OTTAWA — The federal government knew it had been the target of a cyber attack last year but stayed silent for several days as it developed a comprehensive communications plan, internal documents show.
The documents, including a “Communications Approach” dated July 25, 2014, show the National Research Council was aware it had been hacked at least days before telling employees and client companies that their information was vulnerable.
The attack was eventually revealed by news organizations on July 28 and later confirmed by federal officials, who said the research agency was targeted by a “highly sophisticated Chinese state-sponsored actor.”
After the hack hit headlines, NRC management warned employees away from sharing sensitive information over email, using removable storage devices like USBs, and connecting to the agency’s network at home.
On July 29 at 10 a.m., the agency’s senior management started calling businesses that partner with the NRC to assure them the agency was doing everything they could to protect their confidential information, according to the documents. That disclosure came six days after NRC management sent an email to the federal privacy watchdog’s office, asking about the agency’s obligation to share information about the cyberattack with employees and clients.
“One question we have is with respect to our obligation to inform employees and others potentially affected — though we are not yet certain that information has been accessed,” wrote NRC management.
The documents also show the NRC had been co-ordinating with some the highest levels of government to deal with the fallout of the hack, which was first revealed by CTV News on July 28.
The documents, among over 1,000 released to the Star through access to information law, outline roles and responsibilities in shaping the public messaging.
The cache of emails, briefing notes, and memos also detail “key messages” to fend off reporters’ questions, as well as “internal” messaging telling employees to ignore media queries.
“If you receive any questions on this situation, please refer to the statement on the NRC’s website,” the document reads.
Other emails reveal the Prime Minister’s Office and the Privy Council Office, the bureaucratic wing that supports the prime minister, were directly involved in crafting the messages that made it to the public.
The non-partisan PCO directed the research agency to remove a reference to banks and corporations in a statement about cybersecurity and the digital economy.
“Remove ‘including corporations and banks’ and replace it with a comma. This is something your Minister’s office requested, which the PMO agreed with,” wrote Christiane Fox from PCO. “They do not want to single out particular industries within the private sector. The rest (of the statement) is fine.”
A PCO spokesman said it is part of the department’s role to co-ordinate government communications.
“The National Research Council is part of the Industry Canada portfolio. PCO played a role in co-ordinating communications related to this cyber incident as it involved a number of departments and agencies,” spokesman Raymond Rivet said.
In an email to the Star, National Research Council spokesman Guillaume Bérubé said, “It is part of the role of the Privy Council Office (PCO) to co-ordinate government communications. PCO played a role in co-ordinating communications related to this cyber incident as it involved a number of departments and agencies.
“For security reasons, we cannot release the information requested. What we can tell you is that the National Research Council took decisive actions to contain and address this security breach.”
A PMO spokesman said he was not in a position to comment.
The documents also include speaking notes for Foreign Affairs Minister John Baird’s office, prepared by PCO, which were intended to be censored. Baird visited China the morning Ottawa accused Beijing of backing the hackers that attacked the NRC’s network.
The Chinese government has denied any involvement with the cyber attack.
The National Research Council confirmed the attack on July 29. The documents released to the Star include CTV Ottawa Bureau Chief Bob Fife’s initial request for confirmation, as well as subsequent requests from reporters (with names and detailed questions) at a number of news outlets, including the Star.
The NRC paid very close attention to those reports, as well as comments on social media related to the hack. At least one comment scooped up in the agency’s media monitoring dragnet appears to be from a private citizen claiming to be a former NRC employee.
Most of the documents — hundreds of pages — are simply “media buzz” reports regurgitating news reports and cataloguing interview requests. Most, if not all, of those requests were denied, citing “security” reasons.
Since the attack, the agency has been extremely quiet on the nature of the information that was accessed or at risk. But one internal document — calling other government departments, research and development clients, and industrial research companies “key stakeholders” — provides some clues.
“(There is) potential implication for commercially sensitive data, (intellectual property), client and employee personal information, (and) data pertaining to controlled goods and (international traffic in arms regulations).”
The document goes on to state that media will be “redirected” to a prepared statement.
In August, the Star interviewed NRC President John McDougall in Whitehorse, Yukon. McDougall said the agency’s business clients were not scared off by the attack.
“We’ve been very open with our customers in terms of the fact that it happened,” McDougall said at the time. “With very, very few exceptions they have been quite pleased with the responses that we’ve been taking to try and make sure we’re safeguarding their information.”