Upon discovering that it had been hacked by China, the Canadian government's scientific-research body did digital damage control on an enormous scale. Firing up its vintage fax machines, it jettisoned scores of computer servers, bought its staff hundreds of new laptops and drew up a list of about 20,000 corporate partners in Canada whose secrets risked being collateral damage.
Records newly released to The Globe and Mail reveal these and other details about the extensive fallout from this nightmare at the National Research Council. The hack of the NRC was highlighted in July 2014, when the then-Conservative government blamed China, making it the only cyber-espionage campaign that Canada has ever pinned on a specific state adversary.
While hacks of government departments occur relatively routinely, the NRC could be considered a more valuable target than most. For decades, it has been routing tax dollars to fund cutting-edge research in agriculture, engineering and computer science. Placing bets on Canadian companies helps the NRC work to ensure future prosperity, and its staff gets a glimpse of emerging technologies and proprietary business plans.
That's why the Canadian government was alarmed when federal officials announced two years ago that they had "detected and confirmed a cyber intrusion" within the NRC by "a highly sophisticated Chinese state-sponsored actor."
But while prime minister Stephen Harper's government took the unprecedented step of allowing officials to make the controversy public, it remains unknown how or when Chinese hackers first infiltrated the NRC's computer systems, or what drew them to it in the first place.
The records released to The Globe under the Access to Information Act show only the aftermath. Job No. 1 at the agency was to warn the "clients" – corporations, academics, entrepreneurs – via phone calls and mailed letters that they were at risk. "The NRC has been the target of a cyber intrusion. As a result the information held in our systems from your organization may have been compromised," one form letter reads.
One version of this letter in the NRC files was accompanied by a spreadsheet of more than 20,000 Canadian firms, most of them apparently engaged in government-sponsored research.
"As a precautionary measure, NRC informed all clients and research partners involved in business relationships and research activities of the cyber intrusion," spokesman Guillaume Bérubé said in reply to questions about this list.
Several of the companies that were contacted by The Globe said they felt that the fallout was minimal because they were careful, even before the hack, about sharing trade secrets with the agency. Their biggest gripe with the NRC was that correspondence and payments became frustratingly slow in 2014. "It wasn't back to the buggy, but it was pretty close," said one entrepreneur, who asked not to be named.
This was because staff at the scientific agency had been told not to use computers to communicate. E-mail "must not be used to transmit secure, sensitive or confidential information," one memo read. "The preferred way of transferring confidential information … is paper (fax, mail, courier)," another said.
Clients were to be told that "if you must share sensitive information with the NRC, the best practice is to do it via physical media" – meaning on paper or via USB sticks.
As the hack was announced publicly, one enterprising NRC employee wrote that he found a stash of safe digital devices. "I've dug up a box of brand new McAfee USB keys that we bought a few years ago," he told colleagues in an e-mail. Calling them "state of the art" for their encryption capability, he said they could serve as a "stopgap, at least until NRC gets in more for everyone."
Even the act of plugging a smartphone into an NRC computer was deemed risky. "Instead of using your computer to charge your phone, charge it through a wall outlet," one memo says.
The agency started to pull the plug on almost all of its existing computer architecture as it created the data equivalent of an airlock. The hope was to move electronic files from the NRC's legacy "black" environment to a blank slate of new machines dubbed the "green" environment.
The in-between step was the "grey zone," a locked-down "scrubbing" station that had no external network connectivity and banned unfamiliar digital devices and outsiders. "The process of scrubbing data to be taken out of the Grey Zone can take a long time. We have seen up to 40 minutes to scrub 1 GB [gigabyte] of data," one employee complained.
The NRC's initial hope was to have fully rebuilt systems within a year. Most are now in place, but the Canadian Press recently reported that some parts will not be ready until July 2018.
Early this summer, the NRC announced that it had embarked on a partnership with its scientific counterparts in a foreign country.
That country is China. This new joint venture with Guangdong province aims to better fund collaborative Canadian and Chinese research projects.
The NRC was asked by The Globe why it would want to do business with a country that allegedly stole from it just two years ago.
Mr. Bérubé said simply that "global collaboration is a competitive necessity to generate new business opportunities." The NRC spokesman added in his e-mailed reply that "the government of Canada is committed to deepening our trade relationships with established and emerging markets, including China."
Over the years, the NRC has engaged in several foreign partnerships, and has done business with China before.
But Peter Phillips, a University of Saskatchewan professor who specializes in agriculture and innovation, suggests that several motivations could be at play in the new partnership.
"There's an old adage that if you can't beat them, join them," he quipped.
He added that 2014 will be remembered as a painful year at the NRC. "Everything was down to hard copy, paper, and fax machines at best," he said. "And this is our largest research organization in the country."