Questions Surrounding NSIRA’s ‘Cyber Incident’


On April 16, 2021 the National Security Intelligence Review Agency (NSIRA) published a statement on their website that declared they had experienced a ‘cyber incident’ that involved an unauthorized party accessing the Agency’s external network. This network was not used for Secret or Top Secret information. 

NSIRA is responsible for conducting national security reviews of Canadian federal agencies, inclusive of “the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security and intelligence activities of all other federal departments and agencies.” The expanded list of departments and agencies includes the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND), Global Affairs Canada (GAC), and the Department of Justice (DoJ). As a result of their expansive mandate, the Agency has access to broad swathes of information about the activities which are undertaken by Canada’s national security and intelligence community. 

Despite the potential significance of this breach, little has been publicly written about the possible implications of the unauthorized access. This post acts as an early round of analysis of the potential significance of the access by, first, outlining the kinds of information which may have been accessed by the unauthorized party and, then, raising a series of questions that remain unanswered in NSIRA’s statement. The answers to these questions may dictate the actual seriousness and severity of the cyber-incident.

What is Protected Information?

NSIRA’s unclassified information includes Protected information. Information is classified as Protected when, if compromised, it “could reasonably be expected to cause injury to a non-national interest—that is, an individual interest such as a person or an organization.” There are three classes of Protected information, applied according to the sensitivity of the information. Protected A could, if compromised, “cause injury to an individual, organization or government,” whereas compromising Protected B information could “cause serious injury.” Compromising Protected C information could “cause extremely grave injury.” Protected C information is safeguarded in the same manner as Confidential or Secret material which, respectively, could cause injury or serious injury to “the national interest, defence and maintenance of the social, political, and economic wellbeing of Canada” if compromised.

Intrusion into protected networks brings with it potentially significant concerns based on the information which may be obtained. Per Veterans Affairs, employee information associated with Protected A information could include ‘tombstone’ information such as name, home address, telephone numbers or date of birth, personal record identifiers, language test results, or views which if made public would cause embarrassment to the individual or organization. Protected B could include medical records (e.g., physical, psychiatric, or psychological descriptions), performance reviews, tax returns, an individual’s financial information, character assessments, or other files or information that are composed of a significant amount of personal information. 

More broadly, Protected A information can include third-party business information that has been provided in confidence, contracts, or tenders. Protected B information in excess of staff information might include that which, if disclosed, could cause a loss of competitive advantage to a Canadian company or could impede the development of government policies such as by revealing Treasury Board submissions. 

In short, information classified as Protected could be manipulated for a number of ends depending on the specifics of what information is in a computer network. Theoretically, and assuming that an expansive amount of protected information were present, the information might be used by third-parties to attempt to recruit or target government staff or could give insights into activities that NSIRA was interested in reviewing, or is actively reviewing. Further, were NSIRA either reviewing non-classified government policies or preparing such policies for the Treasury Board, the revelation of such information might advantage unauthorized parties by enabling them to predict or respond to those policies in advance of their being put in place.

Questions For NSIRA

NSIRA’s public statement is incredibly terse given the sheer breadth of information which may have been compromised. The absence of details in the Agency’s statement leads to a number of questions which, in aggregate, raise national security-related concerns. 

First, NSIRA has stated that the unauthorized access “was discovered” but it doesn’t identify which organization detected the activity. It is unclear whether a Canadian agency detected the activity or if, instead, NSIRA was tipped off by a private vendor or a foreign agency of a presumably allied government. 

Second, and linked to the first, it is unclear just which agencies were (or are) involved in assisting NSIRA. If this were exclusively a digital intrusion from a remote source, the Canadian Centre for Cyber Security, the Communications Security Establishment writ large, and/or the Canadian Security Intelligence Service might be involved. The Royal Canadian Mounted Police (RCMP) might also be involved in assessing the national security risks linked with the cyber intrusion, as well as potentially assessing whether to bring charges against individuals who assisted or facilitated the unauthorized access. While the statement indicates that the issue was addressed, it is unclear if this is merely a reference to the technical breach or whether the entirety of the investigation has concluded.

