Some federal organizations still refusing crucial cyber defence services as threats from hostile states grow: report
OTTAWA – Some federal organizations still refuse to obtain crucial cyber defence services from their own security and IT agencies at a time when government organizations are the target of unprecedented levels of cyber threats, namely from China and Russia.
That is the key finding from a redacted report by the National Security and Intelligence Committee of Parliamentarians (NSICOP) tabled in Parliament Monday evening.
The report found that the government’s centralized IT service, Shared Services Canada (SSC) and its cyber security agency, the Communications Security Establishment (CSE), have put together a “very strong” cyber defence system.
But only 43 of the government’s 169 organizations are required to receive all of their key digital services (networks, email and data centres) from SSC and its Enterprise Internet Service (which is monitored for threats and secured by CSE).
That allows some to continue to resist, thus creating significant cybersecurity vulnerabilities for themselves and the rest of government.
“A number of federal organizations are just not obligated to obtain cyber defence services from the government. Sometimes they’ll say it’s because they’re ‘independent.’ Many of these organizations, including crown corporations, have knowingly declined the protection,” NSICOP chair and Liberal MP David McGuinty said in an interview.
“We believe that puts them, their data, their people, their systems, and the government as a whole at considerable risk, because of course we’re joined at the hip.”
The report was a 20-year review (leading up to 2020) of Canada’s efforts to protect its systems, networks and all the sensitive and confidential information contained within from cyber attacks.
It focused mainly on the work done by three federal organizations: SSC, CSE and the Treasury Board Secretariat (TBS).
The committee made two recommendations to the government: that it continue to strengthen its cyber defence frameworks, and that TBS oblige all federal organizations to use SSC and CSE’s cyber defence services “to the greatest extent possible.” TBS accepted both recommendations.
In the report, NSICOP says that CSE blocked a staggering 1.3 billion hostile attempts to infiltrate the government’s networks every single day in 2019-2020, up from 282 million in 2015-2016. The jump is explained in part by increased monitoring by CSE.
But if Canada has become a “world leader” in defending its networks from cyber threats, that was far from the case just over 10 years ago.
The report says the federal government’s “wake-up call” regarding cybersecurity vulnerabilities came during a yearlong cyber attack beginning in 2010 by China. The incident was detected when CSE first deployed “cyber defence sensors” on the government’s secure network, a “turning point.”
New details contained in the report reveal the previously unknown scope of the attack, which targeted 31 federal departments and led to “severe compromises” in eight of them.
“Information losses were considerable, including email communications of senior government officials; mass exfiltration of information from several departments, including briefing notes, strategy documents and Secret information; and password and file system data,” reads the report.
The hardest hit were Finance Canada and the Treasury Board of Canada Secretariat, which lost “entire sets of network passwords” and were forced to disconnect their networks from the Internet completely for an undisclosed amount of time.
The report also gives a glimpse into the staggering cost for government to recover from a successful cyber attack when a department, agency or crown corporation doesn’t adequately protect itself.
The report found that it cost over $100 million and took “years-long” efforts to rebuild the National Research Council’s (NRC) network after a devastating cyber attack by a Chinese state-sponsored actor in 2014.
At the time, CSE found that China had managed to steal more than 40,000 files from the NRC’s highly sensitive network as well as gain access to other government organizations.
In 2017, CSE discovered that an unnamed state-sponsored actor infiltrated the Department of National Defence’s network and stole “significant amounts of data” all the while managing to infect other connected government services.
At the time, the impacted DND network was not part of SSC’s Enterprise Internet Service.
In 2019, CSE used newly obtained powers to catch an attempted attack on a private Canadian company whose clients were “a number” of critical infrastructure providers.
“CSE blocked related state cyber activity on all government networks and determined that government departments were unaffected. CSE informed the company of the compromise and, in response to its request for assistance, worked with the company to stop the attack.”
In 2020, CSE found that a crown corporation’s network was compromised by a state cyber threat actor, which had then used the access to infect several other government departments. Though the report says the attack was mitigated, the state still managed to access “significant amounts of information.”
At the time, the committee found that the crown corporation had not followed CSE’s recommendation to implement SSC’s Enterprise Internet Service.
McGuinty refused to provide any additional information about all those cases, including states behind the attacks or the organizations impacted.
China is described as a “prolific” threat that targets multiple government sectors in Canadian order to both maintain internal stability and develop as a global power. Since the beginning of the COVID-19 pandemic, CSE noted that China focused some of its cyber efforts on Canadian research network.
The report details Russia as “the most prolific” threat actor targeting the Canadian government, noting that it also employs non-state actors including cybercriminals, private companies and “troll farms” to conduct cyber threat activities on its behalf.