Federal government looks to build ‘cyber perimeter’ over ‘hostile threats’ to national security
Ian MacLeod, Postmedia News Jun 23, 2012 – 4:13 PM ET
OTTAWA — Online spying and other cyber threats have pushed the government to invoke a national security exemption on trade obligations, effectively banning foreign IT companies from working on a new federal telephone system in Ottawa.
It’s the first in a series of planned contracting restrictions intended to erect a “cyber perimeter” around the multibillion-dollar overhaul of the government’s vast and aging email, telecommunications, networking and data centre infrastructure.
“These systems have been the target of hostile threats which causes grave concerns about the implications of cyber threats on Canada’s national security,” warns a Public Works letter recently circulated to the IT industry.
A “national security exception” is typically invoked for military procurements and overrides trading obligations under the North American Free Trade Act, the World Trade Organization and the federal-provincial Agreement on Internal Trade.
Now, it’s being enlisted for what might escalate into a cyber Cold War, most notably with China.
The range of available restrictions under the exception include limiting competition to Canadian companies, a preference for Canadian goods and services, withholding highly sensitive information about how some systems operate, contracting only to pre-selected firms and requiring winning bidders to hold SECRET-grade security clearances.
“The government of Canada’s email, data centre and telecommunication systems are inextricably linked to one another; they are the key tools used in the creation, transmission/communication and storage of the government’s information, and must be appropriately protected in order to create a secure ‘cyber perimeter,’” Public Works said in a written statement Friday.
In some cases, that perimeter could extend to contracts for janitorial services, landscapers, security guards and even snow plowing.
Foreign threats aren’t the only worry.
“The government is also concerned about potential compromises to security achieved through the supply chain itself,” it says.
Public Safety Minister Vic Toews was warned in a 2011 memo that cyber attacks pose a greater risk to Canada’s prosperity than the government previously believed.
The reference is to the potential for corrupt technology suppliers, “Manchurian microchips” and other Trojan hardware and gear to be unwittingly installed in the federal systems, with backdoors allowing their creators full access to the system.
For example, in addition to limiting bidding to Canadian companies, the notice of proposed procurement for a new government telephone system in Ottawa states preference will be given to bidders using made-in-Canada gear. The only alternative allowed will be for equipment manufactured in the United States or Mexico. The notice, which appears to be the first of the restricted IT contracts, was published last week.
What’s more, the Communications Security Establishment Canada, the country’s signals intelligence agency, now offers unclassified briefings on supply-chain security to companies seeking federal IT contracts.
The bidding controls were requested by Shared Services Canada, the new federal department responsible for consolidating and securing the government’s 100 email systems, 300 data centres and 3,000 network services.
Many experts, including Western intelligence agencies, have long fingered the Chinese government for supporting a web of sophisticated, global cyber espionage and online spying operations to infiltrate the computers of other governments and their advanced industries. China denies the accusations.
China also manufacturers many of the components that go into top computer brands and other electronics.
In March, the Australian government banned China’s Huawei Technologies Co. Ltd., the world’s second-largest telecommunications provider, from bidding on a contract to establish a new national broadband network, a move the Chinese Ministry of Commerce slammed as “unjust.”
It’s not clear whether IT firms with connections to China will be shut out of the future Canadian federal bidding.
Shared Service Canada last week also unveiled its plans to consolidate the government’s tangle of email systems. Its hope is to award a contract by next March, with a consolidated system operational by March 2015.
In a request for information published Friday, the government set out several preliminary security requirements for the job, including that all engineering and technical personnel who maintain the completed system be Canadian.
Another key requirement — “data sovereignty” — states all email servers and data repositories must be housed in Canada and that all internal government-to-government emails, including ones from abroad, must travel through secured networks and not be saved or stored at any stage between their starting and end points.
Treasury Board estimates for 2012-13 show Shared Service Canada, established last summer, is expected to spend about $1.5-billion in its first full fiscal year. Public Works will handle the tendering.
The national security restrictions follow the release this month of a 2011 internal government memo warning Public Safety Minister Vic Toews that cyber attacks pose a greater risk to Canada’s economic prosperity than the government previously believed, and the country lacks the tools to fight hackers.
The federal government unveiled a “cyber-security strategy” in 2010, but some experts say Canada remains a juicy target, with highly vulnerable computer systems holding a wealth of trade, economic and policy secrets in government and industry databanks.
Last fall, the Ottawa Citizen revealed that an unprecedented January 2011 cyber attack on Treasury Board and Finance computers was targeting highly sensitive information on Saskatchewan’s potash industry.
Three months before the attacks, the federal government rejected a proposed takeover of Potash Corp. of Saskatchewan Inc. by Australian mining giant BHP Billiton, which proposed to acquire Potash for US$38.6-billion. The government deemed the offer not to be in Canada’s best interest.
Around the same time, Chinese multinational conglomerate Sinochem was considering partnering with Russian interests in a bid for Potash Corp., the world’s largest fertilizer producer.
http://news.nationalpost.com/2012/06/23 ... -security/