THE STANDING SENATE COMMITTEE ON BANKING, TRADE AND COMMERCE
OTTAWA, Wednesday, October 18, 2017
The Standing Senate Committee on Banking, Trade and Commerce met this day at 4:18 p.m. to study and report on issues and concerns pertaining to cyber security and cyber fraud.
Senator Joseph A. Day (Deputy Chair) in the chair.
The Deputy Chair: Honourable Senators, good afternoon and welcome. Dear colleagues, guests and members of the general public who are following today’s proceedings of the Standing Senate Committee on Banking, Trade and Commerce, either here in the room or listening via the Web, my name is Joseph Day. I am the deputy chair of this committee. I am replacing the chair, David Tkachuk, who is not available today.
Today is our first meeting on our study on the issues concerning and pertaining to cybersecurity and cyber fraud. The order of reference was approved by the Senate Chamber, and we’re proceeding on it.
I’m very pleased that we have a panel this evening to help us get this study under way.
Let me introduce the panel to you, colleagues, and those watching from elsewhere. From Public Safety Canada, Adam Hatfield, Acting Director General, National Cyber Security Directorate.
From the Royal Canadian Mounted Police, Chief Superintendent Scott Doran, Director General, Federal Policing Criminal Operations; and Superintendent Mark Flynn, Director, Cybercrime, Federal Policing, both from the RCMP. From the Canadian Security Intelligence Service, Charles Lowson, Director General, Counter Intelligence and Counter Proliferation.
Charles Lowson, Director General, Counter Intelligence and Counter Proliferation, Canadian Security Intelligence Service: That’s correct.
The Deputy Chair: We are going to call on each of you to make your presentation and then we will go into a question and answer dialogue.
Adam Hatfield, Acting Director General, National Cyber Security Directorate, Public Safety Canada: Thank you for inviting Public Safety Canada to speak today about cybersecurity as it pertains to Canada’s financial and commercial sectors. As we all know, Canadians are living in a digital age. There is no aspect of our lives that has not been touched by digital technology on the Internet. The rate of change we are seeing is continuing unabated.
Digital technology presents tremendous benefits and opportunities for Canadians and for Canadian businesses, but like any technology it comes with its share of dangers and risks. Cybersecurity is the enabler that lets us leverage digital technology to the fullest while mitigating those risks and dangers. For that reason, cybersecurity is a government and a national priority and it has been for many years.
Today I would like first to speak about Public Safety’s role as it pertains to cybersecurity and speak to our interactions with the financial sector. I will speak to Public Safety Canada’s role on the issue of standards and regulations.
As part of its overall mission to build a safe Canada, Public Safety Canada contributes to the security and resilience of the cyber systems that underpin Canada’s national security, public safety and economic prosperity. It does this by providing national leadership and coordination in the area of cybersecurity under the authorities of the Department of Public Safety and Emergency Preparedness Act and the Emergency Management Act.
Within Public Safety’s national cybersecurity directorate, there are both strategic policy and operational functions which fulfill the department’s mandate. The strategic policy function is responsible for the implementation of Canada’s cybersecurity strategy which promotes a coordinated whole-of-government approach to the cybersecurity issue. It is also responsible for the development of national-level policies on cybersecurity and the overall coordination of cybersecurity matters across the federal government.
This policy team, in collaboration with many departments and agencies across the federal government, is also currently developing proposals for the government in response to the cyber review, a public consultation and extensive effort that we are going through now to help guide Canada’s way forward for cybersecurity.
Public Safety’s operational functions are housed within the Canadian Cyber Incident Response Centre, which serves as a single point of contact for the owners and operators of critical infrastructure to report cyber incidents to the Government of Canada and also to request assistance.
This operational team also has a mandate to coordinate a whole-of-government response to any significant national cyber incident. In all of this work, Public Safety Canada works closely with numerous departments and agencies, all of whom have a role to play in cybersecurity. We work closely with the Royal Canadian Mounted Police and the Canadian Security Intelligence Service who are here today. We also work closely with the Communications Security Establishment, Treasury Board of Canada Secretariat, Shared Services Canada, Innovation and Science Economic Development Canada, Global Affairs Canada and numerous others who are leaders in their respective sectors.
One of the industry sectors that Public Safety Canada collaborates with is the financial sector. We have very well-established, trusted and mutually beneficial relationships with financial institutions and associations across Canada dealing with both strategic policy considerations and operational considerations. At the policy level, there have been numerous interactions between Public Safety and the financial sector over many years where the financial community has contributed expertise and also their industry perspective to the development of policies and the priorities that Canada should be facing.
At the level of day-to-day technical operations, a number of Canadian financial institutions are close partners with Public Safety Canada and do share technical information on an ongoing basis. In our experience, the Canadian financial sector has a sophisticated, mature and very well-developed understanding of both the benefits and risks of digital technology. Those risks can range from a simple effort to crack one account holder’s account and obtain funds, to an attempt to falsely wire transfer block funds en masse to attempts to compromise financial networks writ large.
Cybersecurity is fundamentally an exercise in business risk management. Financial institutions have an acute understanding of risk management and in our experience are highly motivated and resourced to protect their businesses and the funds of their clients.
With respect to the issue of standards and regulations, Public Safety Canada is not a regulatory or enforcement body in the area of cybersecurity. There is currently no obligation for any individual or any organization to report a cybersecurity incident to Public Safety Canada. Further, Public Safety does not have the ability to compel any individual or organization to report an incident to us, nor does it have the ability to compel anyone to take an action on their network in response to a cyber incident.
Partners work with us on a voluntary, collaborative basis and we have found that approach is both productive and mutually beneficial over many years of experience.
With some exceptions, cybersecurity is generally not a regulated area in Canada or elsewhere in the world. Those exceptions include the protection of personal information such as might fall under the remit of the Office of the Privacy Commissioner or specific industry regulations as you might find in a regulated industry sector like the health, energy or financial sectors.
Some countries have adopted strategic approaches which place requirements on companies to adhere to specific cybersecurity standards and regulations. Some countries have attempted to mandate information sharing with regard to cybersecurity incidents. Other countries, the bulk, have adopted a voluntary and collaborative approach as we do in Canada.
One of the themes that emerged from the cyber review conducted over the last two years was a call for increased government leadership with respect to standards and regulations. Government is currently working to develop proposals to respond to that review.
In closing, I would emphasize that cyber-threats are constantly evolving and that Canada and Canadians need to work to stay ahead of those threats so we can continue to benefit from digital technology. As a cybersecurity agency, we would stress that digital technology is a wonderful thing, and we should use it, but we should use it safely. That is true for all sectors of our economy, not just the financial sector.
Public Safety enjoys a good relationship and frequent interactions with financial institutions across Canada, and we look forward to continuing that collaboration with them as we go forward in dealing with cybersecurity issues.
Thank you for your time.
Chief Superintendent Scott Doran, Director General, Federal Policing Criminal Operations, Royal Canadian Mounted Police: Mr. Chair, thank you for the opportunity to speak with you on the issue of cybercrime in Canada.
Today I will provide a brief overview of the RCMP’s mandate, rules, responsibilities and law enforcement initiatives with respect to addressing cybercrime in Canada and the financial sector.
Cybercrime captures crimes where technology is the primary target and where technology is a significant enabler or instrument for other types of criminality, whether it is financial crime, including fraud and money laundering, illicit drugs or national security offences.
The RCMP plays a central role in the Government of Canada’s overarching priority to provide for the safety and security of Canadians, and as such, has the federal mandate and authority to investigate criminal offences related to cybercrime.
The investigations of cybercrime involve those targeting government systems, networks and other critical infrastructure sectors. Our criminal investigations could result in the apprehension of criminals or the disruption of their cybercrime activity.
