A “secret network” launched by the Canadian federal government last year, costing millions of dollars to taxpayers, came under close scrutiny following a suspected hack. The network is based at the Federal Treasury Board, and was produced after hackers attacked department servers in 2011. In an interview with Global News, Citizen Lab Postdoctoral Fellow Christopher Parsons said that maintaining the integrity of a network is possible regardless of the number of employees, though it can be difficult.
The project has grown since this hack, with over five times the employees and further investments in its budget. Documents obtained by Global News following an alleged hack by Anonymous indicate that the department also required $1.05 million to purchase hardware and software last year. Initially, plans specified that 200 employees would have access to the network, though it is now estimated that nearly 1,800 full-time staff are employed there. Concerns have emerged that this increase in employees has left the server more vulnerable to hacking.
“The goal with these secured networks is to keep classified material in the classified space. If that firewall is maintained between classified and unclassified material, the number of people doesn’t immediately cause a problem,” Parsons said. However, introducing more individuals increases the chance a weak link will emerge. “It’s just the fact of the matter that the more people you have on any of these networks, the higher the chance someone accidentally moves a document where they weren’t supposed to, or intentionally moves a document somewhere they weren’t supposed to, or, in a worst case scenario, there’s an insider threat,” Parsons said.
Parsons went on to offer some possibilities as to how the documents revealing the servers’ information came out, saying that it was difficult to determine whether it was by leak or hack. Possibilities include someone accidentally sharing the file through a program, moving it from a classified to an unclassified network. He also suggested the possibility that malware had infected a particular employee’s computer. Finally, he explained that Anonymous’s claim that it compromised the Treasury Board’s servers could also be legitimate.
Parsons concluded that if this was the case, this leaves open the possibility that others could have access to this information as well. “Some of the government’s Crown Jewels lie in the Treasury Board’s networks. Having unauthorized parties within them would be a serious breach of not just cyber security, but national security … If one party is doing it, there’s no reason to think another party, like a foreign government, isn’t doing the same thing.”
In an article written by CBC reporter Dave Seglins for Canadian Journalists for Free Expression (CJFE), titled “The Case for Encryption,” Christopher Parsons explains the interest of security agencies in all sorts of user data. Though surveillance often pinpoints reporters covering issues such as foreign conflicts, terrorism, or military espionage, targets can be varied.
“Sports reporters might be less interesting to signals intelligence organizations but might still be very interesting to other sporting organizations, criminal betting organizations and so forth,” Parsons added.
Surveillance can often strike at the workplace, in particular for journalists. “Malware and spyware infect computers across Canada on a regular basis; what do you do when your work computer, holding audio or text files pursuant to a sensitive story, has been compromised?” asks Parsons. “Do you want to notify sources? Do you want to have an ‘air gapped’ computer, which is disconnected from the Internet, where you store source materials, and another computer or device for writing your stories?”
Speaking to SC Magazine, Christopher Parsons discussed recently revealed documents from Edward Snowden, which indicate that the NSA had partnered with some of the world’s leading telecommunications providers to collect user information. For many privacy experts and organizations, the documents simply confirmed suspicions that this was occurring.
AT&T and Verizon are known to publish transparency reports, though they are limited to smaller law enforcement efforts and do not include requests for larger national security issues. Parsons added that leaks of this sort damage the United States’ diplomatic credibility and cost it its citizens’ trust. “The government can’t argue for a free and open internet if it monitors foreigners and its own citizens,” he said, adding, “If you use the internet, and the data goes through the U.S., the government is spying on it.”
The Toronto Star reported that the hack of infidelity site Ashley Madison points to the larger issue that corporate data hacks often occur without the public’s knowledge. Given that companies suffer greater financial losses when the compromising of secure data is revealed, Canadians are often kept in the dark. Parliament passed the Digital Privacy Act in June, which requires companies to report when hacks occur, pending the establishment of regulations. Parsons said that the lack of breach notification laws up to now has meant that there is little information on the security of corporations in Canada.
The Act will introduce fines with a maximum of $100,000 for a failure to report. However, there have been concerns that the legislation is ineffective because the fine is too small, a view that Christopher Parsons echoed. “There’s the obligation to report, which is, of course, positive, but without any sort of punitive consequences you run into the question of how useful is the notification itself.”
He also explained that security is often treated as a “drag,” and that cybersecurity investments are frequently rejected by corporate executives. Security systems in corporate Canada are weak, and often outdone by hackers’ higher levels of technical sophistication. This lack of investment means that IT professionals have greater security concerns, and in turn say ‘no’ to new company ideas. Parsons concluded by observing that “If you’re a hacker, you have to succeed once; if you’re a defender, you have to succeed every single time.”
Christopher Parsons’s piece, “Stuck on the Agenda: Drawing lessons from the stagnation of ‘lawful access’ legislation in Canada,” is published in an edited book by Michael Geist, entitled “Law, Privacy and Surveillance in Canada in the Post-Snowden Era,” by the University of Ottawa Press.
In addition, along with Citizen Lab Research Fellow Andrew Hilts, Parsons also published an article describing the motivation, design, implementation, and impact of Access My Info (AMI), a tool which the two created to generate legal requests for Canadians to access the data that telecommunications service providers had collected about them. AMI’s release was part of a larger effort to encourage Canadian telecommunications service providers to be more transparent about the personal information that they disclose to state agencies and other third parties.