Part I: Cyber Threats — what's at stake and who is involved?
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack
25. As a vital part of Canada's critical infrastructure, the government collects and holds information and provides services that are of significant value to Canada's adversaries. In this digital age, nearly everything the government holds or does is potentially at risk — whether it's Canadians' tax and employment information, companies' proprietary and research data, and government policies, investigations and operations, or the electronic processes that underpin the many services and benefits on which Canadians depend. Government networks are therefore integral to Canada's national security. This chapter describes what is at stake for cyber threats to government systems, the evolution of cyber threats over time, and the most significant threat actors facing Canada today. It is a primer for the rest of this review.
What's at stake?
26. Cyber attacks against government systems threaten the information held by the government and the various electronic systems and processes it needs to function. This broad vulnerability can be broken into five areas, each of which will be described in the following paragraphs:
- personal information of Canadians;
- proprietary information, intellectual property and research of Canadian businesses and researchers;
- government policies and policy-making;
- security and intelligence information and operations; and
- integrity of government systems.
Threats to the personal information of Canadians
27. The government collects and manages significant amounts of personal information. This includes names, dates of birth, addresses, social insurance information, passport information, health records, voting information and many other personal details. For example:
- the Canada Revenue Agency holds information related to Canadians' identity, income, employment, benefits and taxes;
- Immigration, Refugees and Citizenship Canada holds information related to individuals' identity and status in Canada; and
- the Canada Border Services Agency holds sensitive Advance Passenger Information/Passenger Name Record Data, entry-exit information and biometric information (fingerprints and digital photographs) for certain categories of travellers.
Criminals could use such data to impersonate Canadians, open bank accounts, apply for loans or credit cards, or obtain government benefits or refunds. Footnote 19 Hostile foreign states could use this data to track Canadians or persons living in Canada. Footnote 20
Threats to business information, intellectual property, research networks and academia
28. The government holds information related to Canadian businesses, intellectual property, research networks and academia. For example:
- the National Research Council possesses information related to Canadian advancements in technology and intellectual property that can be vital to the technical success of Canadian and international companies;
- Defence Research and Development Canada holds information on defence science and technology — including that developed or shared with partner departments, industry, academia and international allies — that is used to support defence and security operations at home and abroad; and
- Innovation, Science and Economic Development Canada possesses information related to Canada's conditions for investment, innovation and international trade.
The theft of this data by malicious actors could undermine Canada's international competitiveness and economic interests, sap innovation and harm national security.
Threats to government policies and policy-making
29. The government holds information related to its policies and policy-making. Through various policy- and decision-making processes, the government generates and obtains significant and often very sensitive information on topics spanning its domestic and international work, such as foreign policy and trade, defence and security, natural resources, energy, and finance. The same is true for processes and decisions that may affect, for example, financial markets or foreign investments, including budgetary planning and regulations, or involve Canada's judicial system. For example:
- Global Affairs Canada holds information related to Canada's bilateral and multilateral relations, international trade, consular cases, and peace and security assistance efforts;
- Treasury Board of Canada Secretariat possesses information related to government spending, regulation and management in the areas of people, money and technology;
- the Department of Finance holds information related to economic and fiscal matters, including the annual budget, tax and tariff policy, social measures, and security-related investments; and
- the Federal Court holds information on deliberations regarding administrative law; citizenship, immigration and refugee law; intellectual property; maritime law; and national security (e.g., warrants authorizing certain activities of the Canadian Security Intelligence Service).
This information is of interest to foreign states or criminals. If stolen, it could jeopardize Canada's national interests, international competitiveness and negotiating positions, reputation on the world stage, and international relations. The theft of decision-making and finance documents could reveal information related to the government's spending and programming plans, undermine its international negotiation strategies, and jeopardize trust in Canadian markets. Cyber attacks targeting court processes could divulge sensitive records and deliberations, threatening the integrity of the legal system.
Threats to security and intelligence information and operations
30. Government networks hold information related to Canada's national security, intelligence and defence activities, including operations and investigations. For example:
- the Canadian Security Intelligence Service holds highly classified information, including national security investigations on specific states and individual Canadians, and as part of the government's security clearance process, it collects sensitive information on government employees who require access to classified information or sensitive sites; and
- the Department of National Defence and the Canadian Armed Forces hold information on Canada's military operations, technology, and equipment, strategies, intelligence, and procurement plans.
The theft of information related to military operations could reveal military strategies, targets, operations and plans, potentially jeopardizing the safety of Canada's troops abroad and the success of military operations. The theft of information related to security and intelligence operations and investigations could reveal the identities of security and intelligence officials, jeopardizing their safety and making them targets for extortion or espionage. The loss of such information could also risk divulging intelligence-gathering sources and methods, inhibiting Canada's ability to gather intelligence on threats to national security.
Threats to the integrity of government systems
31. Finally, a successful cyber attack could compromise the integrity of government systems. As a key part of Canada's critical infrastructure, the government must provide services without disruption. Ensuring the continuity of government is essential across numerous areas. For example:
- the Prime Minister, Cabinet, individual ministers and parliamentarians rely on information technology and electronic communications to conduct sensitive state business;
- Employment and Social Development Canada, Service Canada and their partner departments rely on information technologies to provide numerous benefits to Canadians, including pensions, passports, Employment Insurance, and disability benefits for veterans; and
- Shared Services Canada provides backbone and digital services to government organizations in order to deliver digital programs and services across a range of mandates.
A cyber attack against government systems could jeopardize the continuity of government, the delivery of services and the integrity of information holdings. The economic and social well-being of Canadians would suffer as a result.
What's happening? The cyber threat environment
32. The Communications Security Establishment (CSE) defines a cyber threat as "an activity intended to compromise the security of an information system by altering the availability, integrity or confidentiality of a system or the information it contains." Cyber threat actors conduct cyber threat activities. These actors are composed of "states, groups, or individuals who, with malicious intent, aim to take advantage of vulnerabilities, low cyber security awareness, or technological developments to gain unauthorized access to information and systems in order to access or otherwise affect victims' data, devices, systems, and networks." Footnote 21 CSE identifies six types of cyber threat actors, based on their primary motivation:
- Nation-states: motivated by a range of strategic, political, security or economic objectives, states try to obtain advantages in the economic, political or military spheres;
- Cybercriminals: motivated by a real or perceived monetary reward, criminals seek to make money from targeting vulnerabilities;
- Hacktivists: driven by a sense of activism, hacktivists try to draw attention to their political or social cause; Footnote 22
- Terrorist groups: motivated by violent extremism grounded in religious or political sentiment, terrorists seek to fundraise, proselytize and plan attacks;
- Thrill-seekers: motivated by a sense of personal satisfaction, thrill seekers try to 'beat' the cyber defences of an organization or government; and
- Insider threats: driven by discontent and dissatisfaction, insider threats seek revenge for past slights or profit from selling secrets. Footnote 23
33. Cyber threat actors are not equal in their capability or sophistication. Key differentiators are access to technical and financial resources and training. Threat actors in the top tier of sophistication and skill are called advanced persistent threats. They use advanced techniques to conduct complex and protracted campaigns in the pursuit of their strategic goals. Nation-states are typically the most sophisticated threat actors, with their expansive state resources, advanced (and often highly classified) technologies, extensive planning and coordination, and the ability to operate with near legal impunity. With few exceptions, cybercriminals are generally understood as moderately sophisticated threat actors, although they may still use dedicated planning, support and technical capabilities to conduct activities against a large number of victims. Hacktivists, terrorist groups and thrill-seekers are typically at the lowest level of sophistication as they often rely on widely available tools that require little technical skill to deploy. Insider threats are individuals who work as trusted employees within organizations, but could cause significant loss of data or system disruption owing to their access to internal (and otherwise protected) networks. Footnote 24 While the Committee recognizes that the government must defend its systems against any threat, regardless of sophistication or motivation, in this review the Committee focuses primarily on state-sponsored actors due to their high level of sophistication and therefore greatest possibility of causing significant harm.
34. The cyber threat environment is the online space where cyber threat actors conduct malicious cyber threat activity. Footnote 25 This environment is made up of technological components, including Internet connectivity and connected devices, computing power and data storage, and the people and organizations that use them, including governments, citizens, businesses, universities and industries. This threat environment has evolved over time, the most notable changes being the exponential growth in users, bandwidth, computers and other devices, and a corresponding increase in the creation of personal and proprietary data. Footnote 26
35. Government departments and agencies have increased interconnectivity among themselves and with external Internet environments, such as private sector organizations and citizens. This interface between government networks and external cyber environments is essential for the government to provide services to clients. In fact, it is at the very core of the government's vision for digitally based operations, one where programs and services are available digitally to all Canadians, anytime, anywhere and from any device. Footnote 27 This also exposes government systems and networks to deliberate threat actors that may target the government with malicious cyber activity; it also means that a cyber compromise of one department may threaten others.
36. Cyber threat actors attack information systems using a number of methods. As CSE notes, "the structure of the Internet makes it possible for a threat actor to connect directly to an information system from across the globe or to monitor communications associated with a target information system." Footnote 28 For example, cyber threat actors could:
- monitor an interaction between two devices or software components in the information system, resulting in a compromise of data;
- deny communication between two components, halting the provision of critical services;
- insert themselves between two devices or modules that are communicating and intercept their communications; or
- gain access to government systems by impersonating a legitimate user or by stealing login credentials. Footnote 29
37. The balance between cyber defence and offence varies. Government departments use a variety of Internet browsers, software, applications and hardware, all of which vary in age and sophistication and require constant updating and maintenance to limit vulnerabilities, and have implemented sophisticated measures to strengthen defences. At the same time, threat actors have become more capable of launching cyber attacks. For relatively unsophisticated cyber threat actors, hacking tools have become cheaper and more readily available through criminal service providers, making it easier to conduct sophisticated, hard-to-detect attacks. Footnote 30 As described later, the most sophisticated threat actors, notably China and Russia, continue to adapt their capabilities to subvert defensive measures, and other states, such as ***, are investing heavily in their capacity to do the same. In short, cyber threats to government networks and the measures necessary to block them rapidly evolve.
Cyber threats to government networks, 2015 to 2020
38. In its Annual Report 2020, the Committee described the contemporary landscape of malicious cyber activities threatening government systems, critical infrastructure providers, the private sector and Canadians. Footnote 31 In this review, the Committee's analysis will more narrowly describe malicious cyber activities that targeted government systems and networks from 2015 to 2020.
39. CSE identifies threats to government systems in two ways. CSE's foreign intelligence program monitors foreign cyber actors to identify their techniques and interests (among other things). That information is shared with the Canadian Centre for Cyber Security (CCCS), which is housed within CSE. For its part, CCCS manages three types of cyber defence sensors, which scan for known threats and anomalies across certain government departments, networks and cloud environments. CCCS combines information from these sources with information shared by partners to create indicators of compromise that allow it to identify potential malicious cyber threats in the future. Footnote 32 As the deployment of cyber defence sensors has increased over time, CCCS's ability to detect malicious cyber activity on government systems has also grown.
40. The same is true for CCCS's ability to block that activity. Beginning in 2013 (before CCCS was created), CSE started to deploy network-based dynamic defences, a ground-breaking shift in defensive capability. Dynamic defences allowed CSE to move beyond only identifying threats to proactively blocking them. To create these defences, newly identified threats are *** updated into CSE's dynamic defence system. The sensors can then detect those threats and launch mitigation actions automatically to block them. Although malicious threat actors continue to target the government, the deployment of these dynamic defences has significantly reduced their success in compromising government systems. Footnote 33 In appearances before the Committee, CCCS officials stated that the volume of cyber incidents has gone down since 2015 and that the impact of such incidents has become less significant, owing to CCCS's ability to respond quickly to new attacks and prevent the type of damage that in the past would have required targeted departments to completely rebuild their networks. Footnote 34 Officials also stated that in the early 2010s, CSE observed thousands of incidents per year, which included a number of cases of data exfiltration from Government of Canada networks. They added, "Now, if we see *** a year, it's a bad year, because we are able to intervene very quickly." Footnote 35 The evolution and deployment of sensors is described later in this review.
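The following is an added illustration of the indicator-driven workflow that paragraphs 39 and 40 describe: a newly identified threat is turned into an indicator of compromise, pushed into a sensor, and matched against traffic so that a mitigation action fires automatically. It is not CSE or CCCS code and says nothing about how their sensors actually work; the log format, the indicator categories and every domain, address and hash in it are constructed sample values for the example.

```python
"""Indicator-driven sensor with automatic mitigation (added illustration).

Constructed example; not CSE/CCCS code.  Log format, indicator categories
and all sample values (domains, IPs, hashes) are invented for the example.
"""
import re
from dataclasses import dataclass, field

# Constructed log format: "<timestamp> <source ip> -> <destination> <file hash or ->"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+)$")


@dataclass
class IndicatorSet:
    """Indicators of compromise the sensor matches on, updatable at run time."""
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    hashes: set = field(default_factory=set)

    def add(self, kind: str, value: str) -> None:
        """Dynamic update: a newly identified threat becomes a live indicator."""
        getattr(self, kind).add(value.lower())


@dataclass(frozen=True)
class Alert:
    time: str
    src: str
    kind: str        # which indicator category matched
    indicator: str   # the indicator value that matched
    action: str      # mitigation the sensor triggers automatically


def match_indicators(dst: str, file_hash: str, iocs: IndicatorSet):
    """Yield (kind, indicator, action) for every indicator the record matches."""
    dst = dst.lower()
    if dst in iocs.ips:
        yield "ips", dst, "block"
    # A domain indicator also covers any subdomain of it.
    for dom in iocs.domains:
        if dst == dom or dst.endswith("." + dom):
            yield "domains", dom, "block"
    if file_hash != "-" and file_hash.lower() in iocs.hashes:
        yield "hashes", file_hash.lower(), "quarantine"


def scan(lines, iocs: IndicatorSet):
    """Run every log record past the current indicator set; return the alerts."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record; a production sensor would count these
        time, src, dst, file_hash = m.groups()
        for kind, indicator, action in match_indicators(dst, file_hash, iocs):
            alerts.append(Alert(time, src, kind, indicator, action))
    return alerts


def mitigate(alerts):
    """Derive the automatic mitigations: destinations to block, hosts to isolate."""
    blocked = {a.indicator for a in alerts if a.action == "block"}
    isolate = {a.src for a in alerts if a.action == "quarantine"}
    return blocked, isolate


# Constructed sample log (hashes shortened for the example).
LOG = [
    "2020-03-01T09:00:01 10.0.0.5 -> updates.example-vendor.test -",
    "2020-03-01T09:00:07 10.0.0.5 -> 203.0.113.20 -",
    "2020-03-01T09:00:09 10.0.0.7 -> cdn.evil-c2.example.test -",
    "2020-03-01T09:00:15 10.0.0.9 -> files.example-vendor.test 3f1a9c0e7b2d4e5a",
    "this line is not a valid record",
]

if __name__ == "__main__":
    iocs = IndicatorSet(domains={"evil-c2.example.test"}, hashes={"3f1a9c0e7b2d4e5a"})
    print("initial pass:", scan(LOG, iocs))
    iocs.add("ips", "203.0.113.20")          # newly identified threat pushed in
    alerts = scan(LOG, iocs)
    print("after update:", alerts)
    print("mitigations:", mitigate(alerts))
```

The first pass matches only the domain and hash indicators; adding the IP indicator makes the same traffic produce a third alert on the next pass, which is the point of the report's "newly identified threats are updated into the system" step. Matching exact strings is deliberately simple: the value of such a sensor comes from how quickly the indicator set is refreshed, not from the matching logic.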
Evidence of Compromise
41. There are a number of malicious activities that indicate that a network has been compromised. *** These include beaconing, remote exploitation, malware artifacts, malware download, phishing, browser-based exploitation, data exfiltration, remote access, and denial of service. Each is described below. Footnote 36
42. Beaconing is a method of communication between a compromised target network and the attacker's computer. A threat actor deploys a beacon through numerous means, including remote exploitation, phishing or browser-based exploitation. The purpose of the beacon is to alert the threat actor that the attack was successful and that the tool the actor implanted was able to circumvent network defences (e.g., a firewall). In turn, that allows the threat actor to create other communication channels (usually hidden and encrypted) to introduce additional, more advanced tools (for example, to further exploit the network or to steal information). Footnote 37 [*** One sentence was deleted to remove injurious or privileged information. The sentence described CSE's assessment. ***]. Footnote 38
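As an added illustration of how a defender can spot the beaconing described in paragraph 42, the following script looks for the tell-tale regularity of a beacon in outbound connection logs: a compromised host checking in with the attacker's server at a fixed interval. This is not CSE code and does not describe any CSE sensor; the log format, the hosts and the thresholds are assumptions made for the example.

```python
"""Beacon detection by inter-connection regularity (added illustration).

Constructed example, not CSE code.  A beacon checks in at a fixed interval,
so the gaps between a host's connections to one destination are unusually
uniform; legitimate traffic tends to be bursty.  Log format and hosts are
invented for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def parse(line):
    """Constructed log format: '<ISO timestamp> <source ip> <destination>'."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_connections=6, max_jitter=0.15):
    """Return {(src, dst): mean interval in seconds} for regularly spaced pairs.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive connections; max_jitter is the threshold.
    Pairs with fewer than min_connections connections are not scored.
    """
    times = defaultdict(list)
    for line in lines:
        ts, src, dst = parse(line)
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_connections:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        if pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg, 1)
    return beacons


# Constructed sample log: one host beaconing every ~5 minutes, one host with
# ordinary bursty traffic, and one pair with too few connections to score.
LOG = [
    "2020-03-01T09:00:00 10.0.0.7 198.51.100.9",
    "2020-03-01T09:05:02 10.0.0.7 198.51.100.9",
    "2020-03-01T09:09:58 10.0.0.7 198.51.100.9",
    "2020-03-01T09:15:01 10.0.0.7 198.51.100.9",
    "2020-03-01T09:20:00 10.0.0.7 198.51.100.9",
    "2020-03-01T09:24:59 10.0.0.7 198.51.100.9",
    "2020-03-01T09:30:03 10.0.0.7 198.51.100.9",
    "2020-03-01T09:35:00 10.0.0.7 198.51.100.9",
    "2020-03-01T09:00:10 10.0.0.5 updates.example-vendor.test",
    "2020-03-01T09:00:45 10.0.0.5 updates.example-vendor.test",
    "2020-03-01T09:03:10 10.0.0.5 updates.example-vendor.test",
    "2020-03-01T09:11:00 10.0.0.5 updates.example-vendor.test",
    "2020-03-01T09:11:20 10.0.0.5 updates.example-vendor.test",
    "2020-03-01T09:25:00 10.0.0.5 updates.example-vendor.test",
    "2020-03-01T09:26:40 10.0.0.5 updates.example-vendor.test",
    "2020-03-01T09:02:00 10.0.0.9 mail.example.test",
    "2020-03-01T09:07:00 10.0.0.9 mail.example.test",
    "2020-03-01T09:12:00 10.0.0.9 mail.example.test",
]

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(LOG).items():
        print(f"possible beacon: {src} -> {dst} every {interval}s")
```

Only the 10.0.0.7 pair is reported, with a mean interval of 300 seconds. In practice the thresholds need tuning, legitimate periodic traffic (software update checks, monitoring agents) must be allow-listed, and a beacon that randomizes its interval will need a looser jitter threshold or a longer observation window; the regularity test is a starting point, not a complete detector.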
43. Remote exploitation is the process where a threat actor sends a set of commands from a remote network to a target device to gain access to that device or to the information it holds. Footnote 39 In general, remote exploitations take advantage of vulnerabilities or weaknesses in software, hardware or the configuration of a computer or network device. Essentially, a remote exploit is the way the criminal picks the lock. Footnote 40 [*** One sentence was deleted to remove injurious or privileged information. The sentence described CSE's assessment. ***]. Footnote 41
44. Remote access refers to unauthorized remote connections to a victim host by a threat actor without the use of an exploit (e.g., by using a valid username and password pair, often illegitimately obtained through data theft or the successful delivery of a phishing email). Footnote 42 Legitimate users interact with files, information and system resources when working remotely (e.g., telework). Footnote 43 By leveraging remote access to a target network, malicious cyber threat actors can mimic all of the interactions and activities of a legitimate user. [*** Two sentences were deleted to remove injurious or privileged information. The sentences described CSE's assessment. ***]. Footnote 44
Malware artifacts and downloads
45. Malware refers to a wide range of malicious software designed to infiltrate or damage a computer system, without the owner's consent. Footnote 45 A malware tool can be deployed via multiple means (e.g., remote exploitation, phishing or browser-based exploitation). Malicious software (code) is "written for the specific purpose of causing harm, disclosing information or otherwise violating the security or stability of a system." Footnote 46 Malware artifacts are detectable traces of malware on a victim's device. Footnote 47 Malware downloads refers to instances in which malware was downloaded onto a *** device. Footnote 48 [*** One sentence was deleted to remove injurious or privileged information. The sentence described CSE's assessment. ***] (see Figure 1). Footnote 49
Figure 1: [*** This figure was deleted to remove injurious or privileged information. The figure depicted data collected by CSE. ***]
Source: CSE, Year Review Cyber Defence Report, 2016; CSE, Year Review Cyber Defence Report, 2017; CCCS, Cyber Defence Report: Government of Canada IT Compromises and Vulnerabilities, 2018 Annual, 2019; and CCCS, Operational Threat Report: 2019 Annual Threat Landscape, 2020.
46. Phishing involves state-sponsored threat actors and cybercriminals soliciting confidential information from specific targets to trick them into disclosing personal data or credentials. Footnote 50 Phishing activity can be conducted with official-looking emails (known as spear-phishing) that can vary in sophistication and often contain malicious links or files that, when opened, infect the recipient's computer with malware. A threat actor may use this malware to access a target's computer to steal information, or use the target's personal information (e.g., account credentials, credit card information) to access banking information or perform identity theft. Footnote 51
47. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described CSE's assessment. ***]. Footnote 52
48. Web browsers and associated applications contain flaws and vulnerabilities that malicious cyber actors use to gain control of a target computer when it connects to an infected website. These actors then proceed to steal user credentials, deliver ransomware, execute malware, steal information or obtain permissions on a network to access other devices. Footnote 53 [*** Two sentences were deleted to remove injurious or privileged information. The sentences described a CSE capability and assessment. ***]. Footnote 54 Footnote 55 Footnote 56
49. Data exfiltration is the unauthorized removal (theft) of information from a target network once a threat actor has gained access through means such as remote exploitation. Footnote 57 [*** Two sentences were deleted to remove injurious or privileged information. The sentences described CSE's assessment. ***]. Footnote 58 Footnote 59
Denial of service
50. Denial of service is a technique used to prevent legitimate users from accessing a network-connected service by sending illegitimate requests to overload a network's resources. Footnote 60 [*** Two sentences were deleted to remove injurious or privileged information. The sentences described CSE's assessment. ***]. Footnote 61
Nation-state advanced persistent threats
51. CSE tracks the cyber activities of a number of state actors. China and Russia represent the most sophisticated cyber threat actors targeting the government. Footnote 62 Iran, North Korea and *** have moderately sophisticated capabilities and *** pose less-sophisticated threats. Advanced persistent threat actors can be part of the formal apparatus of a state (e.g., a military unit, intelligence or security agency), or a non-state entity directed and supported (e.g., financially) by a state. The former are known as state actors and the latter are known as state-sponsored actors. Footnote 63 For simplicity, the Committee uses the name of the involved state when discussing both state actors and state-sponsored actors (e.g., "China"). The evolution of these advanced persistent threats from 2015 to 2020 is discussed below. (Note: CSE classifies a threat as 'high, moderate or low' based on its knowledge of the technological sophistication of the threat actor and its assessment of the probability that specific threat actors will target Canada.)
52. China is a highly sophisticated cyber threat actor. Its primary strategic objectives are maintaining internal stability and developing as a global power. It has three priorities:
- collection of intelligence to inform the government's foreign, trade and security policies;
- collection of research and academic information for strategic technologies that could benefit China's economy or military; and
- collection of ***. Footnote 64
CSE assessed that "the scope and tenacity of [Chinese] activity in pursuit of Canadian intellectual property, proprietary information, and government positions and policies cannot be overstated." It noted that China's cyber activity was "aggressive and vast" and "more audacious" than previously witnessed.[*** One sentence was deleted to remove injurious or privileged information. The sentence described CSE's assessment of China's capabilities. ***]. Footnote 65
53. *** China continued to be *** a prolific threat actor targeting the government. Consistent with its intelligence priorities, China targeted multiple government sectors, including security, intelligence and defence (***); international affairs, trade and development (***); industry and business development (***); government administration (***); transportation (***); and natural resources, energy and environment (***). Footnote 66 Since the start of the COVID-19 pandemic, China has targeted research networks in the United States, United Kingdom and Canada. ***. Footnote 67
54. China uses a range of techniques to target government systems and networks. [*** Four sentences were deleted to remove injurious or privileged information. The sentences described CSE's assessment of China's capabilities. ***]. Footnote 68 Footnote 69 Footnote 70 In short, it has adapted its techniques to respond to the particular defensive posture of its targets.
55. *** CSE observed a wide range of Chinese malicious cyber activity and the layering of techniques. [*** Three sentences were deleted to remove injurious or privileged information. The sentences described CSE's assessment of China's capabilities. ***]. Footnote 71 In sum, China continues to be a highly sophisticated and active cyber threat. Footnote 72
56. Russia is a highly sophisticated cyber threat actor. Russia engages in malicious cyber threat activity, including *** cyber espionage and foreign interference, to support a wide range of strategic intelligence priorities. These include:
- foreign and military intelligence collection against diplomatic, economic and military targets, including private sector entities and academic institutions;
- reconnaissance of critical infrastructure industrial control systems and telecommunications providers; and
- identification of divisive events and trends in rival states to conduct influence campaigns and undermine liberal democratic norms and values. Footnote 73
Russia also employs a number of non-state actors, including cybercriminals, private companies and so-called troll farms to conduct cyber threat activities on its behalf. [*** One sentence was deleted to remove injurious or privileged information. The sentence described CSE's assessment of Russian priorities. ***]. Footnote 74
57. *** Russia was among the most prolific state-sponsored threat actors targeting the government. Consistent with Russia's strategic intelligence priorities, its cyber threat activity has been directed at a number of sectors, including consistent targeting of: international affairs, trade and development (***); security, intelligence and defence (***); and natural resources, energy and environment (***). Footnote 75 In 2020, Russia targeted the Canadian health sector to steal intellectual property related to COVID-19 vaccine development and pharmaceutical research. [*** One sentence was deleted to remove injurious or privileged information. The sentence described CSE's assessment. ***]. Footnote 76
58. [*** This paragraph was revised to remove injurious or privileged information. The paragraph described CSE's assessment of Russia's capabilities, and noted that Russia employs a wide range of tactics in its targeting of government systems and networks and that Russia remains a highly sophisticated and active cyber threat to government networks.***]. Footnote 77 Footnote 78 Footnote 79 Footnote 80 Footnote 81 Footnote 82
59. Iran poses a moderate cyber threat. [*** This paragraph was revised to remove injurious or privileged information. The paragraph described CSE's assessment of Iran's capabilities, and noted four sectors where Iran focused its cyber activities. ***]. Footnote 83 Footnote 84 Footnote 85 Footnote 86
60. North Korea poses a moderate cyber threat. North Korea acts similarly to cybercriminals, stealing cryptocurrencies and fiat currencies to fund the government and its officials. [*** Two sentences were deleted to remove injurious or privileged information. The sentences described CSE's assessment. ***]. Footnote 87 Footnote 88
61. [*** This paragraph was deleted to remove injurious or privileged information. The paragraph described CSE's assessment of a state that poses a moderate cyber threat. ***]. Footnote 89 Footnote 90 Footnote 91
Government networks and cyber crime
65. The government is increasingly aware of the threat posed to its systems by cyber crime. Cyber crime is one of the most prevalent cyber activities affecting government networks, systems and users, as it is a low-risk, high-reward activity. Availability and access to new technologies have significantly lowered the cyber crime entry barrier, making it easier for amateur cybercriminals to launch sophisticated and hard-to-detect attacks.
66. CSE examined cyber crime activity targeting the government for the first time in a classified format in its 2019 Annual Threat Report. It assessed that the government is an attractive target for cybercriminals for a number of reasons. First, government networks are home to numerous databases containing valuable information on a wide range of subjects, such as financial information, intellectual property and personal information. Second, the sheer size of government systems and networks means that opportunistic cyber actors that cast a wide net across the Internet are bound to target the government. Third, governments at all levels may be an attractive target for extortion, particularly via ransomware, owing to large departmental budgets and obligations to citizens that may force a government to pay a ransom in some cases. Footnote 98 [*** The rest of this paragraph was revised to remove injurious or privileged information. The paragraph described CSE's assessment of the extent of ransomware attacks as a proportion of all cyber crime targeting government networks. While relatively low, CSE noted that even a single successful ransomware compromise could be devastating for an individual department. It identified one recent attack against a government department, which was contained, and another against a Canadian Crown corporation, which caused considerable harm. The paragraph notes that the government is currently considering a policy on ransomware payments. ***] Footnote 99 Footnote 100 Footnote 101
67. Government of Canada networks are a vital part of Canada's critical infrastructure. The government uses them to collect and hold information and to provide services that are of fundamental importance to Canadians and Canadian businesses. The information they hold is also of significant value to Canada's adversaries, including state-sponsored cyber threat actors and cybercriminals. In this digital age, nearly everything the government holds or does is potentially a target for malicious cyber activity, from a wide range of data on Canadians and businesses to the electronic processes that underpin the many services and benefits on which Canadians depend. The following sections describe government efforts to strengthen its cyber defences and reduce Canada's vulnerabilities.