Attention hackers and bored teenagers: the Halifax Regional Police computer systems are woefully insecure and the department has done little to fix the problem over the past 18 months.
Auditor general Evangeline Colman-Sadd outlined her office's concerns about HRP's cybersecurity in a letter sent July 6 to the Board of Police Commissioners.
In the now-public document, Colman-Sadd writes that an external consultant report from 2016 “identified serious security deficiencies” in HRP’s IT security.
Worse, though, is that very few of those problems have been fixed in the last year-and-a-half.
“From discussions with HRP management, we understand a number of the issues identified by the consultant have yet to be addressed in the 18 months since HRP received the report,” writes the AG.
The consultant report by KPMG investigated the likelihood of something going wrong within HRP's information technology systems and what the impact would be if those events occurred.
KPMG highlighted 67 security concerns—35 of which were labelled high-impact and high in likelihood.
The police have blamed the delay in fixing those problems on a lengthy recruitment process to hire a new chief information security officer.
But the auditor general says a delay of 18 months in “addressing a large number of significant IT security matters is concerning.
“Issues which have a high likelihood of occurring and a high impact if they do, need immediate attention.”
The police department previously refused to release a copy of KPMG's “Cyber Threat Assessment” to The Coast even after a Freedom of Information request.
Police inspector and HRP FOIPOP coordinator Donald Mosher claimed back in February that releasing even a redacted version of the report, or any emails about its contents, “could reasonably be expected to harm the security” of the police department’s systems.
The Coast appealed that decision, but there’s been no update on whether the documents will be released.
The provincial Freedom of Information web portal, meanwhile, is still down, 100-plus days after its own security flaws were exposed.
In a public response letter sent Wednesday, the board of commissioners and HRP management reassure the municipality that the police have the “necessary controls and practices in place today to protect citizens.”
We're all going to have to take their word on that, though.
“Discussing the specific findings [of the consultant report] has the potential to introduce further risk,” says the letter.
The office of the auditor general had planned to perform its own audit of HRP’s information technology systems later this fiscal year.
But because that investigation would likely just repeat what KPMG found, Colman-Sadd says her office will instead wait until spring of 2019 in the hopes that the police will finally be able to fix the flaws in their system.
Meanwhile, the department says it's acting “thoroughly and proactively” to make the necessary changes, starting with the recent hire of Atlantic Security Conference co-founder Andrew Kozma as HRP's new CISO.
Kozma is in charge of developing a strategic view of security and operations for