Security committee finds gaps in federal cyberdefences that place vital data at risk

By Jim Bronskill
THE CANADIAN PRESS

OTTAWA – The committee of MPs and senators which oversees federal security policy has uncovered gaps in Canada’s cyberdefences that could leave many agencies vulnerable to state-sponsored hackers from countries like China and Russia.

In a new report, the National Security and Intelligence Committee of Parliamentarians says cyberthreats to government systems and networks are a significant risk to Canada’s security and government operations.

It points to Beijing and Moscow as the most sophisticated cyberthreat actors targeting the government, while Iran and North Korea have moderately advanced capabilities and pose less of a danger.

The committee says although nation states represent the most highly developed threats, any player with malicious intent and sophisticated capabilities puts the government’s data and the integrity of its electronic infrastructure at risk.

The report concludes the federal government has built a strong cyberdefence system to counter this threat over the last decade.

However, it is weakened by the inconsistent application of policies and use of cyberdefence services across government.

The report, tabled in Parliament late Monday, is a redacted version of a classified document submitted to Prime Minister Justin Trudeau last August.

Governments are highly attractive targets for cyberattacks, the report says.

“The federal government holds enormous amounts of data about Canadians, Canadian businesses and innovative sectors such as universities and research institutes. Cyber compromises of this data could reveal sensitive personal information of Canadians and sap the vitality of individual companies and of the economy.”

The government also manages foreign, trade and security relations through electronic infrastructures that, if compromised, could damage federal policies and undermine Canada’s vital interests, the report adds.

It provides new details about the sweeping nature of an early attack by a Chinese state-sponsored attacker that served as a “wake-up call” for the federal government.

Between August 2010 and August 2011, China targeted 31 departments, with eight suffering severe compromises. Information losses were considerable, including email communications of senior government officials and mass theft of information from several departments, such as briefing notes, strategy documents, secret material, and password and file system data.

The report also reveals new information about a debilitating 2014 attack on the National Research Council, saying a Chinese state-sponsored actor used its access to the network to steal more than 40,000 files.

“The theft included intellectual property and advanced research and proprietary business information from NRC’s partners. China also leveraged its access to the NRC network to infiltrate a number of government organizations.”

It cost more than $100 million to deal with the problem.

Three organizations, the Treasury Board of Canada Secretariat, Shared Services Canada and the Communications Security Establishment, work closely together – and with other government departments – on federal cyberdefences, the report says.

Ideally under the system, government networks fall within a single electronic perimeter with a handful of access points to the internet that are monitored by sophisticated sensors capable of detecting and blocking known threats.

Departments should continually update and patch their devices and systems under the co-ordinated direction, advice and guidance of the three organizations, the report adds.

However, the current cyberdefence system “has not yet achieved this ideal.”

The key weaknesses include:

– Treasury Board policies relevant to cyberdefence are not applied equally to departments and agencies, creating gaps in protecting government networks from cyberattack;

– Crown corporations are known targets of state actors, but are not subject to Treasury Board cyber-related directives or policies and are not obligated to obtain cyberdefence services from the government, placing their data at risk; and

– Cyberdefence services are provided inconsistently, meaning, for instance, many agencies do not benefit from Shared Services Canada’s full complement of assistance.

“The threat posed by these gaps is clear,” the report says. “The data of organizations not protected by the government cyber defence framework is at significant risk.”

Moreover, unprotected organizations potentially act “as a weak link” in the government’s defences by maintaining electronic connectivity to organizations within the cyberdefence framework, creating risks for the government as a whole.

In responses included in the report, the government agreed with the committee’s various recommendations to address the deficiencies.