The Globe and Mail

Heartbleed exposes cheapskate cybersecurity budgets

It's called the Heartbleed bug and it's as awful as it sounds – at least when it comes to the enormous risks posed to supposedly safe and encrypted data.

The problem is so serious that it prompted the Canada Revenue Agency to temporarily shut down online services for taxpayers at the height of tax-filing season to ensure "the private information of Canadians remains safe and secure."

Coming after a string of cyberassaults on major U.S. retailers, this latest global security threat is bound to make consumers ever more skeptical about the safety of the sensitive information they have been routinely entrusting to governments, banks, insurers, retailers, hospitals and all manner of other service providers. And they should be.

The plain truth is that many organizations spend far more on touting their wares and services online and making their web sites as user friendly as possible than they do on safeguarding information. The Heartbleed bug underscores the dangers that lurk in the underbrush, ready to ambush even the most sophisticated of Internet players. And it ought to prompt much more serious investment in strong security measures and the capacity to quickly detect flaws and squelch breaches.

Unlike the malware attack that resulted in the stunning theft from Target Corp. of about 40 million payment card numbers and some 70 million customer records, the Heartbleed bug was not concocted by some clever teenage hacker for criminal clients. It's a critical software programming glitch in a data encryption standard called OpenSSL, one that has existed for the past two years. OpenSSL is widely used to safeguard traffic between web users and a vast number of servers storing data for a majority of web sites.

These include sites operated by the likes of Google, Facebook, Amazon and Yahoo. The first three fixed the glitch before it became public this week, and Yahoo is partway there.

The flaw leaves OpenSSL open, alright… to hackers. They can intercept reams of data, really everything stored in a computer's memory. This includes all manner of sensitive personal and corporate information, ranging from passwords and credit card numbers to emails and confidential documents.

Codenomicon, the Finnish cybersecurity company that (along with a Google Security specialist) uncovered the gaping security hole, attacked its own defences as a test. Without leaving a trace, its experts managed to steal secret encryption keys, user names, passwords, emails, instant messages and critical business documents and communication. The keys are the big prize in the cereal box, because they make the encrypted data readable.

Although Internet companies are rushing to close the security breach, the extent of the potential damage is so vast that Heartbleed has triggered earthquake tremors across the digital universe. It has also prompted a wave of "I-told-you-sos" from security-conscious Cassandras, who have long warned about such threats – not least RCMP commissioner Bob Paulson, who wrote to Public Safety Minister Steven Blaney that "this growing threat significantly impacts the economic prosperity of our country, as well as individual Canadians."

Governments, organizations and businesses may not have grasped the need to devote more resources to protecting information. According to research firm IDC Retail Insights, retailers are expected to spend $720.3-million (U.S.) on cybersecurity in 2014 – a figure dwarfed by their total tech spending for 2014, estimated at $36.34-billion. They may be hoping that the rising frequency and size of such attacks will be mitigated by the possibility that everyone is affected at once. Too bad the costs of cybercrime are not being equally distributed. While the CRA closed its site, its equivalent U.S. agency, the Internal Revenue Service, did not. And Target faces heavy lawsuits over its security breaches, which, given a furiously competitive U.S. retail landscape, must have J.C. Penney and Sears breathing copious sighs of relief.

Sooner or later, a mega-hack is going to sink a business, or seriously undermine a government. Despite the high costs, organizations increasingly can't afford to take the risk of being the victim.

About the Author
Senior Economics Writer and Global Markets Columnist

Brian Milner is a senior economics writer and global markets columnist. In a long career at The Globe and Mail, he has covered diverse business beats, including international trade, the automotive industry, media, debt markets, banking and the business side of sports.