Policing efforts in the cyber realm are facing unprecedented challenges. This is largely due to the crosscutting nature of cybercrime. It applies to all types of crime, all levels of policing and it is borderless. The borderless nature makes it possible for cybercriminals to commit their crimes across multiple jurisdictions.
In addition, due to the scalable nature of cybercrime, one cybercriminal can victimize numerous individuals on a massive scale in a way that is not possible in the physical world.
Hence, cybercrime is a global problem that significantly impacts the safety and economic well-being of Canadians and Canadian businesses, particularly vulnerable members of our society such as the elderly and young people. Canadian businesses and individuals are a key target for cybercriminals because of our relative wealth and Internet-dependent economy.
Recognizing the threats and challenges being faced, in December 2015, the RCMP published its Cybercrime Strategy. The vision is to reduce the threat, victimization and impact of cybercrime in Canada and is built on three pillars: first, identifying and prioritizing cybercrime threats through intelligence collection and analysis; second, pursuing cybercrime through targeted enforcement and investigative action; and third, supporting cybercrime investigations with specialized skills, tools and training.
The Cybercrime Strategy includes an operational framework that was developed to guide the RCMP’s actions against cybercrime. One outcome of this is the development and enhancement of a number of teams. The RCMP’s federal investigations are undertaken primarily by the National Division Cybercrime Investigative Team located in Ottawa. Divisional Serious and Organized Crime sections, as well as RCMP technical crime units, also provide support and lead cybercrime investigations when the National Division team requires assistance.
The National Division Cybercrime Investigative Team, along with our technical investigative services, also works to improve digital forensic evidence capabilities for all types of investigations.
The National Intelligence Coordination Centre cyberteam is a dedicated federal policing intelligence unit focused on identifying new and emerging cybercrime threats.
With respect to cybercrime matters related to critical infrastructure, the National Critical Infrastructure Team examines physical and cyber threats to critical infrastructure. The team works closely with a range of domestic partners, including banks and other law enforcement agencies, to identify vulnerabilities or trends in order to prevent or mitigate the impact of attacks on our critical infrastructure.
Overall, the RCMP coordinates and collaborates with domestic, private sector and international partners to target cybercrime threat actors or to identify new and emerging cybercrime threats and methodologies. Specifically, the RCMP works closely with federal departments that play an active role in cybersecurity, including CCIRC, as noted by my colleague Mr. Hatfield; the Canadian Security Intelligence Service; and the Communications Security Establishment Canada.
Coordinated and collaborative efforts are conducted on many fronts and are in line with the vision outlined in the Cybercrime Strategy.
Law enforcement activities range from identifying and prioritizing cybercrime threats based on criminal intelligence; coordinating, investigating and disrupting cybercrime activities; and handling digital evidence to support cybercrime investigations.
Operationally, the focus for our investigations includes malware developers and distributors; cybercrime infrastructure developers and operators that facilitate cybercrime, for instance, botnets, forums and digital marketplaces; financial network operators that facilitate the laundering and monetization of proceeds from cybercrime; and investigations into traditional crimes under the federal mandate, such as fraud, where the perpetrators are able to use cyber systems to increase victimization.
When it comes to Canada’s financial and commercial sectors, the volume and severity of cybercrime affecting Canadians and businesses has been increasing significantly.
The advancements in technology that can be used to assist traditional crimes such as money laundering have led to a shift in the way that law enforcement must respond to large-scale financial crime. No longer are organized crime groups, professional money launderers or international money controllers bound by traditional methods of laundering and moving their proceeds of crime. Dark web marketplaces, the growth of virtual currencies and complex trade-based money laundering schemes are examples of technological advancements that have effectively eroded borders and allowed criminal organizations to set up a truly global footprint.
Cybercrimes that are reported to the RCMP reveal that many are linked to significant financial crimes, both domestically and internationally. That includes the deployment of malware such as banking Trojans, a multiplicity of online fraud scams, email compromise or through extortion events including ransomware or distributed denial of service attacks.
That said, cybercrimes are also under-reported, and one of the reasons stems from the myriad of reporting mechanisms in Canada that are confusing for the public and reduce the likelihood of reporting.
The under-reporting prevents law enforcement from connecting the dots because of a lack of appropriate data to comprehensively understand and analyze the issues. This hinders law enforcement from strategically responding to cybercrime on a larger, coordinated and more targeted scale.
While we continue with efforts to combat cybercrime, gaps and challenges remain. First, most cybercrimes are multi-jurisdictional in nature but are often addressed by domestic police services in isolation, leading to uncoordinated law enforcement efforts.
The demand in this area of criminality has surpassed the RCMP’s capacity. We are unable to realistically commence more cybercrime investigations against major threats. It’s also a challenge to coordinate joint investigations with international law enforcement partners whose capacity and capabilities differ from ours, making it difficult to ensure Canadian elements are prioritized.
Addressing cybercrime requires both international and domestic cooperation.
Lastly, there is a need for more resources possessing the knowledge and expertise to effectively combat cybercrime. This is an area that affects virtually all law enforcement cybercrime efforts.
Bearing this in mind, the RCMP still continues to actively take action to advance the level of readiness to respond to cybercrime and engage in effective collaboration with international partners. On the international front for example, the RCMP works with international law enforcement partners to disrupt networks such as major international criminal infrastructure platforms, used to launch and manage mass global malware attacks. The monetary losses associated with malware attacks are estimated to be in the hundreds of millions worldwide.
The RCMP participates in concerted global efforts with international law enforcement partners to take down such networks and to identify key cybercrime threat actors.
The RCMP is working with government and other stakeholders to examine a variety of reform measures that would help strengthen our ability to keep pace with cybercrime writ large. Some of the specific actions include greater law enforcement collaboration with industry partners, developing new in-house technical solutions, more domestic and international cooperation, and expansion of public awareness.
Specific to financial crime, the RCMP continues to work with its partners both domestically and internationally to understand better and to address the technological advances. This includes improving information sharing, identifying and taking joint action to address the rise of international money controllers, and sharing methods for training front-line officers on the complexities associated with modern financial crime.
Domestically, we are working with our Government of Canada partners to modernize our financial crime regime to ensure that law enforcement has the tools they need to meet today’s challenges effectively as well as those we know that are coming in the future.
I thank you for inviting the RCMP here today and welcome your questions.
The Deputy Chair: Chief Superintendent Doran, thank you very much for your presentation.
We will go to the Canadian Security Intelligence Service, Charles Lowson.
Charles Lowson, Director General, Counterintelligence and Counter Proliferation, Canadian Security Intelligence Service: Good afternoon, Mr. Chair and members of the committee. My name is Charles Lowson and I am the Director General of the Counterintelligence and Counter Proliferation Division at the Canadian Security Intelligence Service, or CSIS. My division is responsible for the service’s investigations of espionage, foreign influence, proliferation of weapons of mass destruction and certain threats. It also houses CSIS’ Cyber Centre, which conducts national security cyber investigations.
Mr. Chairman, the men and women of CSIS work diligently every day to keep Canada and Canadians safe, and I’m proud to represent them here today.
I would like to thank you for your invitation to participate in this study on cyber security as it relates to Canada’s financial and commercial sectors. I will keep my remarks brief, but I would like to provide some insight into the service’s mandate and role within the broader cyber security community in Canada.
The CSIS Act mandates the service to investigate activities suspected of constituting “threats to the security of Canada” and to advise the government on these threats. These threats are defined in section 2 of the CSIS Act as espionage and sabotage, foreign-influenced activity, terrorism and the subversion of government through violence. CSIS may also undertake measures to reduce the threats to the security of Canada in accordance with well-defined legal requirements and ministerial direction.
Our digital and interconnected world provides a powerful channel by which hostile entities can conduct espionage, foreign influence and even terrorist activity targeting the institutions, businesses and citizens of Canada. Offensive cyber operations have become a tool by which foreign hostile states conduct espionage, sabotage and foreign interference.
