Adviser cautioned that the patch would ‘enable unimportant work to displace our important priorities’
Shared Services Canada pushed an agency that is setting up secure communications for the government to install a security patch for political reasons — despite being told doing so was a waste of resources and potentially risky.
The agency, the Government of Canada Secret Infrastructure (GCSI) Expansion, initially balked at the demand to immediately set up the patch after a vulnerability was detected in the email software Microsoft Exchange. Officials at GCSI recommended it could wait for a number of reasons, including the fact its devices aren’t actually connected to the internet.
“It’s all about optics and how we are serious about this threat,” René Pariseau, then a senior adviser with Shared Services, responded in a March email.
Bill Main, a senior technical adviser at GCSI server operations, argued that it “should be possible to explain if we are vulnerable or not and to identify a measured response so that we don’t enable unimportant work to displace our important priorities.”
“If we are forced to do things that make no sense, and especially things like this that come up often, then we need more staff. We don’t have the headroom to waste effort!” he said in email exchanges obtained through Access to Information.
Microsoft’s Exchange email software is used across the federal government. In March, Microsoft revealed a “state-sponsored threat actor” operating from China called “Hafnium” had been exploiting a previously unknown vulnerability in its Exchange Server software. It released a security update, and Shared Services Canada told the National Post at the time it had installed the patches “immediately” on the infrastructure it’s responsible for.
That included GCSI, a six-year project to expand the government’s secure communications infrastructure — despite objections from GCSI itself.
In a March 3 email, Main noted that the patch was only needed for externally facing Exchange servers, and recommended GCSI wait for the next patching cycle.
“Politically no we cannot wait,” James Clark, acting director general for Infrastructure Security Operations at Shared Services Canada, said in a partially redacted email thread.
Pariseau asked Alain Quesnel, acting director of GCSI operations, whether any devices in GCSI “including workstations have access to the internet.”
“No we are fully (redacted),” Quesnel responded.
Quesnel told Pariseau and Clark that GCSI’s process for patching is “quite long,” and is only done a certain number of times a year.
“Al, I know you tried, but we need to inform senior administration, help them to understand that the (redacted) is not just (redacted) between us and the Internet. There is no connectivity at all,” Main said.
“At least I have to assume they don’t understand or they wouldn’t keep suggesting work like this.”
Main warned that “due to the fact that we have heavily layered security controls in the GCSI environment, every patch represents a significant risk, and that we prefer to not install unnecessary patches.”
Asked about the security update at GCSI, a spokesperson for Shared Services Canada said that “in this instance, patches were applied as an added precaution.”