Third, the statement makes clear that the Privacy Commissioner and Treasury Board are involved in the investigation. This suggests that NSIRA is either unsure of the potential privacy ramifications of affected persons but does realize there are implications and requires advice due to their gravity or, alternately, that harm has occurred and assistance is needed to gauge the relative damage and appropriate ranges of responses.

Fourth, the statement does not indicate when the unauthorized access began, how long the intruders potentially lingered in networks, or the intent of the operations that were being conducted against the Agency. Was this an activity that began at the birth of NSIRA or is it a much more recent intrusion? Does NSIRA or other federal agencies know how long the unauthorized party was in their networks, whether information was exfiltrated, or if the unauthorized party was either trying to burrow deeper into NSIRA’s networks or into other Government of Canada networks? Was the totality of NSIRA’s external protected network compromised or only segments of it? More broadly, what was the intent guiding the actors responsible for the incident?

Fifth, it’s not clear what provoked the incident. Was this the result of work from home policies, or the failure to abide by them, or did it involve a third party compromising NSIRA’s networks either in the pre-Covid era or while NSIRA staff have been working at reduced in-office capacity? Did the intrusion leverage vulnerabilities in endpoint devices, a managed service provider, or some other attack surface? The answer may have implications for the security of work from home policies (with lessons for other agencies that also have employees working from home), for the security of in-office policies and procedures, and for the broader security of government services and infrastructures.

Sixth, to what extent has this affected NSIRA’s ability to conduct its operations? While the statement asserts that “NSIRA was able to address this issue quickly and resume normal business operations,” it is not apparent whether this breach has affected how the Agency is able to interact with, and receive information from, the agencies that it reviews. Further, even if work has resumed, did the incident cause delays or impede some of NSIRA’s activities during the investigation, or has it hindered trust to the point that it is more onerous to access certain material from hesitant parties which are under review?

Implications

While it is perhaps to be expected that NSIRA would be guarded about the implications of the incident that struck them, the result is that it is challenging to assess the implications of what has occurred. Is the breach minor in nature, or is it particularly damaging, or does it accentuate the risks posed to the Agency’s staff? Was either targeted or bulk information exfiltrated, or was this incident caught quite early? Is this a remotely targeted effort or did it potentially involve localized actors? Was this a failing of a work from home policy, or did it either predate those policies or involve targeting in-office equipment or government infrastructure and contracted services more directly? 

For NSIRA, the broader question is to what extent this incident has affected its ability to build trust and relationships with the agencies that it reviews. Trust building can already be challenging for relatively young agencies, and incidents like this may not promote faith or trust between NSIRA and the agencies it is tasked with reviewing. 

What might be done moving forward? Ideally, NSIRA itself would present further information about the incident that would answer at least some of the aforementioned questions as information becomes available. Alternately, another government agency such as the Office of the Privacy Commissioner of Canada or Treasury Board might provide information.1 

The outcome of at least one of these reports would be to maintain trust in NSIRA’s capabilities, provide relevant lessons, and help to clarify the actual significance of the cyber-incident which has affected NSIRA. Doing so would also, importantly, bolster NSIRA’s efforts to present itself as a relatively transparent government agency and consequently build trust and faith with the public, who rely on NSIRA’s activities to confirm the lawfulness of the actions undertaken by members of Canada’s national security and intelligence community. 

While it is never pleasant to undertake a review and have the results made public, doing so would demonstrate NSIRA’s commitment to transparency and accountability while at the same time showing the agencies they review that no member of Canada’s national security and intelligence community is beyond public accountability. 

Footnotes

  1. It is questionable whether this audit could be performed by the National Security and Intelligence Committee of Parliamentarians (NSICOP). The National Security and Intelligence Committee of Parliamentarians Act explicitly excludes review agencies as departments that fall under section 8(1)(b) of the Act, and it is debatable whether section 8(1)(a) (authorizing the committee to review “the legislative, regulatory, policy, administrative and financial framework for national security and intelligence”) captures the activities of NSIRA. It is possible that 8(1)(c), where a minister of the Crown can refer a matter to the NSICOP, could pertain, but this would not authorize the Committee to act on its own prerogative.