Security agencies warn of foreign espionage threat to company networks
RCMP warns of 'supply chain vulnerability' — a back-door tactic to infiltrate systems
Canadian companies should watch out when they use technology supplied by state-owned companies from countries that want to steal corporate secrets, the country's security agencies have warned.
The RCMP organized two workshops last March — one in Calgary, the other in Toronto — to raise awareness about threats to critical systems, including espionage and foreign interference, cyberattacks, terrorism and sabotage, newly disclosed documents show.
Canadian Security Intelligence Service materials prepared for the workshops advise that "non-likeminded countries," state-owned enterprises and affiliated companies are engaged in a global pursuit of technology and know-how driven by economic and military ambitions.
The materials were released to The Canadian Press in response to an access-to-information request.
The heavily censored records do not go into detail about specific countries. But the presentation does include a passage from a 2017 U.S. government report saying competitors such as China steal American intellectual property valued at hundreds of billions of dollars every year.
Advanced technology a target
In addition, CSIS openly warned in 2016 that Russia and China were targeting Canada's classified information and advanced technology, as well as government officials and systems.
The presentations to industry dissected techniques used by adversaries and offered advice on protecting confidential information and assets.
The intelligence community's concerns emerge as Canada considers allowing Chinese firm Huawei Technologies to take part in developing a 5G telecommunications network.
Former security officials in Canada and two members of the U.S. Senate Select Committee on Intelligence have warned against such a move, saying the company's ties to Beijing could compromise the security of Canada and its closest allies. Huawei has denied engaging in intelligence work on behalf of any government.
The workshops led by the RCMP's critical infrastructure team highlighted the problem of "supply chain vulnerability" — a back-door tactic to infiltrate systems.
The RCMP did not respond to questions about the sessions. CSIS spokesman John Townsend said the concerns stem from cases where equipment and related computerized control systems and services are manufactured and installed by companies controlled by or affiliated with a foreign government.
"These foreign governments may pursue, not only profitable commercial objectives, but may also try to advance their own broader and potentially adverse strategic and economic interests," he said.
The tactics could include gaining influence and leverage over the host country, espionage, technology theft and malicious cyberactivities, Townsend added.
The security presentations also warned of "spear-phishing" attempts by hostile forces to gain access to computer systems through emails that fool employees into giving up passwords or other sensitive data.
Develop a corporate security plan
The agencies encouraged companies working on leading-edge research to take stock of protective measures and develop a corporate security plan to manage risks. For instance, scientists should consult corporate security about precautions when outside delegations visit.
"If you detect suspicious activity, contact authorities," the presentation materials say. "All infrastructure sectors should remain engaged with RCMP and CSIS to share security intelligence."
Patrick Smyth, vice-president of performance at the Canadian Energy Pipeline Association, said security is "top of mind" for member companies, which share information and help each other ensure they are prepared for emerging hazards and threats.
Cyberattacks are an evolving threat, but not a new one for pipeline operators, he said in an interview.
"They've been looking at it for a number of years and tracking the evolution around the sophistication of bad actors who might wish to find entry points into individual companies, and take over control of certain elements of the infrastructure and cause damage," he said.
If a state-owned enterprise is looking to acquire an asset, "these companies have programs, checks and balances in place to address that."
Pipeline operators receive intelligence from the RCMP, CSIS, the federal Natural Resources and Public Safety departments and U.S. agencies, Smyth added. However, he sees a place for the awareness workshops, saying any "additional source of information and intelligence is helpful."