While, by virtue of the sensitivity of CSIS’s work, I cannot speak to specific threats or active ongoing operations, I can speak to the nature of national security cyber investigations, the current threat environment and channels through which CSIS advises government partners on cyber threats to the security of Canada.
During the course of a cyber investigation, the service leverages the expertise of both technical resources, such as computer scientists, and non-technical resources, such as intelligence officers who are knowledgeable in traditional intelligence operations. It employs a range of collection techniques, which may include human sources, to better understand the trade craft and motivations of cyber threat actors as well as to determine the attribution of cyber incidents. This body of knowledge is crucial in terms of supporting the Government of Canada to assess fully and respond to cyberattacks as well as more broadly to help the Government of Canada respond to the challenges of espionage, sabotage, foreign influence and terrorism.
As an open and developed economy, as well as a leader in innovation and research and development, Canada is a prominent target for malicious cyberattacks, be they perpetrated by state or state-sponsored actors, terrorists or organizations. CSIS investigates threats to Canada’s national security and provides advice to government. As such, our focus is on states and state-sponsored actors who operate clandestinely, including with cyber operations, to achieve their objectives to the detriment of Canada’s national interest.
In addition to stealing intellectual property, one of the objectives of state-sponsored cyber-activity is to obtain information which will give foreign companies a competitive edge over Canadian firms. This can have a negative impact on investment or acquisition negotiations involving Canadian companies and the Government of Canada, and, in turn, lead to lost jobs, revenue, and market share. Ultimately, cyber-espionage negatively impacts Canada’s economy as a whole.
With respect to specific cyber threats to Canada’s financial and commercial sectors, the topic of this study, I will defer to my colleagues at the Canadian Cyber Incident Response Centre and the Communications Security Establishment Canada, who specialize in cybersecurity. CSIS has no role in the development of cybersecurity mitigation measures or the provision of advice to the public or industry. It does, however, support its Government of Canada partners when there is a clear threat to national security or a state-sponsored actor involved.
The service does not have the mandate to investigate cybercrime, either, which is rightly a law enforcement role. Of course, the service de-conflicts regularly with the RCMP on a broad range of concerns, including cyberattacks, when the nexus to cybersecurity is unclear, a relatively common situation in the nebulous world of cyber investigations.
In the event of a cyber compromise that represents a threat to national security, the service works closely with other government departments such as the Royal Canadian Mounted Police, the Communications Security Establishment Canada and the Canadian Cyber Incident Response Centre to respond to the cyber compromise, including investigating the compromise, identifying the actor and trade craft, and informing government.
Responses may require immediate technical solutions, but they may also require a broader response. Cyberattacks perpetrated by state actors do not necessarily call for a response in kind. Instead, a variety of different Government of Canada responses may be considered, depending on the state and the gravity of the situation. Informing the development of such responses with intelligence is a key role for CSIS.
The service also works closely with Five Eyes partners and like-minded foreign security and intelligence agencies for the purpose of intelligence exchange. This supports the Government of Canada’s awareness of broader cyber threats affecting allies and partners around the world, and supports the development of well-informed Canada-only or joint responses.
For CSIS, foreign influence activity using cyber means is also an investigative priority. States can and do use cyber-facilitated activities to interfere in the lives of members of diasporas across this country and to intimidate or quell political dissent. Recent events around the world have shown the impact that foreign interference in fundamental institutions, including the media, can have, with significant consequences on political systems and outcomes. Cyberattacks are a powerful tool that can be used to release damaging information and spread misinformation that undermines public discourse.
As Canada and the world continue to embrace connected digital technologies to progress, cyber-attacks will remain an effective tool of choice for a range of hostile actors: cyber-attacks are efficient, cost effective and deniable. State-sponsored cyber-attacks benefit from significant, dedicated resources, and increased sophistication. This is a threat that is ever-evolving, and a threat that hangs over all sectors of Canadian society.
With that, Mr. Chair, I will conclude my remarks and welcome any questions.
The Deputy Chair: Thank you very much, Mr. Lowson.
Senator Wallin: I have two related questions, first to Mr. Hatfield. As we begin our study here and as Canadians look at this information, everybody will be a bit taken aback to discover that you can’t enforce or regulate cybercrime, that no individual has an obligation to tell you if something happens and you can’t compel somebody to do that. Do you think those rules should change? I ask that because of Superintendent Doran’s remarks that, because cybercrimes are under-reported, that such under-reporting prevents law enforcement from connecting the dots — which was his phrase — and at the same time demand in this area has surpassed your capacity. Chief Superintendent, is this a cry for budgets or a policy change, or both?
Mr. Hatfield: Thank you for the question.
First, I would say that there’s a distinction between a cybercrime and a technical incident that occurs on a computer network. When a partner contacts Public Safety Canada saying, “I think I see something odd on my network,” that doesn’t necessarily mean a crime has been committed, and it doesn’t necessarily mean that information has been breached. There is a distinction there. The focus of Public Safety Canada is technical network security information to assist our partners in securing their networks and passing on anything we can learn to other partners.
With respect to what should be done, based on the cyber review that has occurred over the past few years, which included a public consultation, there was a significant demand for government leadership in this area. Regulations, standards and all of that were prominently featured in all of the commentary that we received. All of that input is currently being used to determine a new way forward for government.
Senator Wallin: Is there a time frame on that?
Mr. Hatfield: I’m afraid I don’t have a date for you, senator.
Mr. Doran: My comments were neither a request for funding nor a request for policy change. We are well engaged with our other government partners to try to figure this issue out.
On the issue of our ability, our capacity has been surpassed. The reality is, it would be no surprise to anybody here that we could have all the resources in the world and there would still be files we couldn’t get to. That’s just the nature of cybercrime.
For us, it’s a combination of the advances in technology that are moving the cybercrime yardsticks very quickly with our inability to staff up properly and efficiently to be able to get to them. That said, our model is one that prioritizes our files based on the greatest threats, so those are the files we’re working on. I’m satisfied that we’re working on the ones that would be most concerning to Canadians.
Senator Wallin: Would mandatory reporting help or just increase your workload?
Mr. Doran: I don’t know that mandatory reporting would help necessarily. What it might do, however, is if we were able to consolidate those reports and analyze them properly, we may develop links that shore up one file in Vancouver, another in Calgary, another in Toronto, that are actually all the same perpetrators, which is something that’s not happening now. It is happening a little bit, but not on the scale we’d like to see it.
Senator Wetston: Thank you for coming today. I wanted to explore a general area with you. All can answer if you wish. It’s not specific to any particular person. From my own experience — and you would probably agree with me — the Internet is clearly the 21st century crime scene. I describe it that way in lay terms.
I read a report from the World Economic Forum, the Davos forum, the Global Risks Report. They recognize that cybersecurity is one of the top commercial risks today. I suspect none of you would disagree with that, but I just pose it as part of my question.
I’d like you to comment on whether this is just an IT issue or is it something more? If you permit me, I’ll combine the questions.
I want to pose my question this way because it’s more than an IT issue and obviously your expertise is important in this issue. The technology we have is advancing the risks to the marketplace associated with this technology. So the same technology that’s creating the benefits is also the same technology that’s creating the opportunities for cybercrime and disruption. What is the state of readiness within Canada to deal with cybercrime and cyberattacks in general terms?
Mr. Hatfield: Thank you, senator. You said that cyberspace is the 21st century crime scene and that cybersecurity is one of the top commercial risks. I would also say that cyberspace is the 21st century playground, marketplace and school.
Towards your second question, any kind of technology we’ve ever developed, be it a sail for a sailboat, a steam engine, electricity, it does bring dangers with it. What we as a society have done largely is learned how to manage and mitigate those risks while leveraging the benefits.
