Canada’s spy agency warned Canadian universities in August to be wary of using Chinese technology, including a service offered by e-commerce company Alibaba to help students based in China take online Zoom classes in this country.
Alibaba, which has come under close scrutiny from China’s ruling Communist Party after its billionaire founder, Jack Ma, ran afoul of President Xi Jinping, provides an accelerated virtual private network server so students in China can attend Zoom classes without lag. Alibaba’s “Alibaba Global Accelerator” service is marketed as a solution to avoid network congestion and reduce delays in communication.
Officers of the Canadian Security Intelligence Service briefed the Canadian University Council of Chief Information Officers (CUCCIO) in August on cybersecurity concerns with Alibaba’s online service, according to two sources with knowledge of the discussion.
Lori MacMullen, executive director of CUCCIO, confirmed the briefing took place, but said her organization simply facilitated the discussion with universities. She was unable to say how many of Canada’s 64 universities participated.
Unlike Western online video and audio chat platforms such as Microsoft Teams and Cisco Webex, the sources say, CSIS noted that Alibaba’s service could be used by Chinese security agencies for surveillance or monitoring.
The agency pointed to a 2017 law that allows Beijing to order Chinese companies to “support, co-operate with and collaborate in national intelligence work” if requested by security agencies, the sources said.
The Globe is keeping the identities of the sources confidential because they are not authorized to talk about national security issues.
CSIS would not discuss Alibaba, but a spokesman said the spy service regularly talks with universities and business organizations about state-sponsored efforts to gain information and intelligence in Canada.
“Our recent outreach to postsecondary institutions and affiliated associations is a good … example of how CSIS is connecting with important stakeholders to ensure Canadians remain safe and our interests are protected from foreign-based threats,” CSIS head of media relations John Townsend said in a statement.
Andy Ellis, a former assistant director of operations at CSIS and chief executive officer of 3 Sixty Security, said Alibaba is not be trusted, and Mr. Ma’s recent troubles with Beijing’s rulers make that abundantly clear.
Mr. Ma, the chief executive officer of the e-commerce giant, publicly criticized China’s regulators at a forum attended by Chinese Vice-President Wang Qishan last October. Mr. Ma was immediately summoned to a meeting of Chinese financial regulators, and the stock market debut of Ant Group, an online finance service, was cancelled. Beijing also indicated it may nationalize Alibaba.
“While there are disputes occasionally between Alibaba and the Chinese government, that is not unlike any family, but at the end of the day, the family is the family,” Mr. Ellis said. “If the Chinese government has expectations of Alibaba, then Alibaba will deliver.”
Stephanie Carvin, a professor of international affairs at Carleton University, who was previously a national security analyst in the federal government, said the concerns become acute if the Chinese state takes over Alibaba.
In 2018, Beijing took control of China’s giant Anbang Insurance Group for two years after charging its former chairman with fraud.
Prof. Carvin said the amount of data that could be captured would be of use to the Chinese state. This could include passwords, which are valuable because people commonly use the same one for several accounts, as well as voice and video records of the video conferences.
In a statement provided to the Globe, Alibaba Cloud, a subsidiary of Alibaba Group, said the company does not have access to the information transmitted as a result of the service they are providing to universities and students.
“With the COVID-19 backdrop, we continue to provide stable, fast and secure network to help connect schools and universities with students remotely. As a technology provider, we do not have access to the content provided by the education institutions, nor student information and the exchange between the institutions and students,” Alibaba Cloud said in the statement.
The CSIS outreach to universities is a sign of how worried Canada’s security agencies are about cyber risks from states such as China, Prof. Carvin said.
The COVID-19 pandemic triggered a rapid transformation in how universities do business, and this means “we’re just so much more vulnerable – and down the line we could be paying the price for some fairly lax security policies that we had to put in place because it was the most convenient situation in an emergency,” she added.
The Globe also asked Mr. Townsend whether CSIS had national security concerns about the involvement of Huawei Technologies Co. Ltd. in a data-sharing arrangement used by Canadian university researchers. He referred The Globe to the Communications Security Establishment, which is responsible for cybersecurity and signals intelligence. CSE declined to comment.
As part of a 2017 contract, Huawei Technologies Canada provided network switches to connect four new national data centres. This arrangement, the Compute Canada Federation, is funded by the federal government. The data centres support researchers from many Canadian universities and research institutions.
Simon Fraser University was the lead university in this 2017 effort to procure new equipment. SFU spokesperson Angela Wilson said, “Huawei was selected after a rigorous procurement process that followed all applicable regulations.”
Asked whether SFU had spoken to CSIS about this, Ms. Wilson said: “SFU takes computing security very seriously. We regularly work with partners, including the federal government, to evaluate risks before making purchases of this type. Since this procurement, SFU and the Compute Canada Federation have continued to work with partners to ensure the security of the network.”
Mr. Ellis said universities should not put sensitive research on supercomputer systems using Huawei gear.
“Anything with Huawei in it is dangerous. I would highly recommend that there be a reconsideration of that,” Mr. Ellis said. “The research and development of all the universities that use this system is at risk, unquestionably.”
He said private-sector companies that deal with universities to get access to the research are also at risk, as well as foreign universities that may share research with Canadian institutions. “There is no question this is a risk,” he added.
Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the day’s most important headlines. Sign up today.