Cyberattack at NRC occurred weeks before alert sent out
Response to last summer's malware breach occupied several government departments, spy agencies
The federal government knew for nearly three weeks that a hacker had stolen secret information from the National Research Council last summer before it notified stakeholders, employees and the public.
That warning went out on July 29, 2014, a day after news of the hacking incident first broke in the news media.
After the employees were notified, the computer network at the National Research Council was isolated from the rest of government and staff were told not to connect from mobile devices such as laptops.
An amber cyber-flash sent by Public Safety's Canadian Cyber Incident Response Centre, which is tasked with protecting government departments from cyberattacks, said only that it was aware a Canadian institution "has been compromised in ongoing targeted attacks by highly skilled threat actors, using stolen credentials."
"The apparent objective of this activity is the theft of intellectual property, trade secrets and other sensitive business information," the alert added.
According to documents obtained by CBC News through Access to Information, in the three weeks leading up to that notification, top officials from NRC, Shared Services, Public Safety and the RCMP met often to talk about priorities in dealing with the cyberattack.
Officials at the NRC will not say exactly what was done in the interim to stop the hackers from getting more information.
In an email to CBC News, the NRC would only say it was "informed of the cyber intrusion by its information security partners and took decisive action to contain and address this security breach."
Emails contained in the documents obtained by CBC News show employees of the Cyber Incident Response Centre referring to two internal reports of "malware infections" and "vulnerable services, including open resolvers" on July 11.
Minutes of meetings held in the ensuing days reveal Canada's spy agencies, the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), were planning to investigate whether the attack "was facilitated by an inside threat."
In an email to CBC News Friday, CSE said the investigation into the intrusion explored all possibilities but in the end there was no evidence of any malicious activity by a Government of Canada employee.
The government continues to blame a "highly sophisticated" Chinese state-sponsored actor for the incident.
Communications plan seen as critical
One priority of the internal response was communications, to ensure the government had "coordinated and consistent messaging if this does become public."
The communications strategy included advising senior management on what to expect, what to say to employees, a formal notification of stakeholders and a "robust media relations protocol."
That strategy was led by the Privy Council Office, the bureaucratic wing of the Prime Minister's Office, along with Treasury Board.
Katherine Thompson is a vice-president with the Canadian Advanced Technology Alliance, which brings together public and private sectors to address cybersecurity.
She's not surprised government officials did not notify stakeholders or even staff right away, noting there's no legal requirement to do so.
"The fact of the matter is in many circumstances, organizations are not required to disclose," Thompson told CBC.
As for the time lag of three weeks, Thompson says that's not unusual either.
"It really does fall in line with what you're seeing in a lot of other high profile breaches, including the [U.S. retail giant] Target gap, which was about three weeks. And in fact, the reason why they disclosed when they did was the U.S. Department of Justice stepped in and kind of pulled the trigger on it," Thompson said.
Thompson says one possible solution is the new rules proposed by U.S. President Barack Obama last month, that would force companies to notify customers and stakeholders within 30 days of a breach.
It also encourages the private and the public sectors to share more information about cybersecurity.
Cheri McGuire, who has worked for the U.S. Department of Homeland Security and is now vice-president in charge of cybersecurity for Symantec Corporation, says the debate about when to tell the public about a cyberattack is ongoing in the U.S. and Canada. The timing is critical, she said.
"If you haven't had time to patch the hole, you might actually open up your networks and your customers, and your partners, to more vulnerability," McGuire said at a defence conference this week in Ottawa.
In the wake of the attack last summer, NRC officials warned it may take up to a year to upgrade its IT network.
This week, the Harper government tabled supplementary budget estimates that included a request for $32.5 million for a new secure telecommunications and IT strategy for the NRC.
The NRC will only say it's working to make sure its computer system is able to withstand cyberattacks in the future.
- This story has been updated from a previous version that incorrectly stated the Treasury Board oversees Shared Services Canada. In fact, Shared Services is under Public Works and Government Services Canada. Feb 23, 2015 9:53 AM ET