I notice a number of you tonight have tablets in front of you. The tablet as a market segment did not exist eight years ago. When Steve Jobs in 2010 held it up, most people thought he was crazy. That is the rate of change we’re seeing with technology.
What is the state of readiness in Canada? Canada has a tremendous amount of capability in this field. We are world leaders in many areas related to cybersecurity. What Canada is doing in quantum research is second to none in the world. Our information communications technology sector is deep, broad and mature. Our impression from where we stand and how we have engaged with partners is we are very well positioned in this space.
So is this just an IT issue? Absolutely it is not. Cybersecurity is about people, processes and technology, of course. But no technological issue or risk is ever solved just with technology. It’s solved by the people who work together to address these issues.
Superintendent Mark Flynn, Director, Cybercrime, Federal Policing, Royal Canadian Mounted Police: I can add to the comments that Mr. Hatfield just gave. It is certainly more than IT. IT is a very large component of it. But as people adopt the new technology in their day-to-day lives and the rate at which they’ve done so, we’re in that spot where they need to balance their use with it, their understanding of it, with the access it provides and the implications it has for their privacy.
The Internet and other online systems have allowed criminals and other actors to remove the personal interaction elements, and some of those personal communication skills that we see that people use to identify when a threat is present and when a threat is not present. The proliferation of all these online systems and communications and the depersonalization of interaction with people for banking and other things make people vulnerable to that impersonal interaction and that trickery that cybercriminals are using to exploit them.
So we’re in a place where everyone is learning the advantages of the access, ensuring the privacy and access that they want to have in that space versus implementation of protections to keep them safe while they’re there. That’s an ongoing effort.
Mr. Lowson: I will largely defer to what my colleagues have said because your questions focused principally on cybercrime. As I mentioned in my opening statements, that’s the responsibility of law enforcement, not the Canadian Security Intelligence Service.
However, you did speak about your belief that cybercrime and cyberattacks are more than an IT issue. My colleagues have reinforced that notion. I would agree with that. When we speak specifically about the threats to the security of Canada with which the service is concerned — and again, those would be espionage, sabotage, foreign-influenced activities and terrorism — we’ve used cyber as an enabler. It’s a tool that allows actors to be better at what they do. It’s from that perspective that we look at it. So it’s connected to the traditional threats that we’ve always looked at, but it’s allowing those threats to be carried out in a new space and with a new velocity. Those are some of the challenges we face as we look at this evolution of the threat.
Senator Moncion: Thank you for your presentation. I have worked in the financial milieu, and I know that it was generally well protected, precisely because large amounts of money are at stake. You spoke a great deal about infrastructures. What type of regulation is in place to help reduce the number of investigations for businesses that operate infrastructures and websites? First of all, is there regulation to fight these famous crimes? Let’s take Equifax Canada as an example. It created a major personal information security issue for millions of people. What type of regulation is in place for these businesses, in order to lighten your workload where there are no safeguards?
Mr. Hatfield: I would say when there’s a sharp distinction between regulatory requirements that we place on companies and standards and technologies available to them. Cybersecurity is a very well-developed field. The top 20 things you should do to your network to make sure it is secure largely haven’t changed in the last 20 years. We are still trying to get people to change their passwords on a regular basis and not having great success any more than we did 20 years ago. But the basics are very well known. The expertise is there. There are extremely skilled companies with great resources available to them that can assist companies across Canada.
Changing that from a standard or best practice or available expertise to a mandated regulation is a separate question. Public Safety Canada is not a regulatory agency. I would encourage you to ask regulators in the financial sector precisely what regulations they impose on companies of this type.
Mr. Doran: In the case of the financial sector, of course, the information that is being stolen was on a paper file 20 or 25 years ago. They’re using the cyberworld to enable their business, period.
To put regulations around that — security regulations, perhaps, and it’s certainly not our area and I don’t want to espouse regulations one way or the other, but I will say that we have, generally speaking, a very good relationship with the Canadian financial institutions, and they cooperate with us and we cooperate with them, and it’s in all of our best interests to ensure the integrity of that particular infrastructure.
Senator Moncion: I agree with you, but there is now a concern about open banking, and the federal government is looking at opening the networks between banks. How are we going to work around that?
Mr. Doran: I’m not that familiar with the open banking concept. I will say, from a police investigative pursuit point of view, of course, that will make things more complicated, as are the virtual currencies that currently exist, and the emerging new cryptocurrencies that seem to be popping up on a regular basis.
It’s all more complicated. To the earlier point, is it IT? We all said, no, it’s not IT, but I don’t want to diminish the importance that exists with the advances in IT. You can imagine how difficult it is to keep up. For every tablet in this room, we need to figure out a way to get into it, or try to, and that’s just one facet of one technology.
It is an enormous task from an investigative perspective. As far as the open banking goes, absolutely, it will bring challenges, and hopefully challenges that we can deal with collectively.
Senator Carignan: I listened to you, and you said that cybercrime costs several hundred million dollars. It may in fact be several hundred billion dollars a year, according to the figures. I have the sense that the problem is so huge that we have lost control of it. This is a situation where individuals and businesses have to take their own security in hand by installing security software on their equipment or their own systems, because security services don’t have the means to stop the crime or to punish the perpetrators. Am I mistaken? I would like to hear your comments, because I get the impression that we are in the virtual Far West, and that no one is safe anywhere. Law enforcement cannot ensure our security. We have to take charge of it ourselves by installing security on our equipment and our systems.
Mr. Doran: Adam, maybe you can speak to cybersecurity writ large, but it is obviously on a large scale, but I don’t see this much different from putting door locks on your house. We have always had door locks. We have always had to protect ourselves unless you lived in the country and had the luxury of knowing all your neighbours and felt more secure. People will feel more or less secure depending on their personal experiences, and they will make the judgment whether they need more or less security.
I don’t think the concept of securing yourself is anything new, and I think people do have a responsibility to protect themselves online, as they would in their house and on the street, and be cautious in moving forward.
We are having an impact. To say the problem is out of control is — well, to be honest, I can’t comment whether it’s out of control. I feel the investigations we have are well in hand and we are controlling them and making advances, and we are putting people in jail. We are not, but the courts are, based on the evidence we’ve collected. I feel quite comfortable in that regard. Again, it’s a scalable issue. Could we do more? Yes. Could people do more for their own security? Absolutely.
Senator Carignan: How many offences were reported, and how many people were convicted of cybercrime?
Mr. Doran: I can’t give you an answer, because cybersecurity is the responsibility of all police forces in Canada, and so the statistics come from Toronto. I could not answer you.
Senator Carignan: And what of your own?
Mr. Doran: I can note the question and send you an answer later.
Senator Carignan: Do you see the dilemma? Where are we going to deploy our resources? Are we going to put more resources into police services that seem to have trouble flushing out the criminals, or should we give more resources to businesses, to financial services and to individuals, so that they may invest in their own independent protective devices?
Mr. Doran: Is that a question?
Senator Carignan: Yes.
Mr. Doran: It has to be a comprehensive approach. I don’t think you can invest in one area alone and expect the problem to go away. There has to be a balanced approach. We do a lot of prevention work. We try and teach people to protect themselves, and we do investigations, and our colleagues do the same thing, except for the investigation parts, in government.
There has to be a comprehensive, multi-faceted approach to dealing with this issue.
Mr. Flynn: We are being called upon by many of the technical resources in very capable cybersecurity units within the private sector to add the elements that police uniquely have with respect to judicial authorities, to go and attempt to remove the people who are committing these crimes from the system.
As Chief Superintendent Doran said, it is a balance of what they are able to do with the skills and authorities they have within the private sector, married with the authorities that are limited to police and other organizations to take action to augment that phenomenal capacity that exists today in the private sector.
