I was caught off guard by the Canadian Government recently, and it was a real eye-opener for someone who works in system administration and has to treat information security as a top factor in every development decision. When such rookie mistakes are being made day in and day out by our own government, it makes me wonder how poorly my personal information, arguably some of the most sensitive information about me that exists, is being handled beyond the public incidents we already know about. How secure are the systems that aren't in public internet view? Which third-party services that haven't been fully vetted are being relied on to handle our personal information?
Let’s talk about Libya
A few months ago I noticed a variety of official government social media channels promoting links through the bit.ly URL shortening service. My personal opinion is that a government should share shortened links through a more official, recognisably government-owned shortener, but this one caught my attention for a very specific reason: its ties to Libya.
2019 tech resolutions: Learn about your online security and privacy settings to keep your information private! Stay cybersafe with these tips: https://t.co/oREXI1lHp1 #SSCtechSPC @GetCyberSafe #GCdigital pic.twitter.com/VBeIGooWIO
— Shared Services Canada (@SSC_CA) January 1, 2019
Sure, bit.ly is not a Libyan company, but it uses the convenient, short ".ly" top-level domain, which is administered within Libya by the state-run General Post and Telecommunication Company. The TLD has not been without controversy. A registry does not see the traffic to a domain, but it does control the domain's DNS delegation, so it can suspend or seize a name whose content it judges to violate Libyan law; .ly domains have been removed from the web on exactly that basis in the past (the vb.ly shortener lost its domain this way in 2010). Across the border from us, after backlash of their own, the US Government created its own URL shortening service that anyone with a government-issued email address can use: https://go.usa.gov
Further reading here and here. Or just google the subject and you’ll find lots more reading.
I called the government out about this on Twitter and received an official response from their cybersecurity branch, who seemingly had no idea how TLDs work and assured me it was perfectly fine. Despite my further replies to them, they simply went silent on the subject and continue using .ly domains for shortening government URLs to this day.
https://t.co/sEopVD047Y and https://t.co/CbUxa3Sn54 are two common link shorteners. There is no connection with Libya.
— Get Cyber Safe (@GetCyberSafe) January 9, 2019
I think this shows that the understanding of information security, which we would expect to be at its best in government (even though plenty of large private corporations have shown this past year that they can't get it right either), is not what we'd hope. Instead of following the US Government and running an official URL shortener, ideally one that makes it obvious a link points to government-sanctioned, reviewed content and not to something posted from a hacked account, a spoofed URL or a compromised shortening service, our government keeps using entirely third-party services for URL shortening: services over whose security and data handling it has no control. What if I worked for bit.ly, hated the government, and decided to redirect one of their shortened URLs to a porn site, or a propaganda site? What if Libya decided to start a cyber war with Canada and began shutting down .ly domains carrying Canadian Government content, under whatever local law it chose to enact, to interfere with our government's information sharing?
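The two risks above, a shortener whose name sits under a foreign registry and a redirect that silently lands somewhere it shouldn't, are both checkable before a link is published. The script below is an added example written for this post, not code from bit.ly, Shared Services Canada or anyone the post mentions. It follows a short link one hop at a time (redirects disabled, so every intermediate hostname is visible), flags any hop whose top-level domain is outside an allowlist the caller supplies, and flags a final destination that is not under an official domain. The `fetch` argument is an assumption of this example so that the audit can run offline; the default implementation uses urllib. The `allowed_tlds` and `trusted_suffixes` values are the caller's policy, and the short-link paths in the usage are constructed.

```python
"""Audit a shortened link: which registries the redirect chain depends on,
and where it actually ends up.  Added example, not from the original post."""
import urllib.error
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Return (status, Location header or None) for one request, unfollowed.

    Assumed helper for this example; urllib raises HTTPError for an
    unfollowed 3xx, so the status and headers are read from the exception.
    """
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def registry_tld(url):
    """Top-level label of the URL's host: the registry the name depends on."""
    host = (urlsplit(url).hostname or "").lower()
    return host.rsplit(".", 1)[-1] if "." in host else ""


def expand(url, fetch=http_fetch, max_hops=5):
    """Follow redirects hop by hop and return every URL in the chain."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise RuntimeError("redirect loop at " + nxt)
        chain.append(nxt)
    raise RuntimeError("more than %d redirects for %s" % (max_hops, url))


def audit(url, allowed_tlds, trusted_suffixes, fetch=http_fetch):
    """Return (chain, findings): each finding is a policy violation string.

    allowed_tlds: TLDs whose registries the publisher is willing to depend on.
    trusted_suffixes: domains the final destination must be under.
    """
    chain = expand(url, fetch)
    findings = []
    for hop in chain:
        tld = registry_tld(hop)
        if tld not in allowed_tlds:
            findings.append("%s depends on the .%s registry" % (hop, tld))
    final_host = (urlsplit(chain[-1]).hostname or "").lower()
    if not any(final_host == s or final_host.endswith("." + s)
               for s in trusted_suffixes):
        findings.append("final destination %s is not an official domain" % final_host)
    return chain, findings


# Constructed responses standing in for the network, so the audit runs offline.
FAKE_RESPONSES = {
    "https://bit.ly/abc123": (301, "https://www.canada.ca/en/page.html"),
    "https://www.canada.ca/en/page.html": (200, None),
    "https://bit.ly/hijacked": (301, "https://example.net/"),
    "https://example.net/": (200, None),
    "https://sho.rt/loop": (302, "/loop"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for link in ("https://bit.ly/abc123", "https://bit.ly/hijacked"):
        chain, findings = audit(link, {"ca"}, {"canada.ca", "gc.ca"}, fetch=fake_fetch)
        print(" -> ".join(chain))
        for f in findings:
            print("  !", f)
```

Even the "good" link produces a finding, because the chain passes through a .ly name before reaching canada.ca: that is precisely the dependency the post objects to, and an official shortener under a .ca or gc.ca name would make it disappear. Run against real links, replace `fake_fetch` with the default `http_fetch`.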
I work for a private corporation, and any web service, cloud service or system we want to use has to go through a rigorous review where exactly these questions are asked. The fact that our government shares official content on official (and very widely followed) social media channels through services that raise so many questions, without asking those questions itself, costs it my confidence in how our information is being handled out of the public eye, when this is what happens in plain view.
Let’s all start asking these questions and push for a little change.