Elections Canada phishes for help

Agency invites mock attack in effort to safeguard data from threats to democracy

Toronto Star - CANADA - ALEX BALLINGALL

OTTAWA — Elections Canada is looking for someone to run a mock attack on its computer system to make sure its security is up to snuff.

The federal agency put out a call on Oct. 26 for a contractor to conduct a “simulated phishing program.”

The goal, according to the contract advertisement, is to “create awareness and assess the current state of readiness against cybercriminal attacks initiated by phishing.”

“Phishing” refers to the hacking technique of tricking email users into providing usernames and passwords to their accounts and networks.

The tactic is commonly used and often successful. It can also be quite serious.

A Lithuanian man was arrested in March after he reportedly tricked Facebook and Google into wiring him $100 million (U.S.) using a phishing scheme.

And John Podesta, the chair of Hillary Clinton’s election campaign, had his password stolen last year through a phishing email that was mistakenly called “legitimate” rather than “illegitimate” in a typo by a campaign aide, according to a New York Times investigation on how the Democratic party servers were hacked during the U.S. presidential election.

In an emailed statement Thursday, Elections Canada spokesperson Melanie Wise said simulated phishing attacks are a “standard part” of cybersecurity efforts used by many employers.

“It will help educate employees on ways to safeguard information and systems and heighten their awareness of cybersecurity threats,” she said.

The dry run at phishing sabotage will give employees real-time training on what an attack could look like, the contract ad says: “We want to simultaneously protect our data while providing invaluable cyber awareness.”

Wise added that this won’t be the first time Elections Canada has run a phishing simulation and that, like other government departments, the agency faces “malicious cyber attempts on an ongoing basis.”

In March, for example, Statistics Canada’s internal network was pierced by an unauthorized user after a website software update exposed a vulnerability and forced the shutdown of two government websites.

Canada’s signals intelligence and cyberdefence agency, the Communications Security Establishment, concluded in June that threats against the democratic process are increasing around the world, and that it is “very likely” groups will try to influence the next election through cyberattacks.

The agency’s report on those risks singled out phishing campaigns as one of the types of threats facing Canadian political parties, politicians and the media.

The report noted that federal agencies such as Elections Canada are less vulnerable to cyber threats because “federal elections are largely paper-based” and the agency already has a number of security measures in place.

Bids on Elections Canada’s mock phishing contract must be submitted by Dec. 5.

With files from Alex Boutilier