THE STANDING SENATE COMMITTEE ON BANKING, TRADE AND COMMERCE
OTTAWA, Thursday, October 19, 2017
The Standing Senate Committee on Banking, Trade and Commerce met this day at 10:33 a.m., to continue its study on issues and concerns pertaining to cybersecurity and cyberfraud.
Senator Joseph A. Day (Deputy Chair) in the chair.
The Deputy Chair: Welcome, honourable senators. We are going to be continuing our study on issues and concerns pertaining to cybersecurity and cyberfraud.
I would like to introduce our first witness this morning. Please welcome Benoît Dupont, Scientific Director, who is joining us by videoconference.
Benoît Dupont, Scientific Director, Smart Cybersecurity Network (SERENE-RISC): Thank you, Mr. Chair. Honourable senators, I would like to thank you for this opportunity to appear before you today as part of your study on cybersecurity and cyberfraud.
My name is Benoît Dupont. I hold the Canada Research Chair in cybersecurity at the Université de Montréal, where I am also a professor of criminology. As you indicated, I am the Scientific Director of the Smart Cybersecurity Network, also known by the acronym SERENE-RISC, which is one of Canada’s Networks of Centres of Excellence (NCE).
I will begin my remarks by providing some contextual information on the current state of Canadian cybersecurity before going into more details about what the Smart Cybersecurity Network does, why it is important and what future challenges will have to be addressed from a research and development perspective.
Canada is one of the most connected societies on earth, and its economic growth depends on the development of a productive and healthy digital ecosystem.
The technology is not only an asset, it has also become a major source of risks. According to PwC, in its Global CEO Survey published in 2016, 61 per cent of Canadian CEOs believe that cybersecurity is the biggest potential business threat to their organizations’ growth prospect, topping availability of key skills, volatile commodity prices and consumer spending behaviours.
Also, a recent study by Scalar, titled “The Cybersecurity Readiness of Canadian Organizations,” published in 2017, shows the negative impacts of cyberattacks on productivity. In 2016, 53 per cent of companies surveyed reported an incident that resulted in the loss of sensitive information, with an average of 44 events per year and per company, and a marked increase in the sophistication and severity of attacks.
Small- and medium-sized enterprises, which have very limited resources to devote to IT and online security, are particularly vulnerable, while they contribute more than 50 per cent of business-sector GDP. Cyber risks will therefore have a disproportionate impact on this key segment of our economy.
Canadian citizens are also exposed to a growing number of online scams and cyber-frauds. Reliable statistics are missing in Canada, but the most recent victimization survey for England and Wales suggests that online fraud and computer hacking now represent the number one form of property crime and amount to half of all crimes taken together. That’s all property and person crimes.
Unfortunately, Internet users still receive very limited or even contradictory advice on what good digital habits they should adopt to minimize their chances of victimization, and they lose trust in the reliability of online transactions in the process. At the same time, Canadian police services have not yet mobilized the financial and human resources required to deal with this crime epidemic, and they are unsure of how to best tackle this massive challenge.
We now stand at the critical technological juncture where we are shifting from an industrial society, heavily reliant on manufacturing, to a digital society fuelled by information and data. We also have legacy critical infrastructures that are almost all connected to the Internet, which creates an unprecedented level of interdependency and generates an endless stream of vulnerabilities.
Meanwhile, through the Internet of Things, we are about to add more than 50 billion unsecured new devices with varying degrees of autonomy to this already unpredictable threat landscape. This will increase the complexity of the cybersecurity challenge by at least one order of magnitude.
So far, Canada has not placed cybersecurity very high on its list of economic, research and development and policy priorities, while other nations, such as the U.S., the U.K., Australia, Israel, the Netherlands or Singapore, to name a few, are forging ahead and becoming global leaders in cybersecurity.
Cybersecurity Ventures, a consulting firm, estimates that $1 trillion will be spent globally on securing cyber systems between 2017 and 2021. In our country, existing efforts to address this gap, while valuable, lack coordination and have not achieved the critical mass required to spur innovation and adaptation to this new risk landscape. Canada could very well be falling behind at this crucial moment.
The Smart Cybersecurity Network has identified more than 250 academics from 47 universities carrying out research on various aspects of cybersecurity; 65 per cent of them are from the computer science faculties and departments and 35 per cent stem from the social sciences. We have also identified 34 institutional partnerships between public and private stakeholders to mitigate cyber risks. But there is no national network that could systematically connect these fragmented resources, despite multiple ad hoc collaborations.
The Smart Cybersecurity Network’s role is limited by its current resources and mandate, which is to do knowledge mobilization, which we define as getting the right information in the right format at the right time to the right people.
Our network is made up of 33 institutional partners from industry, government and the non-profit sector, as well as 42 academics from eight disciplines based at 23 universities and colleges from coast to coast.
We deliver six key activities: We host biannual workshops that have brought together almost 850 cybersecurity thought leaders and practitioners from 250 public and private sector organizations over the past three years. We host and curate an online knowledge-sharing platform that now contains more than 800 documents, original videos and research summaries about cybersecurity. We also produce quarterly knowledge digests that summarize leading-edge cybersecurity research relevant to practitioners in a practical format.
We have hosted eight relationship forums that bring together stakeholders with common interests in cybersecurity in our country’s main tech hubs. We develop and host professional development activities that engage post-secondary students and early career professionals, and we are proud to have attracted 42 per cent female participants in a field where only 11 per cent of positions are filled by females.
Finally, with generous financial support from Public Safety Canada, we developed and delivered an innovative awareness and training tool named Cybersec 101 delivered in both languages through public libraries across the country. We are targeting older users for this awareness and training tool.
By designing and delivering knowledge-mobilization activities tailored to the needs of government decision-makers, industry practitioners and the general public, the Smart Cybersecurity Network makes a strategic contribution that tries to enhance the capacities of the Canadian digital ecosystem, to understand the complexity of the current threat landscape and to try to forecast emerging risks, to address cyber risks by understanding the evidence that can support effective and efficient decision-making and to enhance the resilience of the Canadian digital ecosystem by training a new generation of cybersecurity professionals.
Although I would like to close on a positive note, I would like to stress that cybersecurity is not only a technical problem. Cybersecurity has multiple social and policy implications that are rarely addressed alongside its already complicated technical aspects. The complexity of the challenge is such that only, in my view, a cross-disciplinary network of researchers and end-users from industry and government can expect to discover, develop and implement the innovative solutions that are so urgently needed. I am afraid to say that we do not have such a network in place in our country yet.