Senator Ringuette: Thank you, gentlemen. I have to question what, from my perspective, is practical. The first is the case of Equifax where the personal data of 100,000 Canadians was gathered through cyber intrusion, and so we have a situation where there is a possible identity and financial theft for 100,000 Canadians. Who manages that file? Who investigates that file? Equifax says they are talking with those Canadians, informing them that their personal information was gathered, but there is an entire follow-up to that, more than an Equifax letter. What is the process that you do in such a situation?
Mr. Flynn: From the RCMP’s perspective — and I’ll speak in a general sense around a situation like that, just so I’m not going too deeply into an individual incident — when something like that occurs, particularly in a global fashion as did occur with Equifax, we collaborate closely with the other international law enforcement agencies that are responding. We are looking at where infrastructure is, where victims are and where potential actors are, and we work collaboratively with the law enforcement community around the world to try and target those individuals, determine who they are and prosecute them within the authority of the laws in whichever country they are acting or within Canada, if appropriate.
With respect to the victims and the long list of people whose identities were potentially compromised, we monitor what is occurring within that effort to make sure they are informed. However, our primary goal is to investigate it and ensure their privacy is protected as much as we can going forward.
The ability of the RCMP to take the list of hundreds of thousands or millions of individuals whose identity was potentially compromised is a very challenging feat for us, so we are very pleased when the private sector takes appropriate action and notifies people so that they are aware of what has occurred with their private information and can take appropriate action.
Senator Ringuette: There is more to this than the immediate follow-up. Within this case, Equifax shared with you the personal data that was stolen so that you know and you can work with the Canadians involved in this to help them protect themselves in regard to financial and identity theft.
When you talk about victims, there is also a proactive process that needs to be followed. Are you doing that?
Mr. Flynn: In many situations where private information was stolen by a cyber actor, individuals’ information is not necessarily shared with police or other entities. That is still private information, and I would assume many would not want that information shared directly with police.
The information that police are given or to which police gain access through different judicial authority is the information necessary to gather evidence to hold to account the people who perpetrated the offence.
Senator Ringuette: So in other words, you have no knowledge of the victims.
Mr. Flynn: In many situations, we do not know the private information of all of the victims, that is correct.
Senator Ringuette: Wow.
Mr. Doran: You must understand that from an investigative perspective, not a policing perspective writ large, we don’t necessarily need to know it to conduct our investigation. We are looking for the administrator, the infrastructure and the money. Those are our responsibilities.
However, to your other point about public awareness and letting potential victims become aware of the threats potentially related to them, we do that predominantly through the Canadian Anti-Fraud Centre, which is located in North Bay. They are responsible for receiving calls on fraud, scams and things of that nature and collecting the information and trying to develop an intelligence picture. They actually have a seniors’ program where they will call seniors who have been victimized, give them information packages and tell them what the most recent frauds are so they are aware. They will do that coast to coast.
As far as there being a public awareness and prevention campaign, we do that as well, but Mr. Flynn is talking specifically about the investigative process. We are after the people behind the machines. With the victims, it’s unfortunate, but Equifax is the primary victim. They’re the ones we need to deal with, because they have the information we need on their systems to backtrack to where we need to get to.
Senator Ringuette: There is a loophole into this cycle, and the loophole is the victims that I find.
Chair, may I go with my other practical question?
The Deputy Chair: We will put you down for your other question for round two. Have you finished your first question?
Senator Ringuette: We need to acknowledge that in the current spectrum of protection from cyberattacks, there is no real mechanism in place for the victims of cyberattack.
The Deputy Chair: We can get into that more on round two. It will give them a chance to think about it.
Senator Massicotte: Thank you for appearing before our committee. First, I am trying to understand the scope of the problem. You say, Mr. Doran, that we lack resources to react. I feel like I am on the telephone with a representative from HP or Microsoft who is trying to explain to me how to operate my computer, and I have trouble understanding the gist of what he is saying to me.
I’d like to do a little exercise with you. Suppose you had two minutes with the Prime Minister of Canada and the provincial premiers to explain the importance and seriousness of the problem, and to talk about your budgets and the regulations you need in order to do very good work. I feel we are facing a very big problem and that we are in a race with criminals, and at this point, I wonder if they are not winning the race. I’d like you to give us an overview of what you need. Is this a major, significant issue? I think it is very important.
Mr. Doran: The problem is important. I would have to get back to you on the scale of the cybercrime-enabled losses versus what the losses were before cybercrime existed. Clearly, they would have increased, but I’m not comfortable saying they have increased exponentially to the point where the problem is out of control, as your colleague mentioned earlier.
More public awareness? Absolutely. Having people secure themselves? Absolutely. Having people be aware of the various scams and attacks that happen is very important. It is being done. Can we do it more? Probably.
Investigations, per se — at the end of day, that may become a policy decision on what is reasonable to go after and what is too much as far as — we’re never going to eliminate it entirely.
Senator Massicotte: I’m hearing it’s another problem among many others you have, it doesn’t deserve any particular attention or additional monies, and it is run of the mill. Is that the right impression?
Mr. Doran: No, it’s a problem we’re extremely concerned about. It’s an evolving issue that evolves as quickly as the technology is evolving and as quickly as people can get their hands on and become bad with the technology.
It’s not a small problem; it’s a significant problem. I just can’t tell you compared to organized crime and other criminality how much bigger it is, but I would say it is definitely bigger than it was.
Senator Massicotte: I have a fear — and you can respond — that you don’t know what you don’t know. So you are talking about things you have seen. I am concerned that this thing is huge, and I bet you a lot of old people respond to those emails, lose a lot of money, and never report to their kids, to you or local police. They are so good at it. How do you know what you don’t know? I suspect what you don’t know might be a lot.
Mr. Doran: We think there is a significant under-reporting problem. I completely support that proposal. I also think under-reporting is an issue that has existed for every type of crime we’ve known about, whether it’s break and enters or others. We know sexual assaults are under-reported and so on. That’s a pervasive issue when you are investigating crime.
That said, are reporting efforts getting people to report more? Yes. Our cybersecurity strategy involves that. The government writ large is trying to get people to report more, to get a better picture of what is going on. You are right that we don’t have an absolutely clear picture, but we have a picture of what we know and we don’t have a picture of what we don’t know. We can estimate. I think the Canadian Anti-Fraud Centre estimates that the under-reporting is well over 50 per cent.
Senator Massicotte: As a Canadian citizen, given that it’s like a competition, the bandits have a lot of money and they can hire the best computer hacker. Your team has limited funds. I hope you win. It’s important stuff.
Mr. Doran: In fairness, we’ve never solved all crime. We try and solve enough to keep good people good and keep things rolling the way they should be in our communities so that people can feel safe. I think we are accomplishing that. But we are under no illusion that we are going to stop cybercrime or crime at large.
Senator Unger: Thank you for your presentations. I would like to add another problem, or maybe it’s many problems, I’m not sure.
You’re probably aware that at a university in Belgium, an announcement was made that hackers have discovered a way to completely defeat the encryption that WPA2 provides on Wi-Fi networks. It is serious, of course. It affects all modern Wi-Fi equipment from mobile phones, tablets, workstations, routers, printers and the usual suspects. Would any of you like to comment about this? How do we even begin to ensure cybersecurity when vulnerabilities like this are possible?
Mr. Hatfield: That particular issue was actually identified by the technology community at least the early part of this year. Many manufacturers have already issued fixes and patches to mitigate the problem with their equipment.
What we see generally when this kind of thing is discovered — and it is discovered, no one can build a perfect system so there are always flaws — is the technological community and the international, global community of cyberexperts tend to respond extremely quickly.
This particular issue within the Government of Canada, when the announcement came out, many questions were asked. Our IT people were well aware and already on it.
I would recommend the technical lead for cybersecurity technology issues of that type is the Communications Security Establishment. They would be able to speak to that question in detail.
