The Canadian government has said it will take it a year to build a more secure IT infrastructure after the National Research Council (NRC) was hit by a recent cyber attack it’s blaming on Beijing.
In a brief statement, the NRC said that intelligence agency the Communications Security Establishment had recently “detected and confirmed” an intrusion into its infrastructure.
“Following assessments by NRC and its security partners, action has been taken to contain and address this security breach, including protecting its information holdings and notifying the Privacy Commissioner. NRC has also taken steps to inform its clients and stakeholders about this situation,” it added.
“NRC is continuing to work closely with its IT experts and security partners to create a new secure IT infrastructure. This could take approximately one year however; every step is being taken to minimize disruption.”
A separate statement by the Government of Canada CIO went further, claiming the attack was perpetrated by a “highly sophisticated Chinese state-sponsored actor”.
“While the National Research Council's networks do not currently operate within the broader Government of Canada network, since the detection and confirmation of the cyber intrusion, the National Research Council's networks have been isolated from the broader Government of Canada network as a precautionary measure,” it added.
“We have no evidence that data compromises have occurred on the broader Government of Canada network.
China appears to have assumed its typical stance in response to such allegations – outright denial.
Yang Yundong, a Chinese embassy spokesman in Ottowa, emailed Bloomberg to angrily refute what he described as “groundless allegations”.
The question now remains whether, after potentially a whole year, the NRC’s newly fortified security systems will be up to the task of defending against the next generation of advanced attacks no doubt currently being developed by nation states.
Amichai Shulman, CTO of security firm Imperva, argued that any “meaningful change” to IT infrastructure takes time.
“It is quite obvious today that adopting a technology across a large organization takes more time than it takes for the next technology to emerge,” he told Infosecurity.
“This is the reality and we should embrace it. Organizations find different ways to handle this risk in the general IT domain and particularly in the IT security domain.”
Planning infrastructure changes with “visionary consultants” and installing products from vendors who have capabilities “on top of market requirements” are just two ways to future-proof systems, he added.
“Moreover, by working with vendors who provide holistic solutions rather than niche products and system integrators who provide the integration between products of different domains the organization is better fitted for the unforeseen challenges of the day after deployment ends,” claimed Shulman.
Richard Cassidy, senior solutions architect at Alert Logic, argued that auditing and continual review of "security systems, practices and data" can help organizations stay one step ahead of more advanced threats.
“It is positive that the need to review existing infrastructure and practices has been identified, but more importantly for NRC is in the understanding on why the incident occurred and how they can assure they put in place processes around existing available technologies to continually monitor, review and respond to anomalies, suspicious activity or unauthorized access attempts to critical assets once the new infrastructure is implemented,” he added