Cyberattack cost federal research agency $100M
Securing system after breach by foreign hackers comes at staggering price, files reveal
OTTAWA — A federal research agency bought $8 million worth of new laptops after a crippling cyberattack targeted its secrets in 2014, the Star has learned.
Documents released to the Star show the National Research Council (NRC) had to replace a number of “end-point devices” — Internet-connected devices such as laptops and printers — after foreign hackers targeted its networks in 2014.
According to the agency, they replaced 4,000 laptops at a cost of $2,000 each and over 180 new printers, which the NRC estimated cost $1,800 a year to operate.
The new devices were a drop in the bucket, however, in the total cost to mitigate the damage caused by the cyberattack on the agency. Documents show that the Communications Security Establishment (CSE), Canada’s electronic spying and cyberdefence agency, estimated the price tag to be more than $100 million.
The documents, obtained under access to information law, reveal new details about how CSE intervened to stop the bleeding after hackers penetrated the system in the summer of 2014. They also hint at how damaging a cyberattack can be for an agency — public or private — that doesn’t have sufficient defences.
In July 2014, CTV News reported that the NRC’s network had been isolated from the rest of the federal government due to a cyberattack. At the time, NRC president John McDougall told employees that the hack was so severe that “any information held in (NRC) systems, including employees’ personal information, may have been compromised. Client information and data may also have been compromised.”
The NRC is a research and development hub that partners with industry to advance technology across a number of fields, including aerospace, energy and “disruptive” technology — high-value targets for foreign hackers.
The then-Conservative government took the unusual step of publicly blaming the attack on China, claiming — without releasing evidence — that Beijing backed the hackers that targeted the NRC. China has denied involvement. The NRC had known about the hack for some time before details made their way to the media.
The agency had been working with CSE and other government departments to monitor the hackers and try to mitigate the damage.
According to a CSE briefing for Iain Stewart, the new head of NRC, the agency had a number of serious vulnerabilities in 2014. For instance, NRC was running cross-country networks outside of the federal government’s secure network perimeter.
Access to the NRC networks was “ad hoc,” according to the briefing, with employees able to access sensitive data and exchange information a number of different ways.
Scott Jones, the head of IT security at CSE, said the easiest way to understand why multiple access points are a risk is to think of your house.
“If you’ve got 45 doors to the outside, and you have to lock those all down every night, that’s a lot of work to do every night,” Jones said in an interview with the Star on Friday.
“Having a couple of doors, you go and check those every night, or if you’re in an apartment maybe one door, you check to make sure it’s locked and you can sleep more comfortably, right? Same thing in the network security world.”
It is still unknown what the hackers were able to steal from the NRC, but we do know the cost.
According to the documents, the damage was “mitigated” within four months. But the total “rebuild” time for the NRC’s networks was estimated at more than 16 months, at a cost of more than $100 million. CSE compared that to a $10-million, 12-month rebuild of Treasury Board and Finance Canada networks in 2012.
Jones said the nature of NRC’s cross-country networks and operations made the recovery efforts more complicated and therefore more costly. But while the price tag may seem shocking, Jones would guess that it’s in the ballpark for this type of attack.
“What some of this money really is, is catch-up money. When you don’t invest in security, at some point you end up paying the bill. And the bill is usually paid with a compromise,” Jones said.
The CSE briefing ends by saying that NRC has much tighter security after the attack and that an “identical attack would not succeed today.”
The cyberdefence agency then asked if NRC is “still susceptible to other vulnerabilities,” but the answer was censored from the documents.