It was early January when the first signs of a cyber intrusion became evident at Canada’s Treasury Board – the branch of government responsible for fiscal control and human resources. Within days, staff members in Ottawa were being ordered not to use the department’s network connections.
For several mid-winter weeks, rumors swirled around the nation’s capital that Treasury Board employees were working in substantial numbers from home or at coffee shops, wherever they could get internet access.
On February 17, Treasury Board President Stockwell Day confirmed many people’s worst fears: his department, along with the Department of Finance, had been the target of a massive attack. The assault was “significant,” he admitted, but added that security officials had quickly “slammed the door” on the intruders.
The truth is, no one is sure of the extent of the damage. Hours after Day’s admission, CBC News revealed that Defence Research & Development Canada – a civilian agency of the Department of National Defence – had also been hit, and speculated that the damage didn’t stop there. While government officials were generally tight-lipped, Public Safety Minister Vic Toews told the New York Times that the forthcoming federal budget had not been compromised, a critical point because the future of the current government is expected to hinge on the acceptance of its budget by opposition parties.
What is clear is that the hackers were using Chinese IP addresses, and entered the government networks by spear phishing downwards through layers of the bureaucracy. Apparently, the intruders commandeered the email addresses of senior officials and then infected the computers of lower-level public servants by sending virus-laden PDF documents under the senior officials’ names. As news of the attack spread, other government departments and agencies warned employees not to open email messages from webmail addresses, even if they recognized the sender’s name.
The attacks gave credence to the warning of Canada’s Auditor General Sheila Fraser, issued in 2005, that the federal government’s networks had serious weaknesses. Last fall, the government announced its plan to invest CDN$90 million over five years in network security. Critics have pointed to the fact that the British government has invested the equivalent of $1.1 billion over the same time period, while the United States has earmarked $40 billion toward its Comprehensive National Cybersecurity Initiative.