Thank you very much for your attention. I look forward to your questions.
The Deputy Chair: Thank you very much for your comments, Professor Dupont.
Senator Massicotte: Thank you for joining us this morning to talk about a subject I see as very important. Yesterday afternoon, we had with us four representatives of the Canadian government who are responsible for security matters. They tried hard to put the subject in context by saying that there have always been attacks, or the fear of attacks, to our security and our personal information and that this is just a different method of electronic transmission. However, I am still concerned by cyberthreats. Just think about the credit agencies, the American elections and the elections in Kenya. These are very real and it’s very threatening for our personal information, our habits, and also for companies. Is it a serious problem or is it solely the fact that we are reacting disproportionately because we feel threatened?
Mr. Dupont: Personally, I feel that it is a serious problem that comes with societal change. We are becoming a digital society in all aspects of our human activities. It is normal that the risks will also become digital.
The problem that I see is not that risks are more numerous than before, it is that the institutions that are supposed to respond to those risks are perhaps slower to adapt to this new reality. A concrete example that I use is the police, which is an institution created to respond to security problems during the industrial revolution at the end of the 19th century. It is an institution created at a different time, for a different situation, and it now has to adapt to a new revolution, one that is not industrial but digital. We may need to create new institutions to respond to those risks. To answer your question, I feel that the problem is quite serious. For me, the problem is as serious as climate change.
Senator Massicotte: It is huge. We are seeing problems with confidentiality violations in a number of American companies that have been hit, like Target and Equifax. I think that it is just as serious in Canada. However, perhaps there is less transparency, less information being communicated. One might say that those companies — ones that we trust by providing them with personal information — are suffering no consequences, financial, criminal, or any other kind. Why are there no consequences? Something, some information breach, happens every week. It means that the companies have not taken the measures required to protect the confidential information that we have shared with them in complete trust. There is a breach of trust in that relationship.
Mr. Dupont: I will answer your question in two stages. Why do we hear less about this in Canada? It is because our regulatory framework for companies and organizations does not require them to disclose this kind of incident when they are victims of one. The situation is slightly different in the United States where legislation requires companies that are victims to disclose the incident. At times, there are delays in doing that. We may hear about incidents several months later and, in some cases, several years later.
But the regulatory framework is different in the United States and it requires companies to disclose that information. However, in the United States, the regulatory framework does not impose any very harsh penalties. That also partly explains why we may feel that companies are not very exposed to sanctions that could encourage them to take more robust measures to protect our personal information.
Senator Wallin: Thank you. I am following up on the issue that you have just touched on. We discussed yesterday at length the question of no reporting requirements. There is no way to force a company to admit or to report to either a police or a governmental structure that they have been hacked or in some way influenced and that our personal information might be in jeopardy. I know you come at this from the research side, but I would like your personal view on whether or not that should be the case, that we should be more like the Americans in this, that companies must be forced to report. If they don’t, there are consequences; even if they do, there may be. In that quite legalistic approach, what is your opinion on that?
Mr. Dupont: First, I’d like to stress that there is a law that is going to come into action very soon in Canada. It’s the Digital Privacy Act. I think the regulatory framework is being finalized, but it will force, under a number of circumstances, companies to disclose to the Privacy Commissioner cases of data breaches, and it will force them to notify their customers or their employees when such incidents happen.
Personally, for the sake of transparency, I think that it’s a positive thing. It’s a positive development. I think companies that suffer data breaches should be forced to disclose these incidents publicly, not because of the shaming dimension but because it makes things more transparent and consumers can learn about the situation of their own private information. They can make more informed choices with regard to the companies that they choose to patronize or entrust with their money or their personal information.
There are also measures that will very quickly be implemented in Europe, where the fines for such incidents will be major. I think we’re talking about 4 per cent of annual revenues. Europe is moving in a much more coercive approach to companies that suffer data breaches.
Senator Wallin: What is the fine for? Is the fine for not reporting or for the breach occurring?
Mr. Dupont: The breach occurring.
Senator Wallin: Okay.
Mr. Dupont: If the regulatory authority determines that there was a major case of negligence or lack of protective measures implemented.
Senator Wallin: I just have one follow up on this. With the reporting to the Privacy Commissioner, are they then obliged to report to the RCMP or to public safety, or what is the point of just reporting to the Privacy Commissioner?
Mr. Dupont: I’m not a lawyer, so I can’t be 100 per cent sure, but I do not believe that they will have any obligation to report to anyone else but the Privacy Commissioner, because the Privacy Commissioner is the authority in charge of enforcing the Digital Privacy Act. It’s not an act on data breach notification. It has a data breach component to it, but it’s a broader piece of legislation that is under the authority of the Privacy Commissioner.
Senator Wallin: So for actual breaches, there is still no obligation to report to any investigative body, including the RCMP or CSIS if there are international implications?
Mr. Dupont: That is correct.
Senator Wallin: Thank you.
Senator Black: Good morning, sir, and thank you for being here. I don’t know whether you had the opportunity to listen to the evidence that we would have heard last night. Did you hear that?
Mr. Dupont: I just read some of the transcripts this morning.
Senator Black: At the end of the session yesterday, I took tremendous comfort thinking, my goodness, maybe the RCMP and Public Safety Canada, or the organization that gentleman referenced, and CSIS have this file under control. I hear what you have shared with us this morning, and I’m not sure that my view is necessarily accurate or that you would necessarily agree with that.
You have pointed out a couple of things in your evidence. You have said it’s a crime epidemic, and you do not believe that Canada has the resources to address that. You have also indicated that Canada as a nation is not high on the global success file of countries that are effectively dealing with this. You mentioned Singapore, the Netherlands, the U.K. and the U.S. Yesterday, we heard exactly the opposite, which, of course, is troubling.
I would ask you to comment on that, and then I would ask you to tell us the two or three things that we should be addressing at this committee, from your point of view.
Mr. Dupont: I don’t want to contradict anyone from CSIS or the RCMP or Public Safety Canada, because I think they were probably very truthful when they told you yesterday that they had what falls under their responsibility probably under control. But that may only represent a tiny fraction of what is really happening out there.
