tp-china-computer-cp-306-42

Cyber attacks on government, university and industry computers is a growing threat, a CSIS memo says.

A top secret memo written by Canada's spy agency warns that cyber-attacks on government, university and industry computers have been growing "substantially."

The heavily censored briefing note, obtained by CBC News using Canada's access to information law, outlines the increasing vulnerability of Canada's energy, financial and telecommunications systems face from cyber-attackers.

"Compromises of computer and combinations networks of the Government of Canada, Canadian universities, private companies and individual customer networks have increased substantially," says the June 2009 memo written by the Canadian Security Intelligence Service.

The CSIS memo highlights current concerns about cyber security. A report by North American researchers that made headlines in April revealed how email and Twitter were used to steal sensitive documents from the Dalai Lama's office and national security data from the Indian government.

The report — by the University of Toronto's Citizen Lab, the Ottawa-based think-tank SecDev Group and U.S. researchers from the Shadowserver Foundation — stressed that the federal government needs to take urgent action or risk being targeted by hackers who use social media, such as Twitter, to steal secret government or corporate information.

'Complicated issues'

The CSIS briefing note obtained by the CBC acknowledges that the threat of cyber-attacks is "one of the fastest growing and most complicated issues."

"In addition to being virtually unattributable, these remotely operated attacks offer a productive, secure and low-risk means to conduct espionage," the CSIS briefing says.

Government officials have said they are working to develop a framework to deal with cyber-attacks — the federal government's throne speech in March promised a cyber-security strategy.

However, Canada still has no official plan for responding to a co-ordinated cyber-attack. No one from Public Safety Canada responded to a request from CBC News for a response to this story. 

Liberal public safety critic Mark Holland said Canada is vulnerable to a "catastrophic event" involving its power grid or banking system. 

"Canada is without a plan and we have a government that has given us little more than words. So, rhetoric is cold comfort for those who are concerned," Holland told CBC News.

Canada dependent

Ron Deibert, director of the Citizen Lab at the University of Toronto's Munk Centre, said Canada needs a "coherent, comprehensive strategy" on cyberspace, given how dependent Canadians are on telecommunications.

"We're a large landmass with a population spread across the country," he said. "We obviously have an interest in making sure that these technologies are open and unfettered" because they benefit our commercial relationships and offer us a way to project our values internationally.

Other countries have made progress.

The U.S. government recently announced a $40-billion US national cyber-security plan to combat cyber-attacks from foreign and domestic hackers. Russia and China have also made the growing threat of cyber-terrorism a top defence-spending priority. 

Old computer systems a risk

So-called "ethical hackers" — computer experts who get paid by companies and organizations to identify weaknesses in their computer systems — say Canadian government computers are particularly susceptible to cyber-attacks.

"Some of the systems of government can be up to 20 years old, and they're having a hard time migrating that over to newer technology and until they do that, they are extremely vulnerable," said Terry Cutler, a Montreal-based cyber-security expert and ethical hacker.

However, government — and other targets of cyber-attacks — might never be completely impregnable, said John Aycock, a University of Calgary computer science associate professor.

"There's nothing that we can really do about these attacks, in some sense, because of the way the internet was designed," Aycock said.

"It's not designed to be able to track people back. Having multiple layers of security, educating people about what they should and should not do, all those things are beneficial — but there is no one cure all that's going to do it."