Cyber attack at NRC kept from other departments
Organization shut down systems, spent $32.5M on electronic overhaul
Federal cybersecurity officials kept a tight lid on who was aware of a serious cyber attack at the National Research Council last year, a move one security officer suggested may have robbed other departments of a fighting chance to protect their systems as well.
Internal government emails show that officials were aware of the hack at least a week before they went public with the news.
Hackers infiltrated systems of the NRC, one of the most important research organizations in the Canadian government, in 2014. The hack led the organization to shut down its systems, and prompted a year-long IT overhaul that will cost $32.5 million. The NRC’s systems were also isolated from other federal systems.
When the government went public about the hack on July 29, at least one department was caught off-guard, with a security officer at Environment Canada complaining about the lack of communication between federal organizations. Environment Canada and the NRC are part of the same IT portfolio.
“Senior management at EC is very concerned about the incident, since we are also part of the science portfolio. We would like to know if there is anything we can do to prevent a similar compromise on our networks,” senior IT security specialist Peggy Cho wrote in an email that was sent to the top cybersecurity official at Treasury Board.
“As a government, we should be much better at sharing incident information, in order to protect those that still have a chance to apply mitigating measures and protect the GC (government of Canada) further.”
The email is one of hundreds of pages of documents obtained by the Citizen under the access to information law.
The documents don’t explain why Environment Canada wasn’t warned earlier about the hack at the NRC. Neither Treasury Board nor the Communications Security Establishment, the government’s cyber-spy agency, would say why other departments weren’t alerted.
A CSE spokesman said that once the agency detected hackers in the NRC’s systems, the agency “immediately” alerted and started working with Shared Services Canada, the government’s super-IT department, and research council officials to “further assess and develop mitigation for this cyber-intrusion event.” The agency’s policy is to alert affected departments, then ensure “warnings are issued to a broad government audience.”
A Treasury Board spokeswoman wouldn’t say when the government’s chief information officer became aware of the hack at the research council, citing security.
The emails show that officials from Treasury Board, Public Safety, Industry Canada and the NRC met on July 22 to talk about messaging after a successful cyber attack. On July 25, a statement that would eventually go out from Treasury Board about the hack was circulated to three people with the proviso that it not be distributed to anyone else.
When the Treasury Board statement was made public, the government took the unusual step of openly blaming the attack on China, a charge Chinese officials vehemently denied. China, wasn’t mentioned in the original drafts of the statement.
The documents show that officials clamped down on communications, refusing to answer media questions and instead pointing to online statements from the NRC and Treasury Board. Officials were supposed to cite “national security reasons” for not releasing further details.
Internally, the NRC moved quickly to protect its information holdings.
For example, “Effective immediately, connecting any devices to your work computer (e.g. USB memory sticks, smartphones, personal digital assistants, etc.) or connecting departmental devices to your home or other public network is prohibited,” NRC president John McDougall wrote to employees.
Senior management at EC is very concerned about the incident, since we are also part of the science portfolio.