Canada’s valuable COVID-19 research vulnerable to Russian, Chinese hacks

August 4, 2020

Originally printed in The Chronicle Herald, July 30, 2020

In late March, Canada’s Communications Security Establishment (CSE) warned researchers across the country to secure their COVID-19 data because “sophisticated threat actors” — read state-sponsored hackers — were exploiting the chaos of the pandemic in an effort to steal critical vaccine research, some of which is now ongoing in Halifax.

In mid-April, Google’s threat analysis group announced that it blocked almost 18 million COVID-related malware and phishing emails … per day. On May 13, the FBI and U.S. Cybersecurity and Infrastructure Security Agency warned that Chinese hackers were attempting to steal data from a number of organizations conducting coronavirus research.

So it should not have come as much surprise when the Trump administration recently charged two Chinese nationals with cyber-crimes and also ordered the country to close its consulate in Houston. It also shouldn’t have shocked observers when the CSE, in a July statement with its U.S. and U.K. counterparts, determined that a well-known Russian hacker group known as APT29, “the Dukes” or “Cozy Bear,” was behind a number of recent digital attacks aimed at stealing information and intellectual property from Canadian labs working on pandemic-related research.

The Great Cyber Game is afoot. From Russia targeting the 2016 U.S. election (and apparently the U.K., too, if its recently released parliamentary intelligence and security committee report is to be believed) to China’s penetration of the U.S. National Security Agency and the ongoing digital disruption of Iranian weapons programs, there is no denying the strategic importance of the 21st century’s virtual battlefield.

What is shocking is how slow Western democracies have been at fully appreciating the way in which COVID-19 has expanded the cybersecurity theatre to include global public health, despite months of warnings. Canada’s leaders — national, provincial and local — need to start taking these attacks seriously.

Instead of awarding multi-million-dollar security contracts to deploy IT systems across all Canadian embassies — made by the Chinese state-owned “Huawei of airport security” (yes, that just happened) — our country’s political, law enforcement and national security leadership should be communicating and implementing a multi-pronged plan to deal with digital threats to Canada’s COVID-19 research.

For example, Canada has a National Cyber Security Strategy. It is only 40 pages long and it was written in 2018. Of course, it does not mention COVID-19. It ought to. The prime minister should prioritize an immediate rethink and revitalization of this plan. All parties should pressure the government to have it updated in the face of how dramatically the playing field has shifted as a result of the pandemic.

Demands for actual engagement of local and provincial resources to implement such a strategy at the ground level should also be front and centre. This type of local, provincial, and federal co-operation is critical — especially in the Atlantic region — given the extremely important COVID-19 research happening here in Nova Scotia.

For example, the federal government announced in May that the Canadian Center for Vaccinology — a joint centre led by Dalhousie University, the IWK Health Centre and the Nova Scotia Health Authority — would lead the first Canadian clinical trials for a coronavirus vaccine. This is a remarkable opportunity, which must be protected with robust cybersecurity resources. We know state-based hackers in Russia, China and other countries are mounting a full-court press to steal or disrupt public health efforts aimed at finding a vaccine.

However, there has been little to no discussion beyond the CSE’s repeated warnings as to just what is being done to protect the important work of our local health and science experts.

Since Canada’s new federal rules for data breach reporting went into effect in November 2018, privacy commissioners across the country have pushed for public- and private-sector leaders to appreciate the risks associated with collecting, using and disclosing personal information without having a data breach plan and cybersecurity measures in place.

The same advice ought to apply to our local researchers, government agencies and burgeoning health and technology sectors. Engage your IT security leaders to understand the risks. Investigate and assess internal cybersecurity measures presently in place (or which need to be implemented) to ensure programs and patches are up-to-date. Review your insurance policies and question if data breaches are covered. Consider speaking with privacy experts to help build internal policies and plans for when a breach happens.

Because the hacks will come, if they haven’t already. After months of warnings, local, provincial and federal leaders will have no excuse if our hard work and research aimed at beating COVID-19 is stolen. Sophisticated threat actors are already making global public health another victim of 21st-century cyber-attacks. We must be ready.

Related Services

Cybersecurity & Privacy

Related Articles

Legal Authority and Consent in Generative AI: Ensuring Compliance and Building Trust

As businesses in Canada continue to uncover the potential of generative artificial intelligence (AI), understanding the legal underpinnings of authority and consent becomes paramount. This article explores these concepts within the framework of the Office of the Privacy Commissioner of Canada’s principles, providing actionable insights and practical examples to guide businesses in their compliance efforts. […]

read more

Privacy Law and PIPEDA: Common questions asked by businesses

As someone practicing for several years in the field of privacy law, I am asked to provide advice and to answer a variety of questions from both clients and other legal professionals on a myriad of privacy, access to information, and cyber liability related topics. The purpose of this article is to provide insight into […]

read more

Introduction to OPC’s Generative AI Principles: A Guide for Canadian Businesses 

In late 2023, the Office of the Privacy Commissioner of Canada (OPC) introduced a comprehensive set of principles aimed at guiding the responsible, trustworthy, and privacy-protective development and use of generative artificial intelligence (AI) technologies. This initiative reflects a proactive stance by Canadian privacy regulators to address the complex challenges and opportunities posed by the […]

read more
view all
Cox & Palmer publications are intended to provide information of a general nature only and not legal advice. The information presented is current to the date of publication and may be subject to change following the publication date.