Greg Weston: Anti-hacking agency slow to learn about Chinese cyberattack
'We cannot be the soft underbelly of North America,' retired CSIS boss says
Confidential documents obtained by CBC News show that when Chinese military spies hacked into the control systems of Canadian pipelines and power grids last fall, this country’s official cyber-response agency sprang into action – exactly 10 days later.
On Sept. 10, 2012, Calgary-based Telvent advised its customers that hackers had managed to penetrate its computers and access some customer files. The company says it has no evidence the hackers gained access to the customers' computer systems.
"Telvent is aware of a security breach of its corporate network that has affected some customer files. Customers have been informed and are taking recommended actions, with the support of Telvent teams. Telvent is actively working with law enforcement, security specialists and its affected customers to ensure the breach has been contained," Telvent said in a later statement to CBC News.
But no one, apparently, told the Canadian Cyber Incident Response Centre, the federal agency set up to respond to cyberattacks on critical infrastructure.
Documents indicate the first the agency even heard about the attack was a news report 10 days later, saying a "Canadian energy company" had been hacked.
Even then, it took the organization more than 24 hours to determine the Canadian company hit was Telvent.
Part of the problem was the federal response centre wasn't open to respond to anything on weekends. In fact, it was only staffed during banker’s hours – eight hours a day, five days a week.
Whatever the cause, the Telvent embarrassment was hardly an anomaly.
Hundreds of pages of the agency’s internal emails and cyber "incident reports" paint an organization unable to deal with an almost constant hail of cyberattacks on government and industry.
The documents show the government was consistently slow to respond to what would become Canada’s worst cyberattack in the fall of 2010.
China-based hackers broke into the computer systems of at least three federal departments, seven Bay Street law firms, and two multinational corporations – all involved in the ultimately unsuccessful corporate takeover of Saskatchewan’s Potash Corporation.
Documents show warning signs of a cyberattack throughout the fall of 2010, but no evidence of a co-ordinated response to it.
In mid-January 2011, all hell began to break loose with attack alerts pouring in daily.
Emails on Jan. 31 indicated the Finance Department and Treasury Board were both being slammed with severe cyberattacks, including significant volumes of sensitive government data being stolen by computers in China.
U.S. offers help after massive cyberattack
But it wasn’t until three days later – and many meetings and a mountain of emails – that all of the computers at Finance, Treasury Board and Defence Research, also hit, were finally disconnected from the internet to prevent further loss of data.
Two weeks later, the first media reports about the massive cyberattack prompted the U.S. cyber response agency to offer "help and resources," to its Canadian counterpart, and to inquire if there were ways to mitigate the damage.
In an extraordinary exchange of emails, top officials at the Canadian cyber agency spent an entire day debating whether to share information with the Americans offering to help.
Meanwhile, the attacks were far from over.
Documents show six weeks after the three departments were unplugged from the internet, another federal agency was "severely impacted by a cyber incident."
On May 1, five more were hit, including the Privy Council, the prime minister’s department.
Documents show the attacks continued on an almost daily basis through the rest of 2011 and all of 2012.
Experts say most of the attacks on the federal government over the past two years were likely the work of hundreds of different hackers from various countries with a variety of reasons for causing mayhem.
For its part, the Cyber Response Centre issued an unusual report to government a year ago, all but pleading for help.
While the Harper government has long boasted about its "cyber strategy," the report suggests those who had to implement it were not impressed.
The agency complained of "ambiguity of roles in an emergency," and how it is "difficult to prioritize clients and services without clearly defined mission and mandate."
It complained about an "aging" laboratory, and the high turnover of staff at the agency.
Last fall, Auditor General Michael Ferguson hammered the government for its much-touted cyber strategy.
Among many pages of scathing commentary, the federal spending watchdog found that over the past decade, successive governments have promised a lot more in cyber security than they have delivered.
Auditor general critical of federal cyber strategy
Most of the time, he said, the government did not seem to know how much money was available for cyber security, nor what it was being spent on.
The Cyber Response Centre, he concluded, was underfunded and otherwise ill-equipped to do its job.
All of which clearly frustrates security experts such as Canada’s former head of intelligence and counter-terrorism , Ray Boisvert.
In an interview with CBC, the recently retired CSIS boss says the growing cyber threats are "as important if not more important than terrorism now."
He says the Cyber Response Centre is "a good start," but the federal government will "have to do far more than that."
"This government has invested some time and some money in this issue of late and I think it’s all very helpful.
"But we cannot be the soft underbelly of North America."
Rafal Rohozinski of the SecDev Group is one of Canada’s leading cyber experts.
'I think frankly that it requires co-ordination at the upper levels of political authority.'—Rafal Rohozinski of the SecDev Group
He says Canada is lagging behind its allies in making cyber security a co-ordinated effort among all government agencies and the private sector.
"I think frankly that it requires co-ordination at the upper levels of political authority. There has to be a decision made by the Prime Minister's Office that cyber security matters.
"There has to be a national security advisory team that deals with this just like they deal with any other aspect of national security."
Rohozinski says the Chinese attack on Telvent and its big utility customers is another wakeup call for Canada, and a reminder of what’s at stake in securing cyberspace.
"It certainly puts us in the position of military potential vulnerability if some of our core assets are penetrated … by a foreign power or entity that can sidestep the securities that we have built within them."
Since the auditor general’s scathing report last year, the Harper government has increased funding for the Cyber Response Centre, at least enough to operate 15 hours a day, seven days a week."
This week, Prime Minister Stephen Harper seemed to say all’s well in cyberspace.
Asked for his reaction to this week’s report fingering the Chinese for the cyberattack on Telvent, the PM said: "We are certainly aware of these kinds of security threats and risks that exist.
"We have professionals who constantly evaluate them and work with partners on addressing them."
- An earlier version of this story said Telvent had told its customers that hackers had also penetrated their computer systems. In fact, the company says it has no evidence hackers accessed its clients' systems.Mar 27, 2012 10:43 AM ET