Senator Unger: Mr. Hatfield, you said we are world leaders when it comes to cybercrimes and cybersecurity. How do we compare to the U.S.A.? From the cyber review that was done, there was a call for increased government leadership on this. What would that be?
Mr. Hatfield: In terms of how we compare to the United States or other partners, we spend a great deal of time — myself and my organization within the cybersecurity policy domain and I know my counterparts in their respective domains — talking to international counterparts. We ask, “What are you doing? How are you addressing this problem?” The answer we usually get is, “That’s a really good question. What are you doing?”
We have found we are very much at par with international allies in terms of understanding the problem and the kind of initiatives we are putting forward to deal with these things. Everyone on the planet is using the same IP protocol on computers. We all have the same Apple iPhone designed in California. We all are dealing with the same technological issues. We are at par if not leading in many areas with respect to cybersecurity. In some niche areas, for example quantum computing, Canada is breaking ground globally.
The cyber review has been running over the past two years and its purpose is to elicit a wide access across Canada and what the next step for government should be. All of that input is being used to find a new way forward for government.
Senator Unger: Lastly, should we be worried about Russia?
The Deputy Chair: Did you expect an answer to that or are you just putting it out there?
Senator Unger: If anyone wants to answer, please do. If you don’t, that’s okay.
The Deputy Chair: We should be worried about everybody.
Senator Unger: I am thinking specifically about the Senate inquiry in the United States. They have some interesting issues to deal with that they are trying to get to the bottom of and I’m wondering if we should have those concerns as well?
Mr. Doran: That question is out of our purview. However, when it comes to cybersecurity and cybercrime, I would worry about a lot of people in a lot of different countries.
Senator Campbell: Thank you for coming today.
When I push the print button, I’m amazed that a machine across the room spits something out. That’s my level of this.
My concern isn’t about Equifax. My concern isn’t about elderly people being ripped off. I’m obviously concerned about it, but that has taken place forever. I was a Mountie at one time and we dealt with it differently.
I’m concerned about the threat where we have the superimposition of organized crime, foreign governments and terrorism all wrapped up in the same ball of wax. When I look here and I see three or four or five different agencies, plus the private sector who all have a responsibility in it, I worry about how we’ve organized that, whether we are in a position for the rapid deployment of it. I would worry about finding out that we have no electricity. For instance, is WikiLeaks criminal? I don’t know, but it seems to be. I believe you can get into anything you want. There is not a system built that someone can’t get into.
How do you coordinate at our level when all of these come together? We know that they all come together. People sell drugs which gets money that then goes to terrorism or to foreign governments that have no trade with the world. How do we deal with that when we come upon it?
Mr. Hatfield: The coordination question is an excellent one. It’s an old saying in cybersecurity that it is everyone’s problem and everyone has a role to play. The Government of Canada has looked to Public Safety Canada to coordinate cybersecurity policy writ large across government. We do have mechanisms in place where multiple government departments regularly come together. I could probably name 14 that are regularly engaged in cybersecurity matters, be it law enforcement, national security, intelligence, protection of critical infrastructure, foreign affairs issues, financial issues, et cetera. There is a very deep understanding of the requirement to coordinate and to ensure that the many facets of cybersecurity are being addressed in a holistic way.
It is true that specific agencies have specific mandates, roles and responsibilities. That also applies to the private sector.
Everyone does have a role to play. Your own system, your own information and intellectual property, no one cares about it more than you do. The private sector and citizens do have a responsibility to educate themselves and to use what they buy in a safe way.
The engineer can put the seat belt in a car, but you have to put it on every time you get in the car. We have learned to do that and accepted that as part of using a car safely.
The coordination is absolutely there. As was noted earlier, the need for more government leadership and clear leadership on this issue was a strong theme that came out in the cyber review. Another strong theme was concerns about cybercrime. All of those issues are being examined right now; a new way forward is being looked at.
Senator Campbell: How do you do that when things change so quickly? How do you keep out in front of this? I’m not asking about the investigational techniques. Every day we read that somebody’s discovered this or been able to do that. There are people who spend their lives trying to break into things just for the hell of it, just to be able to get inside there. How do we deal with that with technology changing so quickly? Do we ever get ahead of it, or are we always on the trailing edge?
Mr. Hatfield: Something that we have observed is exactly what you’ve described, there’s always a news item about there’s been another attack, another breach, some other hacker has accomplished something. I feel it is very easy to lose sight of whether there are unfathomable amounts of innovation that have occurred across the globe because of digital technology and the Internet. Every year that has gone by has seen more hacks than the year before, but every year that has gone by has seen more commerce done over the Internet and more users and activity on the Internet. Canada leads the world in per capita usage of computers and Internet time.
The negative headlines are easy to see, and it’s easy to look at the numbers that always seem to go up, but all of the positive numbers are also going up. The benefits we receive from the Internet, we don’t notice them so much, but this particular presentation is being webcast. That would not have occurred 10 years ago, but today it is, and we don’t even think twice about it.
It is easy to see only the negative. As part of our cyber review, the reason we asked those questions was to say to Canadians, “How bad is this problem really, and what is the right next step for Canada?” That is the work being done now to put forward a new strategy.
Senator Black: I would like to build on the excellent questions my colleagues have been asking you, but, first of all, I want to thank you all for being here but more importantly for your service to Canada. You’re doing important work. We rely on it, and we know, in large part, it must be successful because we haven’t heard a lot of things from you. I’m glad about that.
I liken what we’ve heard today to a hockey game. You’re the good guys, and there’s a team of bad guys. I’m sitting in the stands watching the play move back and forth. Are the good guys or the bad guys winning this game? It’s a general, high-level way to put what I’m hearing. Who is winning?
Mr. Doran: One of your colleagues mentioned earlier we may not know what we don’t know. In the game we’re playing, we’re doing pretty well, I would say, from what I know. But I would also point out that as the game and season evolves, and as the year turns into another year and a different game, we have a new generation of good and bad players coming up.
The bad players are what we’re trying to deal with now. We have a bunch of young hockey players who are just as smart and just as switched on as the bad guys. They are keeping pace. The things we don’t know, however, that’s the ringuette game going on at the next rink, and we’re not sure what’s going on over there.
Senator Black: I assume, though, from what you have said that we also have pretty good scouts out there trying to understand the game. I would assume that when North Korea hacks Bangladesh’s national bank, you figure out what’s gone on there and adjust your game plan. That would be a fair assumption, I would imagine.
Mr. Doran: Yes.
Senator Black: Can you tell us what your obstacles are? Give us your three obstacles to continuing to win the game. We’re having these hearings because we want to be helpful to this cause.
Mr. Flynn: One of the most significant issues we’re having is around having better coordination with all of our other partners. We’re undertaking to do that better. We’re undertaking to work better with local police.
I will tell you that, as you have four of us sitting here from three different organizations, this is not the first time that we have all sat at the same table. The one distinct element of what we’re doing around cyber, the seriousness that we’re all applying to it, is that we have a collaborative relationship with all the government departments engaged in cyber. We’ve moved far beyond any competitive element of whose mandate is this and that and where is the overlap. Whenever we see elements of overlap, we look at that as an opportunity and a very good thing of where we can work together and make things much better.
Anything we can do to improve the coordination and collaboration, better communication with the public in raising the awareness and skills of the individuals that we require to target this crime, we welcome those things.
Senator Black: Obstacle one, coordination, although you say you work well together, but it’s still an ongoing challenge. Other obstacles?
Mr. Flynn: It’s always a balance for us of the number of resources versus the problem we have and the ability to tackle it. Looking from my primary role of coordinating governance and oversight of operations, we always want to tackle more. When we look towards the collaboration and identification of the resources, the private sector, we’re looking for ways to use as multipliers for the existing things in place. “Coordination” is a word I use. It’s more than just a single word that says we need to communicate better. It’s applying the resources that exist, and potentially new, if appropriate, to tackle the problem in the most effective way.
