Reliance on IT contractors exposes feds to risk of foreign interference, experts say, as RCMP warns against North Korean infiltration

Ottawa’s heavy reliance on IT contractors and weak safeguards around digital identity expose Canada to fraud, espionage, and foreign interference, say experts, as Canadian security agencies warn against infiltration by hostile state-linked actors.
A July 16 advisory issued by the Royal Canadian Mounted Police, Public Safety Canada, Global Affairs Canada, the Financial Transactions and Reports Analysis Centre of Canada, and the Canadian Centre for Cyber Security warned Canadian businesses of risks of infiltration by hostile actors deployed by the North Korean government posing as IT workers.
The advisory stated that in the past, North Korean IT workers have used their access to corporate systems for cyber espionage, money laundering, or to acquire sensitive materials for state-run enterprises. It cautioned Canadian firms against hiring these hostile actors, and warned that it could result in legal consequences for Canadian companies under the sanctions the government has placed on North Korea.
The joint advisory also explained that state-affiliated actors posing as freelancers based in Western countries may insert passive malware and backdoors in program codes that can collect and exploit information, exposing companies to the risk of corporate espionage and data theft. It also identifies small businesses and startups as more vulnerable to these threats.
Canada’s warning follows the United States Justice Department’s crackdown on North Korean state actors. The department announced in late June that it carried out operations across 16 states, convicted one individual, and seized laptop farms and bank accounts supporting North Korean operatives. The department reportedly disclosed that firms that unknowingly hired North Korean operatives include tech giants and at least one defence contractor. North Korean IT worker infiltrations reportedly exploded 220 per cent over the last year with freelancers fraudulently getting jobs in more than 320 companies.
With billions of taxpayer dollars pouring into government contracts every year covering everything from defence capabilities to cybersecurity to health care, experts say Canada should address the vulnerabilities that hostile actors can exploit.
Aaron Shull, managing director and general counsel at the Centre for International Governance Innovation, said “there is real exposure” for this country’s procurement system.

“Canada is not uniquely vulnerable, but our dependence on subcontracted, remote IT labour combined with inconsistent identity and clearance verification creates a real attack surface that sophisticated actors can and do target,” Shull told The Hill Times in an Aug. 18 interview.
“The point is, you have got to know who’s doing the work, and you got to know who you’re paying. It’s not splitting an atom; it’s basic due diligence.”
Public Services and Procurement Canada (PSPC) did not respond to The Hill Times’ questions about whether the department sees a risk of foreign interference through the use of subcontractors.
Shull said controls are uneven across departments and contract types, with some classified work requiring strong security screening while others include layers of subcontractors working remotely without clear verification for who’s actually doing the work.
“That creates entry points for state-linked operators to exploit,” Shull said.
Federal Auditor General Karen Hogan looked into 106 contracts with a total value of $92.7-million awarded to GC Strategies, the IT-staffing firm at the centre of procurement fraud allegations in ArriveCan contracts, in a June 10 report. Hogan found that in 21 per cent of contracts examined, federal organizations lacked documentation to show that they had confirmed security clearances.
While the ArriveCan saga does not include any state-linked actors, the lack of security clearances found in Hogan’s report is “precisely the [type of] gaps adversaries exploit,” Shull said.
Espionage, fraud, and foreign interference through contractors
Shull said state-linked actors can infiltrate government systems in several ways, including taking remote IT jobs to gain access to sensitive data, which he referred to as “good old-fashioned spying.” Another tactic is putting malicious code—called a “logic bomb”—into government systems or software. “They might not use it, but they put it there in case they need to activate it,” he explained.
On Aug. 14, CBC News reported that the House of Commons and the Communications Security Establishment (CSE) are investigating a significant data breach caused by an unknown “threat actor” targeting staff data. A 2024 CSE report found that Canada is under threat of cyberattacks from state adversaries such as China, India, Russia, and Iran.
This is not to say the federal government does not have any safeguards in place to protect procurement integrity or federal data. Measures such as security screening of contractors, and layers of departmental oversight by PSPC and the Treasury Board are already in place, but experts say additional measures can help strengthen the process.
According to Shull, the existing safeguards work best when the contracts include high-level security requirements or when dealing with reliable, or secret or top-secret information.
“The challenge is that not all IT work is scoped that way, and so visibility beyond the prime and first-tier subcontractors can be limited,” he explained. “Once you get further down and you’re out of those parameters, then that visibility becomes more and more limited, and that’s what we have to fix.”
‘We never know who we’re hiring’: Hutchinson
According to Kelly Hutchinson, a digital government and procurement strategist at Ottawa’s Compass Rose Group, the case of North Korea is “a blip on the radar of the bigger issue,” which she said is the lack of a government platform for digital identity to reliably verify and authenticate identities.

