Soon after Huawei CFO Meng Wanzhou was arrested in Vancouver, there was a spike in sophisticated cyber attacks attributed to Huawei devices in Canada, according to a newly uncovered 2019 government report.
The report, aimed at outlining the most dangerous and actionable cyber-risks to Canadians, was commissioned by Public Safety Canada from Clairvoyance Cyber Corp. It was shared with The Tyee, Global News and the Toronto Star by the Institute for Investigative Journalism at Concordia, which acquired it via a freedom of information request.
If true, the allegation bolsters opposition to including Huawei in government contracts, including for Canada’s next generation of network technology — 5G, which will enable faster speeds and connectivity for new kinds of devices.
The refusal of the Trudeau government to rule out Huawei, arguably a Chinese state-owned entity, for critical infrastructure contracts is surprising to many security experts and puts Canada at odds with all of its fellow Five Eyes intelligence sharing alliance members.
The report summarizes how China is alleged to be involved in “systematic computer network exploitation” and “espionage” of technology in the Canadian public and private sector.
Such spying and taking advantage of technology weaknesses has contributed to the “erosion” of Canada’s domestic network technology industry, forcing it to consider external suppliers like Huawei more often in technology “supply lines” for things like cell phone networks, the report notes.
“Soon after Huawei CFO Meng Wanzhou was arrested in Canada,” the report observes, “increased [Advanced Persistent Threat] activity was seen involving Huawei devices within... Canadian critical infrastructure and business.”
The APT activity the report links to Meng’s arrest involves sophisticated, likely state-sponsored hacks that enable actors to gain control of or access to systems, such as private, corporate and government email servers. These kinds of threats, the report says, can persist undetected for long periods of time.
The report does not elaborate on what kinds of “devices” were associated with increased activity. The term “critical infrastructure,” however, is more closely associated with equipment used in computer and telecommunication networks than with consumer cell phones, though the company manufactures both.
The author of the report, David McMahon, is a computer engineer who has held top roles in the military, intelligence, security and privacy industries.
McMahon told The Tyee via email that security concerns prevented him from going into detail about how increases in APT activity — difficult to detect by definition — were measured for the finding.
However, the trend is documented in the cyber security industry, says McMahon, who pointed to a 2010 report authored by Citizen Lab founder Ron Deibert detailing hacks that wrangled private documents from targets like the Indian government and the Dalai Lama.
The Tyee asked Public Safety Canada, who commissioned the report, to confirm the spike in hacking activity alongside other key details, but did not receive a response by press time.
The spike is part of a trend of threats dating back years, or even decades, according to the report.
“Nortel was a wake-up call,” McMahon elaborated via email, referring to a 2004 hack of the Canadian telecommunications giant that is thought to have contributed to its eventual insolvency. (Nortel was, at the time, laying the groundwork for the development of the next generations of wireless networks, which would later come to be known as 4G and 5G; hackers stole reams of documents about the technology and sent them to China.)
McMahon also cited research showing China once even successfully diverted a large portion of Canada’s internet traffic, routing it through its own country to “facilitate espionage and targeting.” China did so by strong-arming network interchanges, which typically rely on collaboration among nations to deliver traffic along the shortest route, says the research.
Christopher Parsons, a security expert reached by The Tyee who also conducts research at Citizen Lab, points to a paper he recently authored which recommends Canada conduct tests in IT supply lines to detect and mitigate vulnerabilities that may have been injected into critical hardware and software.
In other words, the threat is real. But some of the recommendations included in McMahon’s report to Public Safety Canada may give privacy experts pause.
One recommendation suggested that Canada sponsor an “empirical study of cyber crime” through “direct network monitoring at scale.”
Right now, McMahon says, government security analysts rely on monitoring reports they receive from security companies and platform providers.
“We mean that a statistically valid data set of cyber crime is required,” McMahon told The Tyee when asked to explain what the report meant by “direct network monitoring.”
Industry has shown it can gather cyber threat intelligence at a large scale without impacting privacy, McMahon insists.
Other monitoring tools, however, like the web surveillance tools the RCMP used for Project Wide Awake, have proved to be divisive and controversial, drawing calls of overreach.
McMahon’s report also includes an ambiguously worded recommendation that could be interpreted as a call to require technology companies to include “back doors,” which give government special keys to defeat privacy controls in technology.
“Law enforcement will need to abandon trying to regulate encryption or force industry to build back door vulnerabilities into commercial systems,” the recommendation reads.
Asked to clarify his position, McMahon told The Tyee that he now believes that governments should neither regulate encryption, which enables private communication online, nor force companies to create back doors. Instead, companies should assess their risks and make decisions for themselves, McMahon wrote.
If Canada did mandate back door vulnerabilities into encryption schemes in order to facilitate network monitoring, these vulnerabilities would be exploited by nefarious actors, said Parsons.
The strategy has been called for by representatives of Five Eyes members including Canada, but is widely opposed by civil society and prominent tech companies. Although his report appeared to acknowledge the tactic, McMahon told The Tyee that it was unlikely to be approved in the near future.
How Public Safety Canada will interpret and respond to this, and other surprising recommendations in the report, remains to be seen.
Clairvoyance Cyber Corp. prepared the report after receiving a sole-source contract from Public Safety Canada worth $24,400, which is $600 below the threshold where such contracts require publicly bid solicitation, internal procurement documents obtained with the report show.
With files from Jared Dodds and Michael Wrobel, Concordia University’s Institute for Investigative Journalism.