Andrew Mayeda and Hugo Miller
A cyber attack on Canada may be on the horizon.
Cyber attacks pose a greater risk to Canada’s economic prosperity than the government previously believed and the country lacks the tools to fight hackers, officials warn in internal documents obtained by Bloomberg News.
“All new knowledge obtained indicates the problem is more widespread than previously thought,” said a “secret”-stamped memo to Public Safety Minister Vic Toews from his deputy minister, obtained under Canada’s freedom-of-information law.
Canada is trying to bolster its defences as countries deploy increasingly advanced technology to disrupt their enemies’ networks and gain access to trade secrets. Some of Canada’s biggest companies, such as Potash Corp. of Saskatchewan Inc. and Nortel Networks Corp., have been targeted.
Poor security against cyber attacks “is increasingly recognized as impacting not just national security, but also public safety and economic prosperity through growing cyber crime and loss of intellectual property,” states the Aug. 2011 memo to Toews from deputy William Baker, who retired in April.
The government’s ability to respond is hindered by the lack of a national emergency policy for cyber attacks, aging lab facilities and difficulty recruiting specialists eligible for “top secret” security status, according to another document written in January by Canada’s Public Safety department.
A software virus discovered last month called Flame, which targeted Iran’s energy sector, is more complex and resourceful than “all other cyber menaces known to date,” according to Moscow-based security company Kaspersky Lab. Flame’s discovery comes after Iran’s nuclear facilities were attacked by the Stuxnet virus, which was created by the Israeli and the U.S. governments, the New York Times reported June 1.
“The industrial espionage piece is becoming the big economic hit,” said David Skillicorn, a computing professor at Queen’s University in Ontario who has testified about cyber security before Canada’s Parliament. “People don’t really understand how widespread it is.”
Nortel, once North America’s largest phone-equipment maker, was under steady attack by Chinese hackers from about 2000 until 2009, according to Brian Shields, who advised the Mississauga, Ontario-based company on cyber security for almost 20 years.
When Shields reported the attacks to the Royal Canadian Mounted Police in 2004, they did not take it seriously, he said. “We got no guidance as far as what we needed to be doing to try and find what turned out to be advanced intruders in our network,” he said.
It was not until January 2009 that the Canadian Security Intelligence Service, Canada’s spy agency, got involved — the same month Nortel filed for bankruptcy, Shields said.
The RCMP didn’t immediately respond to a request for a comment on the Nortel allegations.
Canadian law enforcement may struggle to keep up with hackers, said Shields, who is based near Raleigh, North Carolina. “They historically know how to deal with bank robberies, the physical kinds of theft where there’s losses and companies get hurt, but this is the new age and I really don’t think they have the teams put together,” he said.
More recent attacks in Canada have been linked to commodities like potash, a natural fertilizer sought after in Asia to help improve crop yields. China-based hackers looking to derail BHP Billiton Ltd.’s $40 billion bid in 2010 to acquire Potash Corp. zeroed in on the Canadian law firms connected with the transaction.
The Canadian government released a “cyber security strategy” in October 2010, in which it pledged to better secure public-sector computer systems. The government also promised to work closely with industry and provinces to prevent the theft of state and trade secrets, and protect critical infrastructure such as oil and gas facilities and electricity grids.
Skillicorn said Canada’s response to cyber threats has been fragmented, with responsibilities “chopped up” among organizations such as the Communications Security Establishment, a signals-intelligence agency created during the Second World War that monitors attacks on government networks.
“Nobody actually has their eye on the ball,” he said. “It’s kind of a symptom of the typical thing that happens when you try to solve a problem you don’t understand.”
The Public Safety department established the Canadian Cyber Incident Response Centre to coordinate the federal response to “cyber security incidents” outside government networks, with a focus on guarding key infrastructure such as energy pipelines and power plants.
The center responded to 749 incidents last year, notifying partners 197 times of “compromised systems,” according to a January memo obtained under the Access to Information Act. The center issued nine requests in November and December to shut down “malicious systems,” the memo said.
The center, which employs 22 people full time, faces challenges such as an unclear mandate, the absence of a “national emergency policy” for cyber security, old lab facilities and trouble attracting and retaining talent, according to the memo.
“The sort of people who get those tech skills tend to have done some illegal things in their lifetime,” said Skillicorn.
The government notifies Internet service providers and web hosts when it becomes aware of “potential malicious code,” spokeswoman Jessica Slack said in an e-mail. She said the department has recruited the staff it needed and is “modernizing its cyber security lab.”
“The government of Canada remains concerned about threats to cyber security and is working to mitigate the risks,” Slack said. A plan to consolidate systems under an agency called Shared Services Canada, as well as consultations with senior telecommunications executives, should improve security, she added.
Government agencies, companies and individual computer users will all have to improve to defend against attacks, said Shields. “You gotta have a Fort Knox mentality when it comes to your information security,” he said. “Are we there? Not anywhere close.”