Hacking attacks on government growing more sophisticated, intelligence agency warns

The motivations for such attacks vary widely, he said. Some criminals play for small stakes — trying to pick off individual government employees for their SIN numbers and passwords, for example.

“Then there are the more organized [attacks] that see the government as a target and they’re looking for financial gain, and those would be more sophisticated. They would tend to be looking for access to be able to do reconnaissance-type things,” said Jones.

To protect itself, the federal government has something called a “host-based sensor program” installed on over half a million computers across more than 50 federal departments. 

While the CSE typically says nothing in public about its defensive capabilities, and cites operational security when keeping those details private, the agency recently published details of the in-house host-based sensor program.

“Host-based is really about what we can see to make sure that nothing … is happening inside of the government networks that we don’t want and expect,” Jones said.

‘Hundreds of thousands of events a day’

The CSE’s cyber centre provides the outermost layer of the government’s online defences by detecting threats at the network level. The host-based sensor program is the inner layer of defence, warning system administrators when it detects something out of the ordinary on a government server. 

While most malware and phishing attempts are detected by the government’s frontline security, Jones said, those types of scams are becoming more sophisticated.

He said that if a piece of malware somehow made it past the palace gate and a government worker clicked on it, the host-based sensor program would send up a distress signal.

“We see hundreds of thousands of events a day across the government, not all of them malicious. Sometimes it’s just software that is just starting to behave weirdly or somebody has chosen to do an upgrade,” he said.

“And then yeah, absolutely, we see malicious software installed. We are able to stop it and make sure it doesn’t happen again”

When asked how successful the program has been in stopping attacks, a spokesperson for the CSE said that while “no network is fully impenetrable … we are very confident in its defence capabilities.”

The program also serves a canary-in-a-coal-mine function, helping Canadian gatekeepers detect new methods being employed by those looking to infiltrate government technology — and giving them a chance to warn others, said Jones.

“It sees things that we’ve never seen before. So it’s not in our threat intelligence feeds from commercial providers,” he said.

“So yes, you can try and use your malware against us, but we’re going to publish and we’re going to make sure that people know about it so that you can’t use it against anybody else.

“Which means cyber criminals would have to go back and they would have to redevelop some of their software. They would have to look at how to change the path they use to steal information. Our strategy is really about how do we make it more expensive to come after Canada.”

British counterparts now adopting program

The host-based sensor program officially launched about eight years ago — when the agency came to realize that most government workers would soon be working off their smartphones and connecting to their offices remotely.

The agency has decided to go public now to explain more of what it does to Canadians, said Jones.

“I can’t hide the fact that our genesis is from a sort of intelligence organization that prided itself on really not being known,” he said.

“It was really time to start showing people, ‘Here, this is one of the things we do for the government, we are good at this.’ I know it’s not Canadian to say things like that, but we’re really good at this.” 

The success of the program recently won over the CSE’s British counterpart, the National Cyber Security Centre, which partnered with the cyber centre to implement a version of the host-based system on U.K. government systems.