Nearly 4,000 Quebec government websites were shut down over the weekend as a preventive measure following threats of a cyberattack, the province’s minister of digital transformation said on Sunday.
Éric Caire made the announcement at an afternoon press conference in Quebec City, during which he said that all official government websites would be taken offline until further notice.
“We are looking for a needle in a haystack,” Caire said. “Without knowing which websites are using the software, we decided to shut them all down.”
The shutdown comes on the heels of a recently discovered software vulnerability in a Java-based library of an Apache product, known as Log4j, which the Department of National Defense said could affect thousands of organizations around the world.
The Common Vulnerability Scoring System, which is also widely used around the world, has rated the current threat at 10 out of 10.
Caire said Quebec learned of the problem on Friday and has been working to identify which websites are at risk, one by one, before bringing them back online.
“Once a system has been scanned, if it turns out that you are not using the problem library, the system is automatically back online,” Caire said. “If you use it, it works. Once we make sure the system is operational, it is back online.”
Caire said the government does not keep an inventory of websites that use Apache software.
“It’s like saying how many government offices use 60-watt bulbs, we have to go and look at each one,” Caire said, without specifying how long the verification process will take.
The province’s Clic Santé portal, used to book appointments for the COVID-19 vaccine in Quebec, was already online as of Sunday afternoon, while the Revenue Québec site, among others, was still down.
Caire said the provincial vaccine passport system was never at risk, and said it does not require Apache software.
Marc-Etienne Léveillé, a cybersecurity expert at international internet security firm ESET, said global internet traffic has skyrocketed since Friday, adding that he has noticed many users trying to find vulnerable services to hack.
He said that while the vulnerability of the software should not affect the general public, websites that store personal data, such as the Canada Revenue Agency, are at higher risk of being compromised.
The vulnerability allows code to run over the Internet, Léveillé said.
“The flaw allows you to bypass security, in other words,” he said.
However, the province has no current indications that the systems have been compromised or that personal data has been accessed, Caire said at the press conference.
The Canada Revenue Agency, which took similar precautions by disconnecting its web-based services after learning of the potential vulnerability on Friday, issued a statement saying that nothing so far suggests that its systems have been compromised.
Léveillé welcomed the government’s precautionary measures, saying they could have prevented major data breaches.
“One of the big problems was that everyone realized the failure at the same time,” Léveillé said. “The developers and their users didn’t have time to fix the problem before people started exploiting the vulnerability.” And since there are so many systems using the software around the world, it will take many months to find which ones are vulnerable to that flaw.
Federal Defense Minister Anita Anand issued a statement Sunday in which she said the government is aware of the security risk and called on Canadian organizations to “pay attention to this critical Internet vulnerability.”
“As a precaution, some departments have disconnected their services while potential vulnerabilities are assessed and mitigated,” Anand said. “At this point, we have no indication that these vulnerabilities have been exploited on government servers.”
This Canadian Press report was first published on December 12, 2021.