Senator Enverga: Thank you for the presentations. We’re wide-eyed here. We want to listen to you, of course. I worked with computers for the longest time in my previous life. I know there are multiple points of attack all the time. It could be just your cellphone or your printer or something else in the airwaves. Those are the things we are looking for.
How prepared are we? How protected are we? On a scale of 1 to 10, where are we right now in terms of preparation and protection?
Mr. Hatfield: I would hesitate to put us on a scale. As we’ve said, we don’t know what we don’t know. What I will say is that in working with critical infrastructure sectors, for example, across the country — all sectors, not just the financial sector — the importance of digital technology and what it means for automation, for efficiencies, for improving service, many of us now have a smart meter in our house that lets us save power across the province in ways we never imagined. All of those innovations, it is well understood that when you put a piece of digital technology in your smart meter in your home, your fridge or, for some reason, your toaster — you can get an Internet-enabled toaster that burns the weather forecast into your toast. I’m not making this up. Every time you do that, you introduce something that could be exploited by somebody. The critical infrastructure sectors across Canada are acutely aware of that.
What I would say in response to this — and it’s somewhat in response to previous questions as well — Canadians are smart people, and we shop online and spend a lot of time on the Internet, and our companies automate and leverage technology, and we’re still here. We’re enjoying it and benefiting from it, and I don’t think Canadians would do that if it was imperilling them. I don’t think if they were losing money hand over fist they would continue to do it.
There are problems and risks, but looking at the expertise and level of awareness we have and the coordination that my RCMP colleagues have spoken of, I won’t put it on a scale, but I think we’re doing this the right way, and we’re among the best in the world at doing it.
Senator Enverga: Is it 50-50 or in the middle? You are basically unaware or have no clue what’s happening in the future. Is that what it means? I know you’re ready, but how ready are we? If you can’t scale it from 1 to 10 . . .
Mr. Doran: But when you say “how ready are we?” —
Senator Enverga: How protected are we?
Mr. Doran: Maybe it would be helpful to clarify. Are you talking about the Canadian public writ large or my neighbour, who is far less ready than I am?
It’s a scalable thing, and it’s an individual thing as well. Some people are careless; some people are very careful; some people are paranoid. From a systems perspective, as Adam said, I think we’re doing very well, but that doesn’t prevent people who are being careless from becoming victimized or becoming victimized because of carelessness.
That’s why it’s a difficult question to answer on a 1 to 10 scale.
Senator Enverga: How about Canadian government infrastructure? Are we 100 per cent protected? Are we 100 per cent ready to defend?
Mr. Hatfield: That is a question you should direct to Shared Services Canada and to the Communications Security Establishment. Based on our experience, the security of Government of Canada networks is the envy of many of our allies, and we are doing an extremely good job in that respect. They can provide you the details, but we have very much to be proud of in how we protect our own information.
Senator Enverga: One last question about this —
The Deputy Chair: You’re challenging your time here. Is this a new idea or a clarification of something? Say “clarification.”
Senator Enverga: It’s with regard to making it 100 per cent secure.
Do you propose any legislative tools that we can propose?
Mr. Hatfield: Regarding the discussion of what mechanisms and legislation to put forward, the cyber review process going on right now is examining exactly that question. The government does intend to come forward with a new way forward for Canada on that.
Senator Maltais: Thank you for being here, gentlemen. My comments are for Mr. Lowson. In your brief, on page 4, in the second and third paragraphs, you refer to state-sponsored intellectual property theft for the purpose of obtaining information that would allow foreign companies to have a competitive advantage. I will quote you: “This can have a negative impact on investment or acquisition negotiations involving Canadian companies and the government of Canada, and in turn lead to lost jobs, revenue, and market share.” I agree with you on this 100 per cent. Are these “pirate states” on a list, and is their name given to the executive branch of the Canadian government, that is to say the Prime Minister’s Office?
Mr. Lowson: Thank you very much for the question, senator.
As I explained in my opening comments, one of the roles of CSIS is to provide advice to the Government of Canada, which we do on threats to national security. That includes threats that come from foreign state actors. Yes, the people within the government who need to be aware of who those state actors are do have that level of awareness.
I would add that foreign investment in Canada is an important issue. It’s vital to our economy that we continue to have investors from abroad who are interested in investing in the Canadian economy. But we have to be cautious. It’s for that reason that, under the provisions of the Investment Canada Act, there is a clause for a national security review. It’s something the government takes seriously, and when there are actors about whom we have concerns who are proposing to make investments in Canada, we will take a look at that under that national security review process.
Senator Maltais: Thank you for your comments on the governmental aspect. Now I will speak about enterprises. Let’s say a Canadian business negotiates a contract in good faith with another country that is on the “pirate state” list. Will your service be in contact with the business to warn them to be very careful? Do you do that? The enterprise is negotiating in good faith with a country that sanctions piracy.
Mr. Lowson: Perhaps my colleague from Public Safety Canada would like to comment on this, because they are also responsible for the administration of the Investment Canada Act. But when there’s a national security review going on, all the parties involved in the transaction are part of the process.
Senator Tannas: Thank you for being here. We’ve been reading a lot about artificial intelligence over the last few months, and I’m wondering if you could give us your thoughts on the idea of all of this switching from really bright people duking it out, good guys and bad guys, to all of a sudden really bright machines that are constantly changing their methods of attacking and so on, and correcting themselves based on the reactions and so on. Is that going on now? Is it a likely trend that we’ll see artificial intelligence in this area develop and expand?
Mr. Hatfield: Senator, whether we have artificial intelligence is not an on-off switch. It’s not a destination that we’re going to arrive at; it’s a process of development of technology.
Absolutely already today there are examples of malicious actors who have attempted to automate attacks. In turn, we have automated our defences. Right now today, a great deal of Internet is machine speaking to machine to make everything work, and folks are trying to disrupt, leverage or exploit it, and there are machines that are combatting that in real time to ensure that doesn’t happen.
Many organizations could give you statistics of the hundreds of millions or billions of spam emails they get every day, which are stopped at a firewall. The number of reconnaissance probes across networks are in the hundreds of millions, and machines stop those in real time, and they never touch a human.
That is already going on today, and any new technology that has come into the high-tech field has been used for the good guys and unfortunately also for the bad guys. That will simply be a trend we see continue.
Senator Tannas: But in terms of machine-driven creativity, I guess is what I’m getting at — I know there are bright guys that construct something that will go and attack 50,000 targets and on and on. But the creativity that comes from humans, the bad guys and the good guys who figure out — are we ever going to move into an area, or are we already, where you’re actually seeing machines replace humans in the creativity around how to do this?
Mr. Hatfield: I would say that a lot of things humans used to do are now being done by machines, both offensively and defensively, but the humans haven’t gone away; they have simply gone to another level of work and obstruction. I will tell you that my team spends a lot of time trying to tell our very smart computers what to do, and I still need a lot of people to help me tell computers what to do.
Senator Tannas: I have one more question, and it’s for fun. I loved the movie in which Leonardo DiCaprio played Frank Abagnale, one of the best fraudster-counterfeit guys. At the end of the show, it turns out he goes to work for the FBI. Do we have bad guys switching to the good guys’ teams the way we always hear about and read about in books and movies, where you catch some guy who’s particularly talented and, instead of sending him to jail, you give him a chance to work for the good guys?
Mr. Flynn: I can say that from our recruiting, retention and engagement of employees, we’re fortunate that we have enough very bright and talented individuals working on the problems that we’re working on.
Senator Ringuette: You were saying that Equifax was the victim. However, when an entity says that your personal data you give us is protected, they’re no longer the victim; they’re also the perpetrator because that commitment has not been fulfilled. How do you handle that? Earlier you were saying they’re the victim, in a way, but there’s another series of crimes that occurred.
