Robert Beggs, CEO of Digital Defence, a Burlington, Ont.-based company that provides information security services to corporate clients, believes the attack in question is almost certainly an automated one and unlikely to be specifically targeting CSIS. He said it appears to be an “SQL injection,” where a hacking program scours websites for forms meant for visitors to fill out. Instead of filling in requested information such as a name and address, the program enters coded commands written in SQL, the query language the site’s database understands. This allows hackers to interact with the database and replace content on affected web pages.
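The form-field injection Mr. Beggs describes, as an added example that is not part of the article: a hypothetical site-search handler that splices the visitor's input into the SQL text, beside the same query with a bound parameter, both run against a constructed in-memory SQLite table. The table, the article titles and the crafted search term are all constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed sample data: a small articles table behind a hypothetical
    # public site search. The draft row must never be shown to visitors.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)",
        [("Public notice", 1), ("Draft, not yet public", 0), ("Annual report", 1)],
    )
    return conn


def search_vulnerable(conn, term):
    # The form value is pasted straight into the statement, so characters in
    # the value can close the quoted string and alter the query's structure.
    sql = f"SELECT title FROM articles WHERE published = 1 AND title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # The statement and the value travel separately; the driver treats the
    # whole value as a string to compare against, never as SQL to parse.
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed input: ends the quoted pattern, adds an always-true clause,
    # and comments out the rest of the original statement.
    crafted = "%' OR 1=1 --"
    print(search_vulnerable(conn, "report"))       # normal use works
    print(search_vulnerable(conn, crafted))        # the unpublished draft leaks
    print(search_parameterized(conn, crafted))     # same input, no match
```

The scanners Mr. Beggs mentions find the first pattern by submitting exactly this kind of value to every form they discover; the second pattern is the fix they expect to see.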

Mr. Beggs estimates some 70% of websites are poorly secured and vulnerable to such attacks, but he says it’s unusual for large companies and organizations with a dedicated IT staff not to be protected. “CSIS should not be vulnerable to SQL injection. It’s an embarrassment that the people responsible for the government’s secrets aren’t doing the most minor, easy-to-fix stuff for their own websites,” he said.

Mr. Beggs said the attack is also “indicative of a lack of a consistent security program.” He finds this troubling given that a number of easily available software security programs, both free and commercial, scan for and protect against this type of vulnerability.

While Mr. Beggs doubts that this particular attack has been used to steal information, he said CSIS needs to analyze what happened and why part of its processes seems to have failed.

“This is a symptom of the shoemaker’s children who don’t have proper shoes,” he said.

National Post