CSIS warns of threats to vaccine distribution chain

State actors could be looking for economic gain — or simply to undermine trust

Image | COVID-19 vaccination Toronto UHN Pfizer vaccine

Caption: Before hundreds of thousands of vaccine doses landed in Canada and started being shipped across the country, the Canadian Security Intelligence Service briefed industry players on emerging security threats. (Evan Mitsui/CBC)

The country's spy agency is warning companies in the vaccine supply chain that malicious foreign actors could threaten the largest inoculation program in Canadian history — by targeting their workers, among other tactics.
Just prior to the arrival of hundreds of thousands of vaccine doses in Canada, the Canadian Security Intelligence Service (CSIS) recently offered a briefing(external link) to industry players about the emerging threat.
One of the people taking part in that briefing was Pina Melchionna, president of the Canadian Institute of Traffic and Transportation. The non-profit association helps Canadian companies manage delivery logistics.
Melchionna said some of her corporate members are taking part in vaccine deployment, including Air Canada Cargo and Shoppers Drug Mart.
"We've been told that the Canada supply chain in particular has been the interest of many foreign actors, and perhaps bad actors in that respect," she told CBC News.
"I think ... my takeaway from that session was definitely that this isn't like TV, where spies are coming over to get our data. They are targeting people already working within companies who either have vulnerabilities, or who may be sloppy because of the tight deadlines we have in getting the vaccine to market."
WATCH | Who could target Canada's vaccine rollout?

Media Video | (not specified) : Who could target Canada's vaccine rollout?

Caption: Former CSIS director Ward Elcock says governments are likely watching for threats from organized crime and state actors when prepping vaccine security plans.

Open Full Embed in New Tab (external link)Loading external pages may require significantly more data usage.
Many foreign intelligence agencies are known to manipulate individuals abroad — often through threats, harassment or the detention of family members. It's an old-school espionage tactic described in a landmark intelligence report earlier this year.
But the threat is more alarming now, as Canadian government officials and distributors prepare to vaccinate millions of people against COVID-19 by the end of next year.
A spokesperson for CSIS said the agency has reached out to supply chain associations and industry to tell them what to look out for as they brace for threats to the vaccine rollout.
"CSIS observes persistent and sophisticated state-sponsored threat activity, including harm to individual Canadian companies, as well as the mounting toll on Canada's vital assets and knowledge-based economy," said agency spokesperson John Townsend.
"As a result, CSIS is working closely with government partners to ensure that as many Canadian businesses and different levels of government as possible are aware of the threat environment and that they have the information they need to implement preemptive security measures."
When asked which foreign actors might be targeting Canada's vaccine rollout, Townsend pointed to a July briefing CSIS gave to the Canadian Chamber of Commerce which flagged China and Russia as countries actively involved in commercial espionage.
Earlier this summer, intelligence agencies warned that a hacker group "almost certainly" backed by Russia was trying to steal COVID-19-related vaccine research in Canada, the U.K. and the U.S. And the United States recently confirmed that hackers — widely believed to be backed by Moscow — hit multiple federal departments in a months-long operation.

A bid to 'undermine confidence'?

Jessica Davis is a former senior intelligence analyst with CSIS who now heads the private consulting firm Insight Threat Intelligence. She said state-sponsored actors have a laundry list of motivations for interfering in Canada's vaccine rollout strategy.
"Perhaps to again gain access to the vaccine, or also to prevent adversaries from gaining access to the vaccine or a fully vaccinated population. There are economic and security benefits from being the first, or among the first countries to achieve that status," she said.
"If they can get into the supply chain, that demonstrates [their] capability to get into it, probably at a variety of different points. So it undermines confidence in that distribution system ... that could be one of the primary purposes there.
"Gaining access to one vaccine or one distribution site isn't necessarily the end goal, but undermining that process could be the end goal for a state actor."
Other antagonists, like terrorist organizations, might be looking to disrupt the rollout itself, Davis said.
"Or it could also be people who are actually opposed to vaccines in and of themselves who are seeking to take action against that distribution," she said. "So there's a wide variety of actors here. And with CSIS and potentially other law enforcement agencies briefing members of the supply chain, that really tells me the number of actors could be really large and the threats are very real."
Former CSIS director Ward Elcock said organized crime is also likely interested in getting its hands on vaccines as shipments fan out across the country.
"This is as valuable as gold at this point in time," he told CBC's Power and Politics last week. "If you're a criminal organization, you can make money out of anything. People make money off of cigarettes. They make money off of drugs. This is no different than any other commodity."