I think that yesterday, the witness from the RCMP mentioned that there is a tiny, tiny fraction of cyber crimes that are being reported to the police by companies or individuals. In some countries, the statistics seem to show that less than 10 per cent of cyber crimes are being reported to the police. So to the extent that they are probably able to deal with the tiny fraction that is being reported to the police, yes, they probably were correct in their statement, but my worry is that there is probably more than almost 90 per cent of cyber crimes that are not being reported to the police.
They are real crimes. They have real impact on victims and on companies. They can threaten the survivability of SMEs and other companies. They are not being addressed by law enforcement organizations, but they are being addressed sometimes, from a company’s perspective, by private cybersecurity investigative companies. The government doesn’t necessarily see all the incidents, and that prevents us from having a full picture of what is happening out there and from protecting citizens and consumers on an individual basis who don’t have the resources to hire private companies to investigate a cyber fraud.
Yes, the banks are also investing massive amounts of money to protect their consumers. But again, you know, it’s a private sector effort. I think that the government probably has a responsibility to do a lot more. The countries that I mentioned are investing billions of dollars to address this problem because they have recognized that this is a strategic issue that will make or break the economic prosperity of their economies.
Senator Black: If you were going to draw our attention to two or three countries around the globe that you think are leading practices, what countries would you suggest?
Mr. Dupont: In terms of the role of government, I would say the U.K. I will pick countries that have similar political and policy experiences so that we maybe would be able to transfer some lessons from them. I would say the U.K. from a government role. I would say Israel and the Netherlands from an economic prosperity approach. They are two smaller countries that don’t necessarily have huge resources, like us, and they still manage to do a lot of great things because they have been able to network and to kind of connect industry, government and academia.
I think that’s really a message I would like to share with you today, the need to coordinate a lot better. The government here in Canada is doing great work in coordinating within government. I’m not blaming anyone. I’m just saying that there is so much more we need to do, and we need to connect a lot more different groups of stakeholders if we want to have an impact that will move the needle.
Senator Campbell: Thank you so much for being here today. I’d like to continue on. It’s like we heard a tale of two cities. Yesterday we heard that everything is great, we’re on top of this, and Canada is a leader in so many different areas. We mainly dealt with underreporting, which again is one of those areas where who knows how you act on that.
I noticed two things. You list all of your partners. It’s pretty impressive, but I note that, for instance, there are no banks in your industry partners, although you do have the Bank of Canada down as an internship. Is that an oversight? It would seem to me that the banking sector would be one that you would really want to have involved with cybersecurity.
Mr. Dupont: That’s correct. The banking sector is very mature and has been dealing with and addressing cybersecurity issues for probably the longest time compared to other types of organizations.
We engage with the banking sector through a different entity called CCTX, the Canadian Cyber Threat Exchange. That’s another great initiative where not only the banking sector but also the telecommunications sector and other large Canadian companies share threat intelligence. I sit on the board of this organization as a permanent invitee to connect this sector and this initiative with the research world. We engage with the banking industry in a different format than through the Smart Cybersecurity Network, but we’re very closely connected with them as well.
We have Desjardins, which is not listed yet in the PowerPoint slides I shared with you because we are finalizing the MOU with them, but they are joining the network. Here in Quebec, they are the largest financial institution, covering 80 per cent of consumers here in Quebec and beyond the province.
Senator Campbell: So you are saying the banks are bringing their maturity to the SERENE-RISC?
Mr. Dupont: No. We are collaborating with them but through a different entity called CCTX. They are sharing the maturity of their approach not only with us but with all other industries in Canada.
Senator Campbell: The second thing is under “Government Partners,” I don’t see the RCMP anywhere in there.
Mr. Dupont: We have the anti-fraud centre, which is, I believe, a unit within the RCMP. We’ve also held discussions with the RCMP. We frequently collaborate with them. They attend our conferences. They also send speakers to our events. Although we don’t have a formal MOU with the RCMP, we collaborate with them very closely.
Senator Campbell: Lastly, regarding this idea of industry, government and academia coming together, I don’t think you’re going to have that happen until you get all of these players, including the banks and the RCMP, in there. What I’m hearing is what I believe is classic silos. Each one of these organizations operates independently of each other. Although they say that they collaborate and work together, that’s not what I’m hearing. That’s not really what I heard yesterday. I agree that you need to bring all of these together, but to do that, somebody has to be in charge of this. I don’t know who is in charge of it. I don’t know if it’s the Mounties. They say no, that they’re criminal. CSIS says no unless it’s coming from outside of Canada or it’s a terrorist threat. The National Cyber Security Directorate — nobody is taking control of this.
I’d like to know who you believe should be leading this. Should it be government leading this? Should it be industry leading this? Should it be research and academia? I don’t know, but I’d like to know who it should be.
Mr. Dupont: If you look at the countries I listed as being ahead of the pack, they have all one point in common: the authority leading these efforts is the head of state. It’s either the prime minister or the president. It’s all coordinated under the office of the prime minister or the office of the president. The reason for that is to send a strong signal that this is such an important issue that the prime minister takes the leadership on this to ensure that all the agencies are aligned, that industry collaborates to the table and that academia is very much aware of the importance of this societal challenge. In all the countries that are defined as leaders, the office in charge is the office of the president or the office of the prime minister.
Senator Campbell: That’s what I wanted to hear. Thank you very much.
Senator Unger: Thank you very much for your presentation. I certainly concur with what all of my colleagues have been saying about yesterday’s meeting.
From the witnesses yesterday, it sounds like cyberattacks on businesses are inevitable and just a cost of doing business. Would that hold true for our national infrastructure? Are attacks inevitable? Do we have adequate systems to prevent them? If we do, why wouldn’t that be possible for business as well?
Mr. Dupont: I think you’re right when you state that attacks are inevitable.
We learned last week that the NSA, the National Security Agency in the U.S., was hacked. That’s probably the best-resourced intelligence agency in the world. If the NSA gets hacked, everyone will probably be hacked at one point. We learned that because the Israeli intelligence hacked into Kaspersky, another cybersecurity outfit, and they looked at Russian intelligence hacking the NSA. Everyone is hacking everyone, and businesses will not be immune to that phenomenon and wave of hacking.
