
Submitted URL: https://r.smartbrief.com/resp/qdfWCJkvacDvsSAaCigmiPCicNAJzm?format=multipart
Effective URL: https://www.theglobeandmail.com/politics/article-canada-federal-cyber-attacks/
Submission: On March 22 via api from US — Scanned from DE

OTTAWA MAKES LITTLE PROGRESS SHORING UP CROWN CORPORATIONS’ CYBERSECURITY

Marsha McLeod
Ottawa
Published March 20, 2023

The West Block of Parliament Hill in Ottawa on March 6. Sean Kilpatrick/The
Canadian Press


Ottawa has made little progress on recommendations meant to shore up the
cybersecurity of Canada’s Crown corporations, more than 18 months after
parliamentarians identified the risk of those organizations inadvertently acting
as gateways into the federal government’s well-protected networks.

In August, 2021, in a nearly 150-page report, the National Security and
Intelligence Committee of Parliamentarians (NSICOP) raised concerns that 75
federal entities – “primarily Crown corporations and some government
‘interests’ ” – were not subject to Treasury Board policies related to cyberdefence. It
called for these entities to be pulled under the directives.

Yet the number of organizations still not subject to these policies hasn’t
budged, confirmed Rola Salem, a spokesperson with the Treasury Board of Canada
Secretariat.

In another recommendation, the NSICOP report, which was released in a partly
redacted format in early 2022, called for the Enterprise Internet Service
provided by Shared Services Canada to be expanded to all government entities. It
provides secure internet connectivity to users, with built-in monitoring of
cyberthreats using advanced technology from the Communications Security
Establishment (CSE), the country’s cryptologic agency.

Still, uptake among Crown corporations remains low. Shared Services spokesperson
Jean-Pierre Potvin said that just five – out of around 50 such federal entities
– currently use the service.

Though Crown corporations are largely meant to be independent of government
direction, they hold sensitive information about Canadians, the NSICOP report
says. And that data is at risk of compromise by sophisticated online actors,
including foreign governments, it adds.

Crown corporations are far from the only government entity being targeted by
cyberthreats. The federal government is subject to between three and five
billion “malicious actions” daily, according to CSE’s latest annual report. But
the many government departments and agencies within the protective net of CSE’s
cyberdefence sensors, through the Enterprise Internet Service, are considered
well protected, the NSICOP report says.

Organizations outside this net, meanwhile, are “worryingly vulnerable to the
loss of their own data and, where they maintain electronic links with related
federal departments, to inadvertently act as a vector into the government’s
protected systems,” it says.

NSICOP declined a request from The Globe and Mail to interview its chair,
Liberal MP David McGuinty. The committee, which was established in 2017, is made
up of MPs from all major parties, as well as several senators. It meets in
secret, and its reports are sent to the Prime Minister’s Office, which can
redact information for national-security reasons.

Asked why no additional federal organizations have been brought into the fold of
the Treasury Board’s policies since NSICOP’s report, a secretariat spokesperson,
Barb Couperus, pointed out that the report called for the policies to be
extended “to the greatest extent possible.”



“The government agreed with that recommendation and the implied perspective that
it might not be advisable or appropriate to apply [Treasury Board Secretariat]
policies to all federal organizations, in all cases,” she said.

Ms. Couperus said the Treasury Board conducted a review of the possibility of
extending its policies to more organizations. It determined that there are no
barriers to “small organizations, Crown corporations or any other federal
organizations” choosing to receive federal cyberdefence services, she said. Ms.
Couperus added that they can also voluntarily make agreements to align
themselves with the relevant policies.

This non-binding approach avoids “a blanket application of policies that might
not be appropriate” to an organization’s governance structure, Ms. Couperus
said.

Stephanie Carvin, an associate professor at Carleton University and a former
federal intelligence analyst, said that taking an opt-in approach to
cybersecurity standards is generally not successful.

“If volunteerism was the best way to do cybersecurity, we wouldn’t have Bill
C-26,” she said, referring to the government bill, introduced last year, that
would legislate cybersecurity requirements for certain segments of the finance,
telecommunications, energy and transportation sectors.

While Prof. Carvin noted that the measures within Bill C-26 and in Treasury
Board policies are not the same, she said the government’s willingness to enact
Bill C-26 weakens its argument for not imposing such standards on Crown
corporations. The proposed legislation, she pointed out, essentially mandates
cybersecurity standards for the private sector.

Records from the Office of the Privacy Commissioner, obtained through
access-to-information requests, show that several Crown corporations have filed
Privacy Act breach reports after cyber-related incidents in recent years.

In January, 2021, for instance, the Canada Council for the Arts received a
message from someone seeking an update on a payment they’d made to the council,
according to a summary of a breach report. When the Crown corporation went
looking for the money, it learned it had never received the funds. The payment
had been made to someone else.

An attacker had gained access to an employee’s e-mail account and the council’s
Office 365 environment, more broadly – likely using a phishing e-mail, the
records note. Pretending to be council staff, the attacker directed payments
meant for the council to their own financial accounts. By the time they were
found out, the impersonator had stolen more than $80,000.

In a statement, the council said it has since introduced “additional protective
measures that are compliant with Treasury Board guardrails and the Canadian
Centre for Cyber Security guidelines.” The council does not use the Enterprise
Internet Service, but instead uses “a commercial enterprise-grade internet
service,” it said. The statement added that their internet service provider was
“not in question” during this incident.

In July, 2020, meanwhile, the International Development Research Centre, a Crown
corporation that funds research within and alongside developing regions, was hit
by a “cybersecurity incident,” resulting in unauthorized access to its
infrastructure, according to a summary of a breach report. It was later
determined that no personal information had been compromised, said Steven
Morris, a spokesperson for the centre.

The centre has opted not to use the Enterprise Internet Service.

“After very careful consideration, the restrictions and additional overhead
costs … would not have been of significant value or benefit to IDRC,” Mr. Morris
said, adding that the centre abides “then and now” by Treasury Board policies.

Canada Post has filed several breach reports after cyber-related incidents,
according to records from the privacy commissioner. In 2020, for instance, the
Crown corporation was affected by a cyberattack indirectly – through a
ransomware attack on one of its suppliers, a company called Commport
Communications.

At first, it seemed contained. Then, six months later, Commport told Canada Post
that “data associated with some larger Canada Post commercial customers was
found to be available for download on the dark web.”

The breach affected 44 commercial customers and contained information related to
nearly one million recipients of mail, mostly their names and addresses, said
Canada Post in a statement at the time. Canada Post declined to answer questions
from The Globe.

