Elections Canada wants someone to launch simulated phishing attack

An Elections Canada spokesperson said simulated phishing attacks “will help educate employees on ways to safeguard information and systems and heighten their awareness of cybersecurity threats.”

Thestar.com
Nov. 9, 2017
By Alex Ballingall

Elections Canada is looking for someone to run a mock attack on its computer system to make sure its security is up to snuff.

The federal agency put out a call on Oct. 26 for a contractor to conduct a “simulated phishing program.” The goal, according to the contract advertisement, is to “create awareness and assess the current state of readiness against cybercriminal attacks initiated by phishing.”

“Phishing” refers to the hacking technique of tricking email users into providing usernames and passwords to their accounts and networks.

The tactic is commonly used and often successful. It can also be quite serious. A Lithuanian man was arrested in March after he reportedly tricked Facebook and Google into wiring him $100 million (U.S.) using a phishing scheme.

And John Podesta, the chair of Hillary Clinton’s election campaign, had his password stolen last year through a phishing email that was mistakenly called “legitimate” rather than “illegitimate” in a typo by a campaign aide, according to a New York Times investigation on how the Democratic party servers were hacked during the U.S. presidential election.

In an emailed statement Thursday, Elections Canada spokesperson Melanie Wise said simulated phishing attacks are a “standard part” of cybersecurity efforts used by many employers. “It will help educate employees on ways to safeguard information and systems and heighten their awareness of cybersecurity threats,” she said.

The dry run at phishing sabotage will give employees real-time training on what an attack could look like, the contract ad says: “We want to simultaneously protect our data while providing invaluable cyber awareness.

Wise added that this won’t be the first time Elections Canada has run a phishing simulation and that, like other government departments, the agency faces “malicious cyber attempts on an ongoing basis.”

In March, for example, Statistics Canada’s internal network was pierced by an unauthorized user after a website software update exposed vulnerability and forced the shutdown of two government websites.

Canada’s signals intelligence and cyberdefence agency, the Communications Security Establishment, concluded in June that threats against democratic processes are increasing around the world and it is “very likely” groups will try to influence the next election through cyber attacks.

The agency’s report on those risks singled out phishing campaigns as one on the types of threats facing Canadian political parties, politicians and the media. The report noted that federal agencies like Elections Canada are less vulnerable to cyber threats because “federal elections are largely paper-based” and the agency already has a number of security measures in place.

Bids on Elections Canada’s fake phishing contract are due Dec. 5.