Flaws in cyber defences expose government information to state-sponsored theft: report
NSICOP report shows China has made multiple successful hits over the past decade
Gaps in Ottawa's cyber defences could leave the government agencies holding vast amounts of data on Canadians and businesses susceptible to state-sponsored hackers from countries like China and Russia, says a new report from Parliament's security and intelligence committee.
Their report, tabled late Monday in the House of Commons, shows previous mistakes have allowed state-sponsored actors to infiltrate and steal government information over the past decade.
"Cyber threats to government systems and networks are a significant risk to national security and the continuity of government operations," says the report from the National Security and Intelligence Committee of Parliamentarians.
The committee's study looked at the three main players in Canada's cyber defence shield: the Treasury Board Secretariat, which oversees the spending and operations of the federal government; Shared Services Canada, the agency which provides IT services across federal government departments; and the Communications Security Establishment, the nation's foreign signals intelligence agency.
The report said that after experiencing major attacks, the government has built up strong cyber defence systems. But it found discrepancies in the way those systems are applied.
The report said Treasury Board policies intended to secure government systems are not uniformly applied across the federal family.
Crown corporations and organizations known as "government interests" — such as airport authorities — are known targets for state actors but don't fall under Treasury Board cyber-related directives or policies, said the committee.
Liberal MP David McGuinty, chair of the committee, said some departments aren't using all the protections available to them, while other organizations have declined protection.
"That puts not only them, their data, their processes or systems at risk, but it puts the whole government at risk because it becomes, as we say in the report, a weak link," he said.
"With persistent threat actors who are out there, and who are very aggressively in a nonstop fashion targeting the federal government of Canada, we've just got to up our game here."
The report says China and Russia are the most sophisticated cyberthreat actors targeting the government, while Iran and North Korea have "moderately sophisticated" capabilities.
Intellectual property, advanced research already stolen
A year-long attack by China while Stephen Harper was prime minister served as a "wake-up call" for the federal government, said the report.
Between August 2010 and August 2011, China targeted 31 departments and eight suffered "severe compromises," the report said.
"Information losses were considerable, including email communications of senior government officials, mass exfiltration of information from several departments, including briefing notes, strategy documents and secret information, and password and file system data," said the report.
In 2014, a Chinese state-sponsored actor was able to compromise the National Research Council.
"The theft included intellectual property and advanced research and proprietary business information from NRC's partners. China also leveraged its access to the NRC network to infiltrate a number of government organizations," said the report.
'Damn expensive'
The cost of mitigating the damage of that attack was estimated at more than $100 million.
"It's damn expensive to deal with cyber hits and cyber attacks," said McGuinty.
"If we're not able to increase our overall protection by improving coverage, getting more folks in the perimeter, I think it's fair to say that there will be considerable costs."
The NSICOP committee recommended that the government apply the Treasury Board's cyber defence policies equally to all departments and agencies and extend those policies to all federal organizations, including small organizations and Crown corporations.
It also recommends the government extend CSE's advanced cyber defence services to all federal organizations.
The Treasury Board of Canada Secretariat said it will review its policies to make sure cyber defences are applied equally across departments and agencies "to the greatest extent possible."
An unredacted version of the report was sent to Prime Minister Justin Trudeau over the summer.
The report was completed around the time Conservative MPs decided to boycott the committee to protest the Liberal government's refusal to hand over unredacted documents related to the firing of two scientists from Canada's highest-security laboratory.