Mr. Doran: Absolutely. I would agree with you. I didn’t mean to isolate Equifax as the only victim. Clearly, those who had their personal identities stolen or harmed in that case or in any case are victims as well.
While it is unfortunate, it’s not necessarily a crime. It’s a contract entered into between a corporation and a citizen, and the breach of the contract does not constitute a crime, necessarily. So a security breach on Equifax or the number of companies we’ve heard over the last number of years, while unfortunate and maybe a breach of some arrangement between client and service provider, doesn’t necessarily make it a crime that we would investigate per se.
My point was that the evidence that we need to pursue is within Equifax holdings. Unless, of course, the victims’ material is needed as well, then we would, of course, see the victims. But from an investigative point of view, not a holistic, policing, crime prevention point of view.
Senator Ringuette: If there was a piece of legislation that would say that it is a crime that if a company says that your personal data will be protected by us, and is not, because you’re in the process of reviewing all your mechanisms. Again, there’s another loophole there, from my perspective.
Mr. Doran: Whether or not laws are created is certainly not within my purview. We will enforce the laws that exist. Any laws that are enacted that provide us with extra tools in the toolbox are certainly welcome.
Senator Carignan: In the same vein, I am trying to assess what resources are needed. There are different types of cybercrime offences. Certain criminals use technology to commit an offence, and others target the technology needed to commit one. Do you make a distinction between the two in your investigations? What percentage of your resources is focused on technology as a target, as opposed to technology being used to commit fraud?
Mr. Flynn: We look at both types of offences, and we do use that separation to help us understand the problem better. We’re very concerned with both the targeting of technology and the criminal use of technology, as my colleague Chief Superintendent Doran said, to increase their victimization, their global access to move ahead.
We’re continuously analyzing how we raise our game and capabilities internally to address both of them. We’re seeing a significant rise in both areas. We’re seeing criminals adopt the use of technology very quickly. They don’t have those internal large government entities or elements that we have to slow our adoption of technology. We’re trying to overcome those and seek out the appropriate resources and apply them to the problem to enable our traditional investigators to move ahead better.
In cybercrime, we’re fortunate with the large private industry investments in cybersecurity, the other government organizations in cybersecurity, that if we do it right, we have a lot of areas that we can leverage to help us tackle the problem, and we’re making strong efforts to do that.
Senator Wetston: We’ve been touching on a lot of areas in our discussion today, and the area that I’d like to pursue in my last question is around Mr. Lowson’s area, if I may. We talk a lot about hackers and cybercrime and cybersecurity and states of readiness. We know that Canadian industry, whether financial institutions, insurance and others, have spent billions of dollars protecting themselves against cyberattacks. I think billions would be the right number, although that’s not a number in itself, but it’s a lot of money.
Are we seeing increased attacks to national security? Is it on the increase from the point of view of CSIS and its experience to date? I’m not asking for specifics, but what are you doing about it with respect to dealing with these potential attacks to national security, which, of course, are state-specific rather than business oriented?
Mr. Lowson: As I mentioned previously, cyber is viewed by the service as a tool which enables actors to carry out threats to the security of Canada that have always been there. The CSIS Act was created in 1984, and it identified the categories of threats that I outlined for you in my opening comments. Those threat categories haven’t changed since that time. What has changed is how the actors who are perpetrating those threats carry them out, and cyber certainly has become a tool that has enabled them to carry out those activities in a new and different way.
It is a domain that is evolving rapidly. It’s a domain, as I said, that allows for actors to fly under the radar. It’s difficult sometimes to attribute who is responsible for those activities. Is it posing a challenge? Yes, it’s posing a challenge. But what I would also say is that this is what we do — this is our job — and looking at those threats to the security of Canada is fundamental. It’s what the men and women of CSIS do every day, and we work in collaboration with our partners in the RCMP, CSE, CCIRC, and other organizations, to make sure we are responding adequately.
Senator Moncion: Can you give us a comment on prevention versus reaction? Are we more preventive or are we more reactive to cyberattacks?
Mr. Hatfield: I would say all of the above. I mean that very deliberately. Because we have seen situations where a technological breach occurred in a network, and it was the organization’s ability to respond quickly, as a team of people, not just as computers, that enabled them to detect what was happening, stop what the malicious actor was trying to do, and ensure that there was no business or human impact. It simply remained a technological event.
So cybersecurity, not unlike emergency management with natural disasters, goes all the way from prevention through mitigation to preparedness for something to go wrong, the ability to react rapidly and the ability to recover and get things back to normal quickly. So the answer is yes.
Senator Enverga: It’s a very quick question, if you don’t mind. A few months ago, Hytera Communications of China bought Norsat. It’s a communications satellite company and I’m just wondering have you been consulted on this? It is a high-tech Canadian company that was bought by the Chinese. Should you be consulted on these activities? Was that something that you did?
Mr. Doran: That would be out of my purview. I don’t know about others.
Mr. Lowson: I would go back to the comments I made earlier about the national security review provisions.
Certainly, the government would have been alerted to that acquisition and it would have been examined through the lens of whether it requires a national security review.
However, I’m not in a position right now to respond as to whether or not that took place.
Senator Enverga: According to the report there was no formal national security review. However, would you suggest that in the next instance where we are selling our industrial secrets that you should be consulted?
Mr. Lowson: I think there is a process in place already that makes that determination and I would rely on that process to arrive at that conclusion.
Senator Maltais: I am going to play devil’s advocate. Is the banking sector not to some degree the artisan of its own misfortune? Today, almost everyone uses computers. However, certain people of 55 or more cannot use computers to deposit their money in their bank account. If they want a statement, they have to pay for it. These small devices, such as cell phones, for instance — are they totally risk-free in financial transactions?
Mr. Doran: I can’t speak to the level of security of devices, I’m sorry. Any system is potentially a victim of a cyber-attack. A good defence system may prevent it and a clever hacker may defeat it. I can’t really say specifically whether or not your system or others are secure.
Senator Massicotte: We’ve discussed things all evening from a defensive position, like goalies. On occasion, it is good to take up an offensive position.
You don’t score any goals if you don’t do it offensively. Under what circumstances would we be offensive in terms of national security? What are the criteria by which we will take action against someone as opposed to simply protecting our interests?
Mr. Lowson: As I mentioned in my opening comments, one of the provisions that is available to CSIS is threat reduction measures. That was something that was made available to us in some recent legislation, and we’re expecting that, as part of Bill C-59 that’s going through now, that’s part of the reexamination. But assuming that those powers remain with us, it does provide us with the ability to be more proactive against any of the threats to the security of Canada that we may face. That is a tool that we do have in our tool kit at the moment.
Senator Massicotte: That is on the basis that it reduces the eventual threat to us. Is that the only condition or the only time we can be offensive if it is a threat reduction mechanism?
Mr. Lowson: I would say that we would probably need to define exactly what we mean by “offensive.” I would argue that the reason for having an intelligence service like CSIS is to be able to gather information, analyze that information and provide advice to the Government of Canada on what to do about these situations. That is not always in reactive mode, to come back to a previous question. That also does provide some proactive ability.
Senator Massicotte: Thank you.
The Deputy Chair: Thank you, Senator Massicotte. Just before we conclude, we had an undertaking by the chief superintendent to provide us with some statistics. You made a note of that. Can you give us an indication as to when we might hear back from you?
Mr. Doran: When would you like to hear back from me? From an RCMP perspective, I think we can manage that.
The Deputy Chair: We will diary it for a week forward. Colleagues, we will continue tomorrow at 10:30 with the same topic.
I would like to thank our witnesses this evening from Public Safety Canada, the Royal Canadian Mounted Police — thank you, gentlemen — and the Canadian Security Intelligence Service. You helped us get started on this new study. Thank you.
(The committee adjourned.)