Ottawa has made little progress on recommendations meant to shore up the cybersecurity of Canada’s Crown corporations, more than 18 months after parliamentarians identified the risk of those organizations inadvertently acting as gateways into the federal government’s well-protected networks.
In August, 2021, in a nearly 150-page report, the National Security and Intelligence Committee of Parliamentarians (NSICOP) raised concerns that 75 federal entities – “primarily Crown corporations and some government ‘interests’ ” – were not subject to Treasury Board policies related to cyberdefence. It called for these entities to be pulled under the directives.
Yet the number of organizations still not subject to these policies hasn’t budged, confirmed Rola Salem, a spokesperson with the Treasury Board of Canada Secretariat.
In another recommendation, the NSICOP report, which was released in a partly redacted format in early 2022, called for the Enterprise Internet Service provided by Shared Services Canada to be expanded to all government entities. It provides secure internet connectivity to users, with built-in monitoring of cyberthreats using advanced technology from the Communications Security Establishment (CSE), the country’s cryptologic agency.
Still, uptake among Crown corporations remains low. Shared Services spokesperson Jean-Pierre Potvin said that just five – out of around 50 such federal entities – currently use the service.
Though Crown corporations are largely meant to be independent of government direction, they hold sensitive information about Canadians, the NSICOP report says. And that data is at risk of compromise by sophisticated online actors, including foreign governments, it adds.
Crown corporations are far from the only government entity being targeted by cyberthreats. The federal government is subject to between three and five billion “malicious actions” daily, according to CSE’s latest annual report. But the many government departments and agencies within the protective net of CSE’s cyberdefence sensors, through the Enterprise Internet Service, are considered well protected, the NSICOP report says.
Organizations outside this net, meanwhile, are “worryingly vulnerable to the loss of their own data and, where they maintain electronic links with related federal departments, to inadvertently act as a vector into the government’s protected systems,” it says.
NSICOP declined a request from The Globe and Mail to interview its chair, Liberal MP David McGuinty. The committee, which was established in 2017, is made up of MPs from all major parties, as well as several senators. It meets in secret, and its reports are sent to the Prime Minister’s Office, which can redact information for national-security reasons.
Asked why no additional federal organizations have been brought into the fold of the Treasury Board’s policies since NSICOP’s report, a secretariat spokesperson, Barb Couperus, pointed out that the report called for the policies to be extended “to the greatest extent possible.”
“The government agreed with that recommendation and the implied perspective that it might not be advisable or appropriate to apply [Treasury Board Secretariat] policies to all federal organizations, in all cases,” she said.
Ms. Couperus said the Treasury Board conducted a review of the possibility of extending its policies to more organizations. It determined that there are no barriers to “small organizations, Crown corporations or any other federal organizations” choosing to receive federal cyberdefence services, she said. Ms. Couperus added that they can also voluntarily make agreements to align themselves with the relevant policies.
This non-binding approach avoids “a blanket application of policies that might not be appropriate” to an organization’s governance structure, Ms. Couperus said.
Stephanie Carvin, an associate professor at Carleton University and a former federal intelligence analyst, said that taking an opt-in approach to cybersecurity standards is generally not successful.
“If volunteerism was the best way to do cybersecurity, we wouldn’t have Bill C-26,” she said, referring to the government bill, introduced last year, that would legislate cybersecurity requirements for certain segments of the finance, telecommunications, energy and transportation sectors.
While Prof. Carvin noted that the measures within Bill C-26 and in Treasury Board policies are not the same, she said the government’s willingness to enact Bill C-26 weakens its argument for not imposing such standards on Crown corporations. The proposed legislation, she pointed out, essentially mandates cybersecurity standards for the private sector.
Records from the Office of the Privacy Commissioner, obtained through access-to-information requests, show that several Crown corporations have filed Privacy Act breach reports after cyber-related incidents in recent years.
In January, 2021, for instance, the Canada Council for the Arts received a message from someone seeking an update on a payment they’d made to the council, according to a summary of a breach report. When the Crown corporation went looking for the money, it learned it had never received the funds. The payment had been made to someone else.
An attacker had gained access to an employee’s e-mail account and the council’s Office 365 environment, more broadly – likely using a phishing e-mail, the records note. Pretending to be council staff, the attacker directed payments meant for the council to their own financial accounts. By the time they were found out, the impersonator had stolen more than $80,000.
In a statement, the council said it has since introduced “additional protective measures that are compliant with Treasury Board guardrails and the Canadian Centre for Cyber Security guidelines.” The council does not use the Enterprise Internet Service, but instead uses “a commercial enterprise-grade internet service,” it said. The statement added that their internet service provider was “not in question” during this incident.
In July, 2020, meanwhile, the International Development Research Centre, a Crown corporation that funds research within and alongside developing regions, was hit by a “cybersecurity incident,” resulting in unauthorized access to its infrastructure, according to a summary of a breach report. It was later determined that no personal information had been compromised, said Steven Morris, a spokesperson for the centre.
The centre has opted not to use the Enterprise Internet Service.
“After very careful consideration, the restrictions and additional overhead costs … would not have been of significant value or benefit to IDRC,” Mr. Morris said, adding that the centre abides “then and now” by Treasury Board policies.
Canada Post has filed several breach reports after cyber-related incidents, according to records from the privacy commissioner. In 2020, for instance, the Crown corporation was affected by a cyberattack indirectly – through a ransomware attack on one of its suppliers, a company called Commport Communications.
At first, it seemed contained. Then, six months later, Commport told Canada Post that “data associated with some larger Canada Post commercial customers was found to be available for download on the dark web.”
The breach affected 44 commercial customers and contained information related to nearly one million recipients of mail, mostly their names and addresses, said Canada Post in a statement at the time. Canada Post declined to answer questions from The Globe.