To answer the second part of your question about our critical infrastructure, I think that, yes, they will probably also be exposed to hacks, but they have very limited metrics and data to understand their level of vulnerability as well as their level of protection. It’s hard to make statements that are very reliable when you don’t have strong data to back them up. I think one of the challenges in future years for critical infrastructure, companies and governments will be to be able to produce data and evidence that will tell us where we should direct our energies, efforts and investments to make sure that we reinforce our cybersecurity.
Finally, we will also need to develop a concept that is one possible answer to this new reality of everyone being exposed to hacks, which is the concept of resilience. How can we make sure our critical infrastructures in companies are still able to operate even in a hostile environment where they can assume that some of their systems are under attack or even compromised? I think that we also need to develop a complementary way of answering cybersecurity challenges, which is to make organizations more robust and resilient and able to adapt to this new environment, which is going to be here for a long time.
Senator Unger: I heard recently that one of our five national banks was sending people to Israel to be trained in cybersecurity. You mentioned that banks have very good and reliable, if you can use that word, security. Obviously this bank felt that it needed to go to a country that teaches people better. I guess that’s the new brave world that we’re in. Thank you.
The Deputy Chair: Mr. Dupont, did you have any comment with respect to banks going to Israel?
Mr. Dupont: Yes and no. I think what they’re doing, when they’re going to Israel, is they’re indicating that this is a global problem that has to be addressed globally and some of the expertise is not necessarily in Canada. My aim today is not to generate fear among us because there is expertise in Canada, and it’s not all doom and gloom, but when banks are sending people to Israel to be trained, they are acknowledging that this is a global problem and some of the expertise is overseas and we need to connect with that expertise as well.
Senator Wetston: Thank you for coming today. I wanted to pursue this area of cybersecurity somewhat differently. I asked this of one of the witnesses yesterday, and my thought was that the Internet is becoming more of the 21st century crime scene. The reason I mention that is because obviously we had RCMP officers here as well as CSIS.
The question I wanted to get your opinion on is you recall very well the financial crisis of 2007-08. It’s now the tenth year anniversary of the financial crisis. Much of what occurred in that crisis was enabled by technology. The interconnectivity allowed the risk to spread from nation to nation, which created a global recession. I think you might agree with me on that point.
My question to you is: Because the world is faster and the world is smaller because of technology, we often look at technology and say it is technology that has created the problem, when, frankly, probably technology has enabled the problem but not created the problem. The problem is with human behaviour. Are you able to comment on your views with respect to the relationship between behaviour and technology from the perspective of your work?
Mr. Dupont: Yes. I’ll try not to pontificate too much. I entirely agree with you. I would add a third component to your model of interactions. It is technology, behaviours and policies. The way technology develops can be strongly influenced by policy. So far, we have been very shy about regulating technology. The rationale has been that if we regulate technology and the Internet too much, we will stifle innovation and that will be a bad thing. Now we are learning that we have under-regulated technology, and we are paying the price because we have allowed technology to develop very chaotically, and it’s hard for us to take back control. I mean in democracies. I’m not advocating doing what China is doing or Russia is doing with technology and regulation, but there is still a level of protection that we must be providing to citizens.
To your initial question of behaviour and technology, I also agree that we probably need to do a much better job of training people and raising awareness as to what technology enables people to do and the risks that are coming out of technology. At the same time, very often people are appropriating technology in ways that were never anticipated by the designers of those technologies. The inventors of the Internet 50 years ago never imagined that the Internet would become so embedded into every single aspect of human activity.
That’s why we probably need to get — and that’s one of the objectives of our network — the computer engineers inventing the technology of tomorrow to also understand the security and privacy implications of what they are designing. There is this concept of privacy by design, security by design, and we probably need to do a much better job of training computer engineers in those practices and disciplines to ensure that the new technologies that will be deployed in smart cities, in the Internet of Things, will have much stronger security and privacy features than what we have seen in the past.
Senator Wetston: This is really to put this on the record because I don’t know the answer to this. It’s my feeling that the regulated banks and insurance companies who are regulated by OSFI, the Office of the Superintendent of Financial Institutions, might — and I don’t know and it would be interesting to find out — require the banks to report data breaches, unlike potentially other industry sectors that may not have that reporting responsibility. I’m simply following up from Senator Massicotte and Senator Wallin’s question. We should probably try to get an answer to that question because obviously financial institutions are important. You may not have an answer to that question, so I am simply noting it.
The other thing I might follow up with is that when I asked you my question about interconnectivity, which I think you agree obviously enables this, and when I was discussing risk — and the Banking Committee is often concerned about risk in the financial markets — the risk that may have been spread from country to country, from institution to institution, was not necessarily as a result of bad behaviour. Whether it’s good behaviour or bad behaviour, that risk will spread and be very difficult to control and manage in the financial markets. It’s the technology operating in the way that perhaps the initial developers did not intend, as you point out. I don’t know if you have any comments on this. I was looking at it from both perspectives.
Mr. Dupont: I also agree with you. I will add an additional layer of complexity because we are about to add to this mix artificial intelligence that will have a lot of autonomy and be making autonomous decisions and will increase the velocity of the spread of certain decisions and the interconnectivity, with very limited human control. That’s also something that we need to think about now because the progress and the speed of innovation in the field of artificial intelligence is huge, and we need to also take stock of what’s going to happen when we’re going to hand over the keys of technological infrastructure to AIs — maybe not tomorrow, but very quickly.
Senator Wetston: You will have a good future if you’re an algorithm, is your point.
Senator Enverga: Thank you for the presentation. Let me go back to what you mentioned earlier, that cybersecurity is a major priority of this country. You mentioned that there are so many things we have to do. My question is, what do we have to do? Can you give me three things that the government has to do to secure our network or have cybersecurity?
Mr. Dupont: I’ll give you only one. I think that the government is doing very well in securing its own systems, but it needs to coordinate the efforts of provincial and municipal governments, certain industries and consumers. I think one thing that would probably have an impact is the creation of a new agency, probably under the Office of the Prime Minister, that would have this role and responsibility of coordinating efforts.
For now, we are suffering from an excess of fragmentation and everyone has a slice of responsibility. Because everything is interconnected and interdependent, it would be useful to have an overarching agency that would have the capacity and the authority to understand the multiplicity of efforts being undertaken, to incentivize and prioritize some of them and to collect metrics that would enable us to have a general understanding of the situation.
I would say one thing would be the creation of a new cybersecurity agency that wouldn’t steal responsibilities from existing organizations but would be the coordinating point for the whole of government.