Image | Vaccines

Caption: The first doses of the Pfizer-BioNTech COVID-19 vaccine were unloaded in Ontario on Sunday, kicking off a complex rollout plan. (Office of Premier Doug Ford)

Melchionna said CSIS also warned companies about the need to keep their data secure. For example, a smaller company with more relaxed security protocols could put others at risk if it's breached.
"A chain is only as strong as its weakest link and I think that absolutely holds true for the supply chain," she said.
"The project vaccine deployment is so large and involves so many organizations working against aggressive timelines that I think bad actors are hoping to capitalize on sloppiness in the supply chain. And [the] supply chain is very data-rich."

CSE watching for foreign threats

A spokesperson for the Communications Security Establishment, the country's foreign signals intelligence agency, said the intelligence agency has been providing cybersecurity advice as well, through regular calls with the health care sector to share threat information.
"CSE and its Canadian Centre for Cyber Security continue to work with our domestic and international partners to support the Government of Canada's response to the COVID-19 pandemic, including vaccine research and distribution," said Evan Koronewski.
"It is always important to note that we continue to monitor for cyber threats through our foreign intelligence mandate. We are working with our Canadian security and intelligence partners, including the Department of National Defence and the Canadian Armed Forces, to address foreign and cyber threats facing Canada."
Maj.-Gen. Dany Fortin, the military commander leading vaccination logistics at the Public Health Agency of Canada, said the agency is aware of the threats to their mass distribution plan.

Image | Britain Russia Vaccine Hack

Caption: Britain, the United States and Canada accused Russia in July of trying to steal information from researchers seeking a COVID-19 vaccine. (Ted Warren/Associated Press)

"So we pay attention to the wide range of threats. Agencies, the police services are paying to those threats that fall ... in their lanes, and [are] very much ensuring that the appropriate levels in the provinces and territories are made aware of what those are. And they will continue to do that moving forward," he said during a briefing in Ottawa last week.
"But I think the underlying issue that you're raising here is that we need to ensure that some information is not divulged, for obvious reasons. So when it comes to the exact routing [of vaccine shipments], we prefer not to disclose the routing, the exact location or transfer points in the cold chain to protect the integrity of the ... supply chain."

Spotting anomalies harder in 2020

While the threat is severe, industry players say they're taking it seriously and Canadians shouldn't be concerned.
"Every key player, from manufacturing to distribution, is keenly aware of the security risks inherent in this operation and is therefore continually assessing and actively preparing for the full gamut of potential threats, including [threats] to infrastructure, personnel and cybersecurity, among others," said Simona Zar, a spokesperson for Supply Chain Canada, a group which represents the supply chain sector in this country.
"An operation this complex requires collaboration and clear communication between government, the private sector and stakeholders."
Drone Delivery Canada, which has been in talks with the federal government about delivering vaccines to remote communities, said it knows immediately if a drone is tampered with or goes missing.
"Our drones are federally regulated. They have a tail number. So if you planned to interfere with one of our drones that's [not even] carrying ... vaccines, even just PPE or just regular cargo, it would be a federal offence," president Michael Zahra said.
"I think it's highly unlikely, given the security that we have at point of origin and point of destination. We are constantly tracking our drones exactly where they are. So we know what the situation is with a drone. If anything were to happen — which is, again, highly unlikely — we know exactly where everything is in real time."