MONTREAL — Cybersecurity experts warned Monday that getting government departments back online could take weeks or months, after Quebec shut down almost 4,000 of its websites as a preventive measure over the weekend because of a massive software vulnerability.
A recently discovered vulnerability in the open-source web server software called Apache exposed systems across the globe to cyberattack risks, and the problem forced the Quebec government on Sunday to take its websites offline.
While some sites were back online in a few hours — such as those belonging to power utility Hydro-Québec and to the Health Department — some university services and various departments remained unavailable on Monday.
Patrick Mathieu, co-founder of Hackfest, a large annual hacking event in Quebec City, said it might take a while until all services are secured and restored.
"This is one of the biggest vulnerabilities from the last 10 or 15 years," Mathieu said.
The software flaw in the Apache product known as Log4J allows unauthorized users to easily gain access to a system through the internet, he explained. "It's so easy to exploit, someone with basic knowledge in IT can do it in a few minutes."
"This Log4J is one of the tools that is used in most systems around the world. The impact is just crazy."
Mathieu praised Quebec's decision to take the websites down, saying malicious activities were circulating online over the last few days, even before news of the flaw was made public. He said, however, the government lacks the staff and knowledge to quickly handle this type of incident.
Minister of Digital Transformation Éric Caire said on Sunday it would take a few days before everything is back online. He said Quebec is working to identify which websites are at risk, one by one.
The government doesn't keep an inventory of which websites use the Apache software — which Mathieu called a technical challenge. Part of the problem, he added, is that government websites may use other software programs that include the vulnerability.
"They need to have a full inventory of all their systems — everything that is installed on it," he said. "Are we even vulnerable to this? Instead of waiting a week or a month to figure it out, it's easier to shut down and not be vulnerable."
Mathieu said the government may be able to fix its most visible sites by the end of the week, but he said he believes it could take up to six months before the government manages the vulnerability completely.
The government on Monday said that websites would remain closed as long as they haven't been verified or as long as the threat is still present. "For security reasons, the list of sites cannot be disclosed," a spokeswoman for Treasury Board secretariat Marie-Ève Fillion said in an email about the number and names of websites still unavailable.
While repercussions of the shutdown might go unnoticed for some, thousands of students were unable to access online class notes and documents, only days ahead of exams, after Université du Québec à Chicoutimi decided to temporary pull down its websites.
For student Caroline Gagnon, this meant additional anxiety during an already stressful end of semester. She said she noticed the website was down when she tried to log on to the student portal on Sunday.
"I'm stressing over this," she said. "I work full time, so my time is very precious."
The school's administration said in a statement on Monday that exams were put off until further notice. It also said staff were working to assess security issues.
Luc Lefebvre, co-founder and president of Crypto.Québec, a nonprofit that promotes awareness of cybersecurity issues, said there is a possibility the vulnerability has already been exploited in Quebec. Lefebvre, like Mathieu, said it could take months for the Quebec government to restore the thousands of sites it took down.
"We know the vulnerability has been used for the past two weeks, but we don't have any proof of it at the moment in Quebec," Lefebvre said. "We can't eliminate the idea that systems might have been compromised."
Cyberattacks, he said, happen "every day, all the time." He said the government needs to raise awareness about cybersecurity, not only among its staff but also among citizens.
"People don't know what to do when they are facing cyberattacks … fraud; they don't know how to identify if a website is legitimate or not. The internet has existed for the past 30 years. We need education."
This report by The Canadian Press was first published on Dec. 13, 2021.
———
This story was produced with the financial assistance of the Facebook and Canadian Press News Fellowship.
Virginie Ann & Jacob Serebrin, The Canadian Press