Risk alert raised over Manitoba’s aging IT infrastructure

Much of the digital infrastructure propping up the day-to-day operations of the Manitoba government is on its final leg, as the province stares down a massive bill to upgrade its information systems.

Read this article for free:

or

Already have an account? Log in here »

To continue reading, please subscribe with this special offer:

All-Access Digital Subscription

$1.50 for 150 days*

  • Enjoy unlimited reading on winnipegfreepress.com
  • Read the E-Edition, our digital replica newspaper
  • Access News Break, our award-winning app
  • Play interactive puzzles
Continue

*Pay $1.50 for the first 22 weeks of your subscription. After 22 weeks, price increases to the regular rate of $19.00 per month. GST will be added to each payment. Subscription can be cancelled after the first 22 weeks.

Hey there, time traveller!
This article was published 31/03/2022 (185 days ago), so information in it may no longer be current.

Much of the digital infrastructure propping up the day-to-day operations of the Manitoba government is on its final leg, as the province stares down a massive bill to upgrade its information systems.

A recent report by auditor general Tyson Shtykalo found the province failed to adequately manage its network, leaving itself vulnerable as it relied on operating systems, databases and programming languages nearing obsolescence, while simultaneously using inadequate processes to measure and respond to risks.

Charles Finlay, executive director of Rogers Cybersecure Catalyst at Ryerson University, said the document raises serious concerns as institutions across Canada grapple with an increasingly volatile digital security environment.

Eddie Phillips, chief executive officer of Shield Networks Inc., said continuing to rely on the province’s aging information systems is akin taking a beaten down car on the Trans-Canada Highway: anything that can go wrong will go wrong. (Supplied)

“This auditor general’s report lands at a really important moment in making decisions about securing public technology infrastructure,” said Finlay, who founded the Toronto-based hub for cyber security innovation and policy research.

The suite of deficiencies identified in the AG report are not uncommon among large organizations that might struggle to keep up with necessary system upgrades, especially when a comprehensive system is not in place to streamline appropriate responses, Finlay said.

Other times, necessary spending to maintain information systems is overlooked in the budgeting process, as governments decide which programs they can and cannot fund in a fiscal year.

However, successfully delivering major government programs is becoming increasingly dependent on secure, well-funded digital infrastructure, he argued.

“The consequences of not spending it, of not remedying these concerns, are serious,” Finlay said. “They’re serious for the government of Manitoba, they’re serious for the people of Manitoba who rely on those systems, and who probably provide important data into those systems that need to be protected.”

Fixing the province’s decaying information systems is expected to carry a hefty price tag.

The province has set aside $152 million to begin modernizing its enterprise resource planning software. Work has started to upgrade the software used to manage core business processes and is expected to take years to complete.

Central Services Minister Reg Helwer said the province is evaluating what to do next with the site. (Mike Deal / Winnipeg Free Press files)

Another $8 million has already been spent to roll out Windows 10 operating systems to all provincial workstations and upgrade other software. This year, $7.4 million will be spent on a risk-reduction program and to implement a governance, risk and compliance system that’s currently out for tender, a provincial spokesman said.

Government Services Minister Reg Helwer said of the eight recommendations made by the auditor general, some will be addressed when the enterprise resource software is upgraded.

However, his department and the Business Transformation and Technology branch is also looking to implement outstanding recommendations in a manner acceptable to the auditor general, Helwer said.

Asked why the province tolerated the risk inherent in its dated information system for as long as it did, Helwer placed blame with the former NDP government. The Progressive Conservatives have led government since the 2016 election.

“When we entered into government, the systems were so antiquated that it took us quite a bit of time to find a path to upgrade them,” Helwer said. “We were extending contracts with Microsoft to keep redundant systems operating, so that they were secure.

“We had systems that were absolutely obsolete, that were not being supported anywhere, were at risk, so with that we did a lot of upgrades.”

The current risk rating process showed that 339 out of 411 business applications are high risk as of March 21. (Auditor General’s report)

NDP finance critic Mark Wasyliw said the PCs have had years to act.

“Good digital security matters — it keeps families’ information safe. But the auditor general’s report… shows the PC government is not doing enough to protect Manitobans,” Wasyliw said Thursday in a statement. “Manitobans deserve a government that has the best, up-to-date technology to keep their personal information safe.”

Helwer said he could not disclose if the province had been the victim of any cyber attacks or infrastructure failures related to its aging systems. In December, the Manitoba government temporarily took down some of its websites in response to concerns over ransomware risks.

Winnipeg-based cyber security expert Eddie Phillips likened the province’s current information systems to taking a beaten-down car on the Trans-Canada Highway: things will eventually go wrong.

“It’s a bigger deal than you think it might be,” said Phillips, who owns Shield Networks Inc., a company specializing in information system management for private business and industry.

Phillips said an internal risk assessment from March 2021 showed 82 per cent of the systems used by government departments to deliver services related to justice, transportation, infrastructure and more were at high risk of outages, decreased reliability, and security vulnerabilities.

“This kind of aging equipment could certainly leave the window open to somebody to hack in and steal data or leak data.”

A significant number of business applications and their supporting technologies are old and should be replaced, the report says. More than half of databases and nearly half of application programming languages are rated as high risk. (Auditor General’s report)

Phillips expressed disappointment at the audit’s findings but commended the province for taking steps to improve its digital infrastructure. He echoed comments that many organizations have been challenged to keep systems up to date, patched, and constantly check for potential risks.

“The fact that they’re taking the steps and doing the audit is probably more than I can say for most private business.”

danielle.dasilva@freepress.mb.ca

AG’s report on aging information systems

Danielle Da Silva

Danielle Da Silva
Reporter

Danielle Da Silva is a general assignment reporter.

Report Error Submit a Tip