China's state-sponsored cyberattack on the National Research Council's computer infrastructure cost Ottawa hundreds of millions of dollars, according to federal documents that shed light on fallout from the 2014 breach.
In a PowerPoint presentation obtained by The Globe and Mail, Ottawa officials highlighted this estimate last year as a cautionary tale about the cost of compromised computer systems. The presentation, released in response to an Access to Information request, gives a dollars-and-cents dimension to a 2014 data breach known mostly for its diplomatic fallout.
The Canadian government's "research, data, and intellectual property are of significant interest to foreign states," read the presentation circulated within a federal department last year. "Canada's National Research Council was a victim of Chinese computer network exploitation activities (CNE). Damage was in the 100s of millions of dollars."
Last week, China's new ambassador to Ottawa called for Canada to open up its economy to Chinese investment as he broadly denied his country has set up an elaborate electronic-intelligence apparatus to steal secrets from other governments.
"China never carries out any cyberespionage activities to other countries," Lu Shaye told The Globe.
An excerpt from the government PowerPoint presentation. Read the full document below.
The "100s of millions of dollars" estimate about the extent of the damage done by the hacking of the National Research Council came from another federal agency. Natural Resources Canada (NRCan) cybersecurity officials cited this range in a presentation they gave in September as they briefed their deputy minister about their efforts to inoculate their networks against future attacks.
"The number is an estimate of the potential cost of a total IT [information technology] compromise involving multiple departments," Tania Pereira, a spokeswoman for the resources department, said in an e-mailed response to questions from The Globe. She said the range took into account several factors, including the "lost productivity that would follow such a compromise."
She did not explain why she was using the conditional tense or how several departments would have been involved in the breach, given that officials in her department stated six months earlier that damage resulting from hacking of the National Research Council "was in the 100s of millions of dollars." The research body would not say whether that range accords with what it actually spent. "We suggest that you contact NRCan for clarity on the source of this information," spokeswoman Gabrielle Giasson said.
As a federal body, the National Research Council finances research that aims to ensure Canadians' future prosperity. Its employees keep an eye out for emerging technologies and for ways to nurture ideas and innovation. Decades ago, its plant scientists helped create canola – an engineered cash crop that is now a multibillion-dollar annual export to China and other countries.
Federal officials have never said what intellectual property hackers sought or took from the research council in 2014.
The first year of fixes to its network were initially pegged at around $30-million, according to a published report.
The hundreds of millions of dollars range is very high, even compared with estimates of concurrent, high-profile hacks against multinational corporations. "It would strike me as a large amount," said Marcus Troiano, a Toronto-based cybersecurity consultant at Mandiant Corp., who added such breaches typically cost millions – not hundreds of millions.
In 2015, Fortune Magazine estimated the cost of fixing damages caused by high-profile hacks then in the news. Sony's was said to have cost about $35-million (U.S.) and Home Depot's $43-million. Corporate insurance policies and tax writeoffs, however, helped significantly reduce these bills.
Government officials generally keep quiet about the scope and nature of specific data breaches, and states almost never call out other states for alleged cyberespionage. This changed for Canada in 2014, when the former Conservative government publicly announced the National Research Council had been severely compromised by state-sponsored Chinese hackers.
China has built vast networks of hackers, including People's Liberation Army officers, in an attempt to secure economic advantage in coming decades. The National Research Council would be an obvious target for such spying, given its interest in long-term research that may pay dividends in the future.
Previously released records show that in the aftermath of the breach, the Canadian research agency worked with several departments to rip apart its information-technology infrastructure, jettisoning scores of computer servers, replacing hundreds of laptops. It also circulated advisories to 20,000 academic and corporate partners warning their secrets were in danger of becoming collateral damage. And because electronic communications were no longer viewed as secure, the partners were urged to communicate by paper, fax and delivering data on thumb drives via mail or couriers.
Since the Conservatives accused China of hacking in 2014, Ottawa officials have never publicly accused another country of cyberespionage against a government department. And the Liberal government has struck a different tone, suggesting Ottawa would like to negotiate a cybertruce with Beijing, given that the United States and Britain have struck such deals.
A Canadian intelligence agency reported last fall that hackers of unspecified origins have lately been trying to hit government's "natural-resources, energy and environment" sectors almost as much as all other federal departments combined. This means departments such as Natural Resources Canada, which helps shape policy for oil, gas, forestry and mining, are currently in somebody's crosshairs.
Natural Resources Canada's PowerPoint presentation from last fall said something similar: "NRCan has recently been the victim of smaller-scale compromises."