In 2010, it was announced that the future home of Canada’s Department of National Defence was going to be at the old Nortel Networks complex, in Ottawa. Many voiced a concern over the cost of renovating the Nortel campus, estimated at over $600 million on top of the $200 million purchase of the land. The security of the campus was also a major concern for the new owners according to recent DND briefing documents. Now the location choice has again come into question over recent findings lurking in the building.
A new report by the Ottawa Citizen reveals that electronic listening devices were found at the former Nortel campus. This report also disclosed that Defence Minister Peter MacKay was warned that the DND moving into the complex before it could be properly secured created a major problem. Keith Murphy, CEO of Defence Intelligence, said, “There are more than enough problems with the proposed move already. Drastic budget increases, questionable benefits, unsubstantiated savings forecasts, and now the inherent security of the location itself. This might just be the final nail in the coffin for the proposal.”
Though it is unknown if the devices are still functioning or even transmitting, this could be the problem that the briefing document was referring to. DND spokeswoman Carole Brown said in response to the recent discovery that “The DND/CAF must maintain a safe and secure environment at all of its facilities, in order to maintain Canada’s security posture at home and abroad” but it hasn’t been stated if the persons who discovered the devices were even from the DND. Another unanswered question is whether the devices were intended to spy on DND or were remnants of espionage against Nortel. “While we don’t know with certainty of any active campaign targeting DND” said Murphy, “we do know that the site was compromised for over a decade while Nortel was the primary tenant.”
Hackers allegedly based in China, using malware and stolen credentials, carried on a decade-long campaign of stealing technical papers, R&D reports, employee e-mails, and other sensitive documents from the network company. Some believe that the former Canadian technology giant went bankrupt because of the Chinese hackers. Brian Shields, the former senior systems security adviser at Nortel, stated in an interview with CBC’s As It Happens that spying by hackers “absolutely” was a “considerable factor.”
What happened to Nortel isn’t an isolated incident in Canada. In January 2011, CBC News ran a story, foreign hackers attack Canadian government. Computer systems at 3 key departments were penetrated, including access to highly classified information at the Finance Department, Treasury Board, and Defence Research and Development Canada. So why take the chance with moving Canada’s Department of National Defence into a site that has already been compromised?
“DND told CTV News it may abandon the move, and sources said it’s unlikely any other department would take over the former Nortel site because of the security risks.”
The full CTV story with the Keith Murphy interview can be found at www.ctvnews.ca.
This is the time of year you see the ‘best of’ lists popping up everywhere. Lists of top breaches are no exception. Two excellent sources that review and offer some insight into their listed breaches include Tom’s IT Pro and Network World. Both lists include breaches that achieved fame for the extent of the damage or publicity.
One of the more significant breaches was the Nortel breach that remained undetected for 10 years. The hackers secured passwords for seven Nortel executives. This allowed the hackers access to view and steal “technical papers, R&D data, emails, plans and other sensitive corporate intellectual property and trade secrets.” Although the full extent of the damage has not been fully disclosed, or possibly been understood by Nortel, the breach leaves several questions about the security measures used. Were there no noticeable changes in
Did the executives not change their password on a regular basis in 10 years?
While reading these lists, I’m left wondering how many more breaches occurred but didn’t make the list because they were never disclosed to the public. For example, Bloomberg published a list of breaches that weren’t previously made public, such as Coca Cola and the British energy group BG Group Plc.
How do you keep yourself off the list of 2013 breaches?
In part two of this blog we’ll follow up with a look at what we can learn from these experiences with a compilation of tips to add to your security