“The government can hire freelancers and contractors. What is the government doing to authenticate and verify that people are who they say they are in the advent of these new technologies?” she asked, referring to malicious technologies used by state-linked actors such as the use of virtual private networks and servers, encrypted messaging applications, and AI-enabled deepfake technologies that disguise appearances.
“There are suppliers that have been known to take freelancer jobs to increase their ability to win contracts. Unless Canada fully adopts a trusted digital trust framework to verify who we’re hiring, we’re going to be exposed to more than just foreign interference. We’re exposed to fraud,” she said.
Hutchinson argued that Canada is at greater risk of fraud and foreign interference because the country is behind in adopting digital trust and verification solutions. “We never know who we’re hiring.”
The PSPC-run Contract Security Program provides screening of organizations and their employees for solicitations and contracts with security requirements. The mechanism works with Canadian groups and foreign governments to protect national and international security, as well as Canadians’ data, which may include a wide range of things from financial records to military plans.
PSPC has rolled out new rules aimed at strengthening oversight of professional services contracts, and shifting towards “outcome-based” procurement practices amid years-long criticism over major delays in project delivery, cost overruns, and heavy reliance on external consultants. As part of those changes, a new set of restrictions on the use of subcontracted resources will be introduced.
Under the measures, contracts with a total value exceeding $2.5-million or with a contract period of longer than 18 months will require requests for proposal (RFPs) mandating that bidders demonstrate at least 50 per cent of the core work and project management is performed by their own staff. The RFPs will also identify critical roles that must be performed by a supplier’s employees.
Those measures have not yet come into effect, but “consultations are still ongoing,” according to a statement provided to The Hill Times by PSPC spokesperson Nicole Allen.
Once they are in place, the planned restrictions on subcontractors would help the government weed out malicious actors, according to Shull, who suggested additional rules could include mandatory reporting of all subcontracting tiers, tightening remote access, enforcing Canada-only device access, and conducting random audits.
The RCMP did not immediately respond to The Hill Times’ questions about whether any government procurements or remote IT roles have been infiltrated by state-linked actors.
While Shull said most such cases—if not all—would be classified, one case of a subcontractor getting involved in espionage made national headlines in the recent past.
Qing Quentin Huang, an Ontario-based engineer who worked at a company called Lloyd’s Register in 2013 and was subcontracted to do work with Irving Shipbuilding, was charged under the Security of Information Act for allegedly offering classified details of Canada’s shipbuilding and procurement strategy to the Chinese government. The prosecution process came to a halt when a Superior Court judge stayed the charges, citing an unreasonable delay in bringing the matter to trial.
Hiring external IT contractors cost the federal government at least 22 per cent more than using public servants in four departments during the 2022-23 fiscal year, according to a 2025 report by the parliamentary budget officer.
The federal government spent $18.6-billion on professional and special services that same fiscal year, according to the report. Of that, $2.66-billion was spent on informatics services, including IT-related services.
In 2022, the government had about 7,700 IT contractors across departments compared to 18,000 in-house IT employees, said Sean Boots, then-senior policy adviser at the Treasury Board Secretariat, during a meeting of the House Government Operations and Estimates Committee in November 2022.
ikoca@hilltimes.com
The Hill Times