A construction company that's won millions of dollars worth of contracts with the military and other federal departments has been hit by a ransomware attack — raising questions about how the federal government does business with outside firms open to cyberattacks.

Ransomware attacks involve malicious software used to cripple a target's computer system to solicit a cash payment. Last month, a group known as Maze — infamous for publicly shaming victims until they pay up — claimed to have run a successful strike against the Toronto-based company Bird Construction, stealing 60 GBs of data.

"Bird Construction responded to a cyber incident that resulted in the encryption of company files," wrote a company spokesperson in an email to CBC.

"Bird continued to function with no business impact, and we worked with leading cyber security experts to restore access to the affected files."

The company wouldn't say whether they paid their cyber-assailants — something police forces warn against.

A company spokesperson said government officials were notified at the time of the breach.

While it doesn't appear that any secure government files were compromised in the hack, the Bird case raises concerns about how secure government contracts are as the number of ransomware incidents multiplies.

Between 2006 and 2015, Bird scored 48 contracts with the Department of National Defence totalling more than $406 million. Bird also helped build the RCMP's Surrey detachment headquarters and has done work for Public Services and Procurement Canada.

Christyn Cianfarani, president of the Canadian Association of Defence and Security Industries, said Canada could learn from the United States and Britain, countries that have taken steps to ensure the security systems of all government contractors are locked down — even those not dealing with classified information.

"When we look at the major hacks that have occurred, especially on the defence side, where you know fighter aircraft information was stolen — it wasn't stolen from the prime contractor, it was stolen in a tiny, tiny shop supplying widgets," she said, citing the 2017 theft of sensitive information about Australia's defence programs through a government contractor.

"Whether they're done by nation states or by criminal organizations or by rogue actors, it's a characteristic of these kinds of attacks to get to governments using businesses as the point of entry, especially ... small businesses that tend to be the most vulnerable."

Cianfarani said Canada needs to start working on its own cyber security certification program for vendors.

A screengrab of Maze's website from December 2019, where the group claimed to have run a successful strike against the Toronto-based company Bird Construction. (Maze's website )

Apart from federal work, Bird also has worked on renovations at multiple Ontario Provincial Police detachments and a wastewater treatment plant in Wood Buffalo, Alta., and helped to build Calgary's new emergency operations control centre. The company also has held contracts with oilpatch and potash companies, including Suncor.

A spokesperson for the RCMP said the police service is aware of the hack but would not say whether it's investigating.

Little recourse for feds after an attack

Public Services and Procurement Canada, which oversees how the government buys goods and services, has different levels of security clearance depending on whether a contractor has access to classified information.

"The government of Canada does go a long way to do that when there is sensitive information in play. When there's not sensitive information at play, companies do need to realize that this is a growing [trend]," said Aaron Shull, managing director and general counsel for the Centre for International Governance Innovation.

A spokesperson for Public Services and Procurement Canada said the department is working to ensure all companies are properly vetted.

"Ransomware and the impacts of this type of attack are monitored by Public Services and Procurement Canada in collaboration with other government security agencies," said spokesperson Stéfanie Hamel.

"Public Services and Procurement Canada is working closely with relevant departmental stakeholders to ensure that, as part of the procurement process, companies it does business with have gone through intensive screening and meet all of our security requirements before any contract is granted."

Shull said there's little recourse for government departments once their confidential information is caught up in a cyberattack.

"The problem, of course, is that once a company has been breached it's a little bit like trying to nail the barn door shut after the horse is already gone," he said.

"The tools that are available to the federal government to penalize these companies are unsatisfactory. You're going to end up with a lawsuit for breach of contract or negligence, or something like that."

The Bird Construction case is just the latest in a series of ransomware attacks hitting Canadian networks — a series that includes attacks on a number of Ontario municipalities, including Woodstock, Stratford and The Nation.

The tools that are available to the federal government to penalize these companies are unsatisfactory. - Aaron Shull, CIGI

The RCMP has reported an uptick in ransomware attacks and a recent survey of Canadian organizations found the vast majority (88 per cent) had experienced a data breach over the last 12 months.

Brett Callow, a security analyst with the anti-virus software firm Emsisoft, said any stolen data could be used to perfect a future scam. He said implementing a bolstered audit system could help the government identify information that has been put at risk.

"If data has been stolen, there's obviously no way of getting it back. The most you can do is pay the criminals for a pinky-promise that they will not use that data," he said.

Vendors need better cyber hygiene: experts

Both DND and the RCMP said they follow Public Services and Procurement Canada's directions when it comes to contracts for goods, services and construction.

"The protection of information is a priority for the Department of National Defence," said Jessica Lamirande.

"We continue to take every precaution to ensure the proper security and privacy measures are in place, including complying with all relevant Government of Canada policies."

A RCMP spokesperson said the force also reviews the security requirements for all contracts and may include security clauses that require contractors to safeguard information.

Justin Fier, director for cyber intelligence and analytics at the online security firm Darktrace, said companies need better cyber hygiene and more training to prevent human error.

"The unfortunate and sad truth is no matter how much we educate our workforce, people will get duped into clicking the link in the email or ... doing something that they probably shouldn't be doing just because it gets the job done quicker and more efficiently," he said.

"It's not going anywhere anytime soon. As long as we pay the ransoms, they're going to keep coming back."