Gaps in the cyber security efforts of Canadian corporations could be leaving them open to sophisticated attacks by hackers, records show.
"The current situation is that there are an increasing number of new software vulnerabilities that can be exploited to gain access to companies' networks," reads a July 2012 memo obtained from Public Safety Canada under the Access to Information Act.
"The scale of the problem is significant. The cost of maintaining a highly secure network is high for each company, and they may not be willing to make that investment."
Most Canadian critical infrastructure assets — including electricity distribution networks, banking systems, transportation systems and telecommunications networks — are owned by the private sector or by provincial governments.
Their smooth operation is integral to the country's economic, political and social well-being, according to a report by the Auditor General of Canada published last fall.
But despite a commitment to protecting critical infrastructure from cyber attacks, the federal government has been slow to build partnerships with various stakeholders, the Auditor General's report states.
In one instance, records show a federal agency warned about hackers targeting critical infrastructure nearly six months before a security breach at Telvent Canada, an energy technology firm whose systems help run oil and gas pipelines.
Company never got alerts
The Canadian arm of Telvent, now called Schneider Electric, said it never received the alerts because its a vendor that builds systems for energy companies — and not an infrastructure company itself.
Documents obtained through Access to Information requests show the Canadian Cyber Incident Response Centre sent four alerts to technology experts in critical infrastructure and "related industries" in the months before the breach.
The alerts warned that hackers were sending malicious emails disguised as internal messages to staff in the energy sector, and outlined the steps organizations should take to protect themselves.
The first of the warnings was sent on March 30, 2012, with three more following in May.
In September, Telvent Canada announced it had suffered a cyber attack which security firm Mandiant later linked to Chinese military hackers.
Telvent quickly shut off access to its clients to prevent the intruders from infiltrating their systems and taking control of the country's oil and gas pipelines.
Cyber incident management is 'voluntary'
The Canadian Cyber Incident Response Centre said it does not comment on specific incidents, but noted it can't force companies to comply with its recommendations.
"Cyber incident management in Canada is a collaborative and voluntary activity," said Josee Picard, a spokeswoman for Public Safety Canada, in an email.
"CCIRC cannot compel any organization to take action on its network, and organizations can choose not to report incidents or seek assistance."
The cyber security watchdog said its role is to collect information on threats and share it with the private sector, other levels of government and security partners.
'Should we expect...a private company foot the bill for security measures which benefit us all but may not be ones they assess as being needed to protect their own private assets and business profitability?"—Angela Gendron, Carleton University
"This includes working directly with owners and operators of Canada's vital cyber systems to protect those systems and the Canadians who depend upon them," the agency said.
Angela Gendron, a senior fellow at Carleton University's Canadian Centre of Intelligence and Security Studies, said voluntary reporting can be a "minefield."
Companies may not want to disclose a system breach because of how it could harm their reputations, said Gendron.
The government can't force companies to report incidents or heed the CCIRC's warnings, and it's up to each individual company to determine how much to spend on cyber security.
"Their assessments about risks and the level of security needed to protect their assets may well differ from what we, as a society, feel is appropriate," said Gendron in an email.
"Part of the problem, of course, is money. Should we expect or insist that a private company foot the bill for security measures which benefit us all but may not be ones they assess as being needed to protect their own private assets and business profitability?"