Senator Enverga: With this new agency, are there other countries that have the same model? Is it the same thing for Singapore or maybe China, as you earlier indicated?
Mr. Dupont: Yes.
Senator Enverga: I asked this yesterday with regard to our status right now, and somehow I didn’t get a direct answer. On a scale of one to ten, how would you rate our cybersecurity, our infrastructure and our preparedness as a country?
Mr. Dupont: Well, as a scientist, I couldn’t answer your question because we don’t have any data, or very limited data. The data we have is not useful.
Senator Enverga: That’s helpful for us. Thank you.
Mr. Dupont: It’s not a direct answer either, I’m afraid.
Senator Massicotte: We were talking about breaches of confidentiality earlier. Would it not be useful for victims of a security breach to be compensated, or to have the right to sue companies that have not taken the measures required to protect confidential information? At some stage or other, we have all signed waivers releasing companies from responsibility. But should they perhaps be held responsible? If there were consequences for companies that had not taken the required measures, they might work harder to protect us in the future. Is that a good idea? Is it possible? Is it doable?
Mr. Dupont: Once again, as I said, I am not a lawyer. I imagine that everything is doable. Before allowing that type of lawsuit, it might be useful to help companies that hold that personal information to understand what is expected of them and the security measures that have been shown to produce tangible results in terms of protection. Currently, organizations and companies have very few guidelines that let them know with any certainty which measures they might take that will be effective.
In a few minutes, you will be hearing from two officials from the Communications Security Establishment, which is actually trying to distribute information about the issue. The information remains incomplete. That information will be useful. Before we let consumers sue large companies on their own, which is not likely to be a fair fight, it could be helpful to send companies, large and small, clearer expectations and more specific guidelines on the levels of the security expected from them. At that point, if they do not implement the necessary measures, we could then eventually foresee penalties or allow lawsuits if we see that they have not done the basic minimum.
Senator Unger: I have a follow-up question to one I asked yesterday. Researchers at a university in Flanders, Belgium, discovered a way for an attacker to read sensitive information that is sent over Wi-Fi networks using WPA2. It affected tablets and e-readers. It had significant impact — you’re probably aware of it — affecting services such as Amazon and Echo. Apparently the answer was yes, the government knew about it in February and they did whatever they had to do about it. But if this is so widely affecting people who use Wi-Fi and tablets and all of these things, why weren’t we told about this? What is the obligation? Google gets a patch and they push it through, but people don’t know that this has happened.
Mr. Dupont: I think an answer to your question might be that there are so many alerts and so many incidents and vulnerabilities that get discovered, that it’s just a matter of prioritizing. I think that government agencies have been very busy over the past few months and during the summer trying to warn people about ransomware, for example, and cryptoware, all these malicious applications that encrypt all your data and you have to pay a ransom to regain access. With the limited resources that government agencies have, they may have chosen to prioritize something that was happening to a fairly large number of people here in Canada and to maybe leave for later this case of the WPA2 vulnerability, which was more something that came out of a researcher’s lab than something that was happening in the wild.
Senator Unger: Thank you.
The Deputy Chair: Colleagues, join me in thanking Dr. Benoît Dupont, who is a scientific director for the Smart Cybersecurity Network. He’s the Canada Research Chair in Security, Identity and Technology. Dr. Dupont is also a professor at the School of Criminology at the University of Montreal.
Thank you very much for meeting with us today, Professor Dupont.
Mr. Dupont: Thank you for inviting me.
The Deputy Chair: We will now hear from our second panel of witnesses today. I’m pleased to welcome the Communications Security Establishment, which was referred to a number of times during our hearing yesterday. We are pleased to hear you are here to fill in the gaps, Mr. Scott Jones, Deputy Chief, IT Security, and André Boucher, Director General, Cyber Security Partnerships.
Thank you very much for being here. I understand that you have a presentation to make and then we’ll engage in a question and answer dialogue. Thank you.
Scott Jones, Deputy Chief, IT Security, Communications Security Establishment: Thank you very much. My name is Scott Jones, and I’m the Assistant Deputy Minister responsible for the IT Security Program at the Communications Security Establishment. With me is André Boucher, Director General of Cyber Security Partnerships. It is our pleasure to appear before you today as you undertake your study on cybersecurity and cyberfraud.
This topic is both timely and extremely important. Canada, as you are well aware, is among the most connected countries in the world. Every day we are witness to stories of how online commerce is driving economic growth and creating opportunities in all sectors of the economy, including online banking and online sales. But, of course, Canadians can only reap the benefits of online commerce when they can conduct their online activities with confidence and trust.
Unfortunately, we’ve all borne witness to cyber compromises that result in significant financial loss, loss to intellectual property and even loss to a company’s reputation. Today’s cyber-threat actors represent different threat levels, motivations and capabilities. They include state actors, hacktivists, criminals and terrorists capable of a broad range of disruption, from ransomware attacks to the exposure of personal information.
I can tell you, as the head of IT security for CSE, the government’s lead technical cyberagency, we are very concerned about the vulnerabilities Canadians face online from these threat actors. My goal today is to answer your questions and leave you with a better understanding of who we are, what we do and how we work with our governmental partners and, in particular, the private sector to help protect Canada’s important information.
As this is my first time appearing before this committee, please allow me to take a few moments to introduce CSE. CSE is one of Canada’s key security and intelligence organizations. Our mandate and authorities are defined in the National Defence Act, and we report to the Minister of National Defence.
Our mandate is comprised of three parts. The first part of our mandate, Part A, involves the collection of foreign intelligence in accordance with Government of Canada intelligence priorities. The second part of our mandate, and the work that I lead, Part B, involves providing advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada. And finally, the third part of our mandate, Part C, is the provision of technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.
CSE is Canada’s centre of excellence for cyberoperations. We use our cyber and technical expertise to monitor federal government systems in order to identify, prepare for, and respond to sophisticated cyberthreats.
Our work also extends beyond the federal government. Because cybersecurity is everyone’s responsibility, we work to support the private sector, including critical infrastructure operators, by sharing cyberthreat information and mitigation advice. This helps them better protect their systems and the important information they contain.
Partnerships are key to our success. We know that effective information sharing can help manage and mitigate the impact of cyber-threats, and that’s why we work closely with key partners, like Public Safety, the Canadian Cyber Incident Response Centre, the Canadian Cyber Threat Exchange and the Canadian Security Telecommunications Advisory Committee, amongst others, to build a stronger capacity to resist and defend against today’s diverse cyber-threats.
