OTTAWA (Reuters) - Canadian security services are sounding the alarm about what they see as a potential weakness in political parties’ cyber networks just months ahead of a federal election in October, four sources with direct knowledge of the matter say.
Government officials are convinced Russian actors will try to interfere in the vote in the same way they did in the 2016 U.S. presidential election and the Brexit referendum.
One source said foreign hackers had already begun to ramp up efforts to send so-called phishing emails to Canadian legislators, seeking to gain access to their accounts.
Democratic Institutions Minister Karina Gould last month said she anticipated increasingly sophisticated “nefarious cyber activity” targeting the election, and Foreign Minister Chrystia Freeland has said she is very worried about Russian interference.
Neither minister has provided details, but sources say the proliferation of free email and messaging services used by parties’ local associations across the country exposes them to cyber attacks like the one that hit Hillary Clinton’s campaign in 2016.
Russians allegedly hacked into her campaign chairman John Podesta’s emails. They were later published by WikiLeaks during the run-up to the election. The candid emails are widely considered to have hurt Clinton’s presidential bid.
“That’s the problem and the nightmare scenario,” said a second source.
The Communications Security Establishment (CSE) spy agency says it is concerned about the potential for wrongdoing and is briefing the major parties on the importance of keeping data secure and is drawing up a special handbook for them.
It is also arranging for security clearances to be given to some senior party staff members in order to share intelligence about risks to Canada gleaned from counterparts in Australian and Britain.
While the parties’ main databases are deemed to be relatively secure, the main security challenge comes from the thousands of volunteers in the 338 parliamentary districts who will be using their own email, Facebook, Twitter and WhatsApp accounts.
“We’ve been beating along saying ‘For God’s sakes, the CSE is telling you, Microsoft tells you, the number one thing you can do to stop 90 percent of attacks, every one of your volunteers - and this is a huge challenge - has to be using two-factor authentication,’” the second source said.
“It is your weakest link to getting exposed, the email conversations about your campaign that will show up,” continued the second source, who declined to be identified given the sensitivity of the matter.
The source, complaining about “ding dongs who won’t set up their accounts right”, said CSE had made clear privately it would not be able to deal with a flood of concerned messages from volunteers during an election campaign worried their accounts had been hacked.
A third source said the security challenge for CSE was to avoid a “situation where either people are petrified of doing anything or they just start ignoring it because we are making it too hard.”
CSE is giving the parties advice but does not have a mandate to check what they are actually doing, said the source, adding that “I’m not aware of any breach of any major political party”.
One challenge is that parties can be leery of paying the money needed to boost security and identify weaknesses.
“This is all donor money and every time you spend C$200,000 on a financial audit ... you’re not out helping speak to voters,” said the second source.
The main parties have not asked for financial aid and there has been no talk of government funding to help boost the security of the parties’ computer systems, said Amy Butcher, chief spokeswoman for Gould.
The concern among security services is not so much that the result of the election could be altered through a hacking attack - Canadians vote with paper ballots - but that leaks could be used to undermine faith in the political system.
“The Russians will say ‘All those security safeguards you talk about are not going to stop us from doing what we want,’” said a fourth source with direct knowledge of the matter.
Reporting by David Ljunggren, editing by Steve Scherer and Jonathan Oatis
Our Standards: The Thomson Reuters Trust Principles.