The Canadian government’s computer networks have been hit by state-sponsored cyberattacks about 50 times a week — and at least one of them usually succeeded.
That acknowledgment from the Communications Security Establishment (CSE), the secretive agency charged with preventing such attacks, is a rare glimpse into the scale and frequency of attempts by foreign powers to penetrate federal government systems.
“Between 2013 and 2015, the Government of Canada detected, on average a year, more than 2,500 state-sponsored cyber activities against its networks,” says a new report.
“Although more than six per cent of these attempts breached the Government of Canada’s systems in 2013, this number had fallen to less than two per cent in 2015.”
The report does not name the foreign states behind the attacks, though the government has previously identified China as responsible for a major cyberattack at the National Research Council in 2014 that forced a long shutdown of its systems and cost millions of dollars for recovery. Russia, Iran and North Korea are also well-known players in cyberwarfare, though they have not been publicly identified as such by Canadian officials.
The report did not say how CSE knows the attacks were state-sponsored.
The new report from the Public Safety Department says Canada successfully blocks some 600 million attempts each day to identify or exploit vulnerabilities in its government computer networks. But the vast majority are small-time hackers or other players not aligned with foreign states.
Word of the frequency of state-sponsored hacking follows a deal struck between Canada and China on June 22, in which both sides agreed to refrain from conducting or supporting “cyber-enabled theft of intellectual property,” such as private-sector trade secrets and confidential business information. That agreement, however, was silent about cyberattacks on government networks.
Last October, CSE reported to Parliament that it detected 4,571 “compromises” of federal systems because of cyberattacks in the first nine months of 2016. More than 2,000 were directed at federal systems related to natural resources, energy and the environment. The agency said only three of those attacks resulted in information being removed, none of it classified, but did not identify any players whether state-sponsored or not.
CSE also warned in a separate report released earlier this year about threats to Canada’s democratic process, saying that “almost certainly, multiple hacktivist groups will deploy cyber capabilities in an attempt to influence the democratic process in 2019,” the next scheduled federal election.
That June 16 report also warned that nation-states showed the “highest sophistication” in attempting to undermine democratic processes worldwide, again without naming any players.
“Against Canada, nation-states are constantly deploying cyber capabilities to try to gain access to Government of Canada networks and the communications of federal government officials,” the document said, without providing statistics on the level of threat. “They are the most capable adversaries.”
CSE said it had no evidence that any nation-state used cyberattacks in the 2015 federal election to influence the outcome of the vote. In the United States, the FBI has launched a high-level probe into alleged efforts by Russia to influence the 2016 presidential election in favour of Donald Trump, an inquiry that resulted in charges against former Trump aides Monday.
Undetected for months
The latest CSE statistics on state-sponsored attacks on government networks were revealed in an evaluation of Canada’s Cyber Security Strategy, a multi-department effort begun in 2010 to thwart hackers. CBC News first obtained the document through an Access to Information Act request.
A cybersecurity expert says the new statistics on state-sponsored attacks are likely low-balled, because it is often difficult to identify an attacker bent on anonymity.
“Attribution is the hardest thing to do in cybersecurity,” said Iain Paterson, managing director of Toronto-based Cycura, a technology security firm.
“It’s very possible, and not too hard, for an attacker to disguise their behaviour through changing their method of operation to mimic or imitate other attackers,” he said in an interview.
Paterson also noted that in the private sector, systems and networks are typically compromised by intruders for 200 or more days before the owners become aware of the breach.
A spokesman for CSE declined to provide statistics for 2016 and 2017 “for security reasons.”
“CSE can say that the number of cyberattacks has gone up, and that trend is expected to continue,” Ryan Foreman said in an email.
“From our perspective, the actor is less and less important and attribution is harder and harder,” he added.
“CSE concentrates on methods and techniques of the threat, versus where we think it is coming from.”
The evaluation document was highly critical of Canada’s cybersecurity strategy, citing poor information sharing, weak or non-existent record-keeping, and an approach that led to “confusion and frustration” among departments, agencies and private-sector stakeholders. The document also found that most federal efforts had been devoted to protecting federal government systems, and not enough to safeguarding private-sector networks.
At the same time, the evaluation found that the number of successful breaches is declining. Canada’s success in thwarting more attacks was attributed in part to a decision to bring various government systems within a single secure network.
‘They’d be looking at everything.’— Bob Gordon, cybersecurity expert
The authors noted that the National Research Council attack in 2014 was likely the result of a decision by that agency to remain outside standard federal networks, leaving it without proper defences. The NRC’s post-attack bill to fix the breach was reported at $32.5 million.
Cybersecurity expert Bob Gordon, executive director of the non-governmental Canadian Cyber Threat Exchange, said state-sponsored hackers are looking for a range of material.
“Is there any proprietary information the government holds? The federal government has a very broad breadth of information that it houses and countries could be coming in to get any amount of that type of material.”
Canada’s potential vulnerability to cyberattacks has caught the attention of U.S. defence officials. Then-Adm. William E. Gortney testified to a U.S. Senate committee in 2015 that hackers targeting Canada could cripple parts of North American air defence.
“A cyberattack in Ottawa could take out the northeast quadrant of our air-defence sector,” he testified at the Senate committee on armed services in March that year.
“It would be, effectively, a mission kill.”