But still, even the most secure systems can be rendered ineffective if not used properly. A core part of our work is to increase awareness and education of cybersecurity issues. We have developed the top 10 IT security actions, building on years of mitigation advice to Government of Canada departments and agencies, which help dramatically reduce the threat to all types of organizations. You can find them listed on our website along with much of our advice, guidance and alerts. We also frequently post cybersecurity best practices to our Twitter account and website in an effort to increase public awareness.
I am especially pleased to appear before you today on this important issue because October is Cyber Security Awareness Month. This annual event encourages Canadians and organizations of all sizes, including the Government of Canada departments and agencies, to promote strong cybersecurity practices.
I want to emphasize that cybersecurity is the responsibility of all of us and no single entity can do it alone. We do need to adopt a cyber neighbourhood watch. So it’s crucial that everyone get involved in cybersecurity initiatives to better protect Canada’s sensitive information. Together, we can collectively make Canada stronger and more resilient against cyber-threats.
As part of this effort, today CSE is releasing a product called Assemblyline, a malware detection and analysis tool developed within CSE’s Cyber Defence program to detect and analyze malicious files as they are received. Assemblyline will benefit businesses by allowing them to better protect their data from theft and compromise. Most software of a similar nature is proprietary to a company and not available to the software development community. We change that today.
CSE is releasing Assemblyline to businesses, malware and private researchers, industry and academia. The release of Assemblyline benefits the country and CSE’s work to protect Canadian systems and allows the cybersecurity community to jointly evolve this valuable open-source software.
If I have the opportunity to appear before this committee a second time, I hope I will be able to share with members the results of Assemblyline. In the meantime, I thank you for the opportunity to participate in this study.
My colleague and I will be pleased to answer any questions you may have.
The Deputy Chair: Thank you very much.
Senator Wetston: Let’s talk about Assemblyline. Obviously you’re here and quite proud of this accomplishment. I really don’t understand it since it’s the first I have ever heard of it. Can you inform the committee what it is and what it is expected to do.
Mr. Jones: Assemblyline is a tool that has been described by some people as the Swiss Army Knife of malware analysis tools. It enables a malware analysis team to really plug in different types of tools to automate their process. It makes it easier for them to do their job. It is taking away the manual effort that they spend looking at every threat and really focuses on those new, undiscovered threats and essentially maximizes their valuable time. We use that to triage a tremendous amount of the cyberactivity against the government. We wanted to make that available to others to do the same thing and not have to spend time investing in the infrastructure rather than the actual malware tools. Now we can focus on those.
Senator Wetston: It’s not for a fee?
Mr. Jones: It’s free, open-source, available for download for anybody.
Senator Wetston: We heard from a number of witnesses yesterday: the RCMP, CSIS, and Public Safety. One of the issues that we explored yesterday was collaboration and the state of readiness of cybersecurity in Canada. Can you inform the committee about where the Communications Security Establishment fits into that collaborative framework? I notice you listed a number of entities here, but other than Public Safety, I didn’t see CSIS or the RCMP. So can you comment on that?
Mr. Jones: Within the government, we absolutely work with our partners. So the RCMP, with responsibility for criminal investigations, we support with both our technical expertise, but also as we’re seeing things in the general cyber environment, making sure we keep the community abreast of everything that we’re finding out as well so that the community is as informed as we can have it. The service as well, due to national security investigations, et cetera, we partnered closely with them. In fact, they are our closest next-door neighbours in our new facility.
But where we concentrate on providing the in-depth technical expertise, this has been our bread and butter in my program for the last 70 years. So rather than duplicate that, we want to play our part. That is the in-depth expertise on how the IT systems work, how they interoperate, the knowledge of the IT environment, the knowledge of the threat actors that comes from our experience in foreign signals intelligence and what we see the foreign actors doing, and then working with the community when we respond to an incident, making sure there is one lead, but with the full knowledge of all the organizations behind. If it’s the private sector, CCIRC is the lead and Public Safety is the lead. We’ll make sure we are providing whatever support we can to help them.
Senator Wetston: I didn’t ask this of the RCMP yesterday, but I have a bit of an interest in where cybercrime is heading and the investigation tools necessary to gather the evidence, assess whether there has been a criminal violation, investigating and taking a case to court. Would your organization ever be in a position to assist the RCMP in a criminal investigation? If so, has there been one?
Mr. Jones: If the RCMP requested our assistance, they would do so under the third part of our mandate, Part C, which is the support to lawful law enforcement and security agencies. At the same time, we want to ensure that law enforcement is performed by the people who are best able to do it, and that is the Royal Canadian Mounted Police. We would provide any support they requested under their lawful authorities for that type of thing.
In terms of whether there have been any incidents, we work with the RCMP on a regular basis just for general situational awareness. If there was a particular investigation, to be honest, we would keep that very contained because it would be for the RCMP to comment on. I actually am not aware of a specific case. We have done a lot of general work with them, though.
Senator Wetston: I was just wondering whether there was a prosecution that would have been public and whether or not the various entities in government would support the RCMP because, obviously, they have a lot of tools, but they don’t have all the tools. I understand that you may not have that information, obviously.
Senator Massicotte: My thanks to both of you for joining us this morning. I am still at the stage where I am trying to form an opinion about how serious hacking is and the threats we are under as consumers, members of the public, and business leaders. Is this a really major problem? We have heard a lot of talk about it in the United States, particularly during the last elections. Recently, Equifax Canada was the target of a cybersecurity incident. As a client of businesses like that, I am frustrated to know that my confidential information has been compromised, that people I trusted have betrayed me, and that necessary measures to prevent such incidents have not been taken.
Is it a matter of bad luck or is it something very serious? As Canadians and as the government, should we be changing our way of doing things in order to devote more effort or to invest more money in order to better manage all those risks?
André Boucher, Director General, Cyber Security Partnerships, Communications Security Establishment: Good morning, and thank you for your question. Yes, this is a clear and present danger for Canadians. What you are actually seeing is a shift. Previously, it was done by people on the move. Someone went and knocked on the door of your bank in order to get your information and your money. Now, these criminal acts are done electronically. Unfortunately, I feel that it is inevitable. People with bad intentions are evolving with the technology available and are trying to make it work to their advantage. In fact, Canadians are just as much targets as anyone else in the world.
