PUBLICATION: The Toronto Sun
DATE: 2006.03.10
EDITION: Final
SECTION: News
PAGE: 10
ILLUSTRATION: 1. photo of WENDY CUKIER System "secure" 2. photo
BYLINE: MARK BONOKOSKI
COLUMN: Page Ten
WORD COUNT: 704

--------------------------------------------------------------------------------

IN THE WAKE OF FIREARMS THEFTS, IT'S POSSIBLE THE GUN REGISTRY IS NOT AS SECURE AS TOUTED

--------------------------------------------------------------------------------

A fortnight ago, and in the wake of another calculated but seemingly out-of-the-blue robbery of a registered gun collector, even the Toronto Star finally entertained the possibility that the national gun registry might have been compromised and that sensitive information might have leaked to criminals. Trouble is, this is hardly cutting-edge news.

Legitimate gun owners -- including cops and ex-cops who are shooting club enthusiasts -- have been publicly pointing their finger at the Canadian Firearms Centre registry, particularly since its database is linked to the Canadian Police Information Centre (CPIC), the all-things-criminal computer operated by the RCMP under the stewardship of National Police Services.

There are, of course, the usual suspects who will quickly deep-six such a notion, among them Wendy Cukier, president of the Coalition for Gun Control, who maintains gun collectors either talk too much or are followed home from the gun clubs to which they belong.

As for the gun registry being compromised, Cukier said it is "silly" to believe this could possibly happen. "It's as secure as the police CPIC," she has said. If that is truly the case, then licensed gun owners and collectors have some legitimate concerns.

According to an Access to Information request -- File: 03ATIP-20402 -- which was filed in late 2003 and responded to in early 2004, the federal force admitted that there were 1,495 breaches of the CPIC system reported between 1995 and 2003, and that 306 of those breaches had been confirmed, with another 121 cases categorized as still under investigation.

According to the RCMP, all these breaches of the CPIC system were considered to be inside jobs by those with security-cleared access to the database, complete with its link to information stored in the national gun registry.

The sanctions imposed were as follows:
* Six individuals were either demoted, fined, put on probation or imprisoned. (Note: There was no further breakdown as to the severity of the sanction imposed, i.e. demotion or fine, probation or imprisonment, and that goes for the remainder of sanctions handed down.)
* Forty-four individuals were charged, convicted, disciplined or counselled.
* Thirty-five individuals were retrained in CPIC policy regarding operational guidance.
* Eighty-eight individuals were reprimanded or dismissed or had their resignations accepted.
* Forty-seven individuals were suspended or penalized by a loss of pay.
* Sixty-five individuals received what was referred to as "other warning."

The RCMP, in its response to the access to information request, was adamant, however, that only internal personnel had breached the system and that the "number of penetrations to the CPIC system through unauthorized connections is nil."

This left Tory MP Garry Breitkreuz, the most aggressive critic of the registry, incredulous. If the CPIC system was so perfect that it had never been hacked by an outsider, then why, asked Breitkreuz, did the Canadian government pay a private company $27 million to develop safeguards for government computers rather than simply ask the RCMP to duplicate its "CPIC success story" and apply it in every federal department?

The follow-up answer from RCMP Chief Supt. David Gork, the federal force's departmental security officer, was not one that mirrored the initial response. As Supt. Gork put it, "CPIC is but one of many applications that are protected by the National Police Service Network (NPSN), and attacks on the network cannot be broken down as to which application is the intent of the attack. "Therefore," he concluded, "there are no stats that are collected that would indicate where any of the attacks are directed."

In other words, the RCMP has no way of knowing if CPIC had been breached by outside hackers, let alone if it has ever been attacked by unauthorized parties, because there was no qualitative tracking system in place. That alone ensures that CPIC cannot be described as fail-safe, even if anti-firearms crusaders such as Wendy Cukier wish to believe it is "silly" to think otherwise.

The fact that computer hackers broke through federal firewalls several times in 2003 should have opened even the most blinkered eyes to the possibility that CPIC is vulnerable -- particularly since one of the networks compromised by those hackers was the department of national defence, complete with its treasure trove of highly classified records.

According to a 2004 Canadian Press report based on Access to Information documents, the defence department's computer incident response team tracked 160 breaches of its security system, supposedly the most impregnable due to its role in protecting Canada's national security secrets from cyber-terrorism and international espionage agents. If it can happen there, it can happen anywhere.

If there are still doubters, however, then perhaps those doubters should make their way to the website of the Ontario Federation of Anglers and Hunters. In their April hotline, the organization tells the story of former firearm registry webmaster John Hicks -- who has never owned a gun -- who warned authorities that the supposedly impregnable registry site was an easy target. "It took some $15 million to develop it, and I broke into it in about 30 minutes," he said, indicating he warned his superiors repeatedly before resorting to filing an official complaint with the privacy commissioner. "Basically, a 16-year-old kid could have broken into that system in a heartbeat."