignment reporter.

   Read full biography