In terms of knowing whether we are making enough effort, I would say that there is still a parallel. I feel that governments definitely must play a role in implementing measures to fight cybercrime. The bad guys we knew in the past have simply evolved towards the world of technology. The CSE has a technical role to play as an expert in the field. We have gone through the technological revolution, we are part of it, we have used it in our work and, through those activities, we have watched the bad guys evolve. It puts us into a strategic position to be able to intervene in our community.
Senator Massicotte: I really get the impression that we are likely to lose the battle against organized crime. We receive emails looking for information every day and they are often very good imitations of our banks in Canada. We are on guard against those false alarms. Imagine those who are less well equipped, who are not as knowledgeable or who are less accustomed to the situation. I am sure that major amounts of money are collected every day because no one is turning these fraudsters in.
I see it as a race between yourselves, the order, and the criminal world that generates millions, if not billions, of dollars by manipulating information. It attracts better knowledge. That scares me too. We are going to lose the battle because they are well equipped, they are financially motivated and they are very well paid. What are we going to do? That is what we are dealing with, and I believe we are going to lose the battle.
Mr. Boucher: I would like to draw another parallel, because the situation can be looked at simply. We have all learned to deal with the people who come door to door to sell us products or services. We have learned to be selective, to determine whether someone is legitimate or not. Now we have to do that in an electronic world. It is more difficult, because we have to make decisions much more quickly than in the past. We have to recognize that it is a reality. We also have to raise awareness with consumers and the public, so that they learn to recognize what is legitimate and illegitimate in their activity on the Internet. More than 88 per cent of Canadians are connected. This is a very real problem.
Senator Massicotte: Thank you.
Senator Enverga: Thank you for your presentation. You mentioned foreign actors. Are there particular countries that seem to be more of a concern to us? You don’t have to say the names. I just want to know whether there are particular countries that maybe we should focus on.
Mr. Jones: I think with regard to countries, both the power and the problem with the Internet is that it can come from anywhere. There are certainly countries that represent a greater challenge for the RCMP when they are going to do investigations, et cetera. This is one of the greatest challenges, I think, when rather than take technical counter measures, which we typically focus on when we’re talking about cyber and use law enforcement, it’s interjurisdictional and a significant amount of work just to get to the cyber criminals. You can hide on the Internet. You can jump around, jump through countries.
I would say while it looks like there are countries where the origin is, they will very quickly migrate, depending on the circumstances and where they think they can better hide. That’s for cybercrime where they will go to the jurisdiction that is the best fit and the easiest to work in. Then when you go to states, it’s the exact same problem, where you have states that have different objectives, depending on what they are looking for on the Internet. But the fact is it is very easy to hide.
One of the things people really look for is attribution. That’s the first question I get any time there is an incident: Who did it? It is difficult now to tell states from criminals. Their level of sophistication, as has been pointed out before, has gone up. So it’s not really a matter of which state or country makes it easier or which cyber criminals. It’s whether we can make ourselves more resilient and how the world needs to react to the fact that the Internet is a boundless environment where territoriality doesn’t really apply. You can hide. It’s almost a new domain that we haven’t caught up with yet.
Senator Enverga: You mentioned Assemblyline. Is it going to be available to almost everybody? I mean, it’s going to be some sort of a freeware for everybody.
Mr. Jones: Yes.
Senator Enverga: With your experience and expertise, would you expect this to help in every way, as in replacement of other anti-virus or anti-spam software? Is that how you think it is going to be used?
Mr. Jones: It doesn’t replace any commercial products that are out there, the things that we should all be doing, running good anti-virus products that are up to date, patching our systems and making sure that we are continuously upgrading our technology.
What it does is it will allow malware researchers, malware analysts, people on the front lines of bigger organizations, to plug different tools together so they don’t have to do it manually. You don’t have to run through tool A, then take it manually and put it through tool B. Assemblyline lets you assemble all these different components and tools in a way that automates that workflow. It really is a tool that is focused on academia for malware research, businesses who are cyber-defence organizations or large companies that need to do this type of thing.
It wouldn’t be something, for example, that I would run at home if I wasn’t a cybersecurity nerd. It would be something that I would look for a larger company to take on and to really run this. It’s not a tool that us as citizens would each be looking for. It’s something we are really looking to try to boost the whole level of the industry, knowing that we rely on them to provide us service.
Senator Enverga: With all the issues right now with cybercrime and cybersecurity, what is the first point of entry? Do you think our provider should be keeping an eye on this? Is there a way they can secure this so everybody else will have a secure line?
Mr. Jones: The real issue is the devices at the end of the link that are the vulnerable points, running out-of-date systems, old versions of operating systems, for example, not applying that patch to your smartphone when it is required, things like that. It is the Internet of Things, like the thermostat they put into our houses, et cetera. Those things are the points where they are vulnerable. For somebody in the middle as the defender, you would actually have to censor a tremendous amount of the activity. You would really start to get in the way of the use of the Internet.
What we really have to do is make the systems at the end more resilient and easily updated. You shouldn’t have to worry about whether you are running a new software. How do we do security by default? Meaning we don’t have to think about it as consumers. The device is secure by default, not secure because I have to take some sort of complicated action to keep it up to date. Right now, most of the things need a complicated action.
Senator Enverga: Can the provider stop the user from using his or her device so that everybody can be secure?
Mr. Jones: For example, with your e-mail provider at home, most of them are doing a lot of work to try to decrease spam, decrease known malware types of things, and they will try to protect you. At the end of the day, it’s a balance between letting people do what they want to. There are some things they just can’t prevent. They certainly can prevent things like e-mail, et cetera, as you use their services. That’s the easy one. When the thermostat you have installed in your home actually is vulnerable to an external cyber-attack, there is very little they can do on that. They can maybe protect the rest of the world from your device, but probably not you from what your device is going to do.
Mr. Boucher: It’s really a complex problem because it is the inter-ecosystem you have to address. In addition to the device that you put into the system and your own responsibilities for using it properly, and as you point out, the people that bring the information to your house or to your home with your car, there are also those that make the devices or that provide the systems, that manufacture them, or those that operate certain systems on behalf of others. Every person involved in delivering and operating and supplying the ecosystem has the responsibility of creating the state of security that we need to have.
Senator Enverga: That’s scary.
Senator Unger: Thank you, gentlemen, for your presentation. Mr. Jones, you mentioned that together we can collectively make Canada stronger and more resilient against cyber threats. What do we need to do to be more resilient?
Mr. Jones: I think there are a number of things that we can build on. One is, this is a team sport. The first thing is we need to work as citizens, us being better and more aware of what technology we are using. We need to demand better products as we’re buying them. We should demand that security come in, just in the same way we expect certain things to come in, for example, if we buy a vehicle for safety. We should be asking for the security features to be in the Internet-connected devices.
We need to work with industry to make sure that we’re applying that ecosystem we talked about and finding a new way of having a relationship. Right now, it tends to be very much based on an adversarial regulatory environment that, unfortunately, the Internet is outpacing how quickly those types of formal arrangements can react, which means we have to work together. We have to find a way of working together —win-win — to work on this problem as a whole collective, all the way from citizens, from information, asking the right questions, buying the products that have security built in from the start, making that something that the market values, all the way to figuring out how the government can make sure we do our piece with industry altogether.
It sounds a little Pollyanna-esque. I know it seems optimistic, but in reality with cybersecurity, it’s going to be the only way that we can make it more resilient, by partnering and working together and finding ways to boost everybody up and looking for those opportunities. That’s something that we really have been working on the last few years.
Senator Unger: There is a proposed CSE Act which will eliminate the ambiguities about what we’re permitted and authorized to do in cyberspace. Could you talk about that?
Mr. Jones: The current National Defence Act provides CSE with its mandate. That part of the National Defence Act was written in 2001, and technologies have evolved quite extensively. The mandate we operate under is basically a single line in that act that says: Provide advice, guidance and services to help ensure the protection of information and information infrastructures of importance to the Government of Canada.
That was really before cybersecurity. Well, we didn’t use the term “cyber.” Smartphones had not been invented. We didn’t know an iPhone was coming. Technology has changed quite remarkably. Frankly, we were very much focused on, “Well, our only job is the Government of Canada.” As that has expanded and we started seeing what the impact could be on critical infrastructure on the various sectors, including finance, transportation, et cetera, we have realized, number one, we have some tools that we have that we use to defend the government that are world class. We haven’t found anybody who defends their organization in the same way that we’re able to defend the Government of Canada. For example, on many days we take up to a billion actions per day to protect the Government of Canada from malicious activity.
We would like to make that available. Right now the CSE Act would allow us, with the request of the company, the critical infrastructure provider, and the designation of the Minister of National Defence that it is important, to deploy those tools to protect, to use classified techniques to defend if we needed to. We don’t have that authority today. That’s the first ambiguity that would be resolved, and it would provide that authority. There is a belief that we can do that today. We can’t. I am restricted to the Government of Canada only for those services.
Second would be how we share information. We never anticipated needing to share things like indicators of compromise, tools, techniques, how somebody would be compromising a system. We imagined our role in 2001 as being: Here is how you secure your home Windows 95 system — it would have been Windows 95 back then — Windows 2000. It would not be: Here is a quick indicator of compromise we need to release. By defending the government, sometimes we detect that Canadian infrastructure has been compromised. We need to be able to share that. It was never envisioned. This just clarifies our information-sharing components.
The third piece is adding the role of defensive cyber operations. That’s taking action to protect Canadian systems but in foreign space. If something needs to be done, the defensive mechanism that needs to be done is to stop the activity before it hits the Canadian infrastructure and to be able to do that with obviously appropriate authorizations and oversight and the proper review mechanisms in place. That’s the third piece of the mandate that is clarified.
Senator Unger: One more quick question: The government is really pushing studies on automated vehicles. I live in Edmonton, and it’s a city that is wanting to push this agenda as well. In Edmonton, there are poles and high buildings that already have this special lens that will communicate with automated vehicles. I’m thinking this is still a few years away, but will it be that much easier? These cars can be hacked into for specific reasons. As we move into that, will that cause a huge increase in cybercrime?
Mr. Jones: We see the trend coming. The industry is starting to react, and that’s part of the partnerships. We need to build security into those from the start. There are some things in your car, for example, the entertainment system, that if somehow somebody hacks into it, that’s probably not great, but not detrimental, whereas if they hack into the brakes and lock the brakes up or lock the steering or change its course, that’s a much bigger issue. Part of the security design needs to include the fact that pieces of this infrastructure need to be very heavily defended, protected and also isolated so that they can’t be hacked into very easily.
Typically, what we see with any sort of cyber compromises, you usually don’t hack the system directly that you’re looking for. You hack something attached to it. You want to make sure that the control system of the car is very heavily defended and probably quite isolated. You’re probably not going to put the same level of security effort into the entertainment system. I’m using that as something that’s probably the least important thing in your car from the automated car perspective. You have to design it properly. You have to apply the proper isolation and security design and also not let things be the jumping point. That’s something also that we apply in today’s environment as well.
I think there’s a way forward. We’re supporting the Department of Transport as we’re working forward with that. We have a partnership with them. I know they’re working with the auto industry as well, and I think that’s something that is going on because it is the future.
Senator Unger: That’s good to hear. Thank you.
Senator Maltais: Let us talk today about ordinary Canadians who just have cable, the Internet and Wi-Fi on their computers. They keep their personal accounting there. They access their bank accounts, their holdings, they follow the stock market, just like everyone does in Canada. If I understood you correctly, people like that are not at all safe. A lot of people could go and play in their computers.
One thing intrigues me. Drones are an awful source of information for criminals. They just have to position a drone over your house and they can then photograph and record everything. We now see that happening in airports. We had an example in Quebec City on the weekend, where a drone almost caused a disaster. How is it that, with all the security measures we have available today, we are not able to detect on basic radar or destroy them before they cause real disasters? We were lucky in Quebec City, because there was no disaster. However, things could well have been different. How is it that we cannot protect one of the most important modes of transportation, in Canada and everywhere else, from a small object that can cause the deaths of hundreds of people? How can you explain that?
Mr. Boucher: I am going to expand on your question, which is somewhat similar to that of Senator Unger on the various devices that are emerging and that are all connected electronically. It must be a two-pronged conversation. There are malicious users, and that responsibility is related to public safety. In your example, was there a problem with the design of the drone?
As Mr. Jones mentioned, I think we have work to do to ensure that the various devices that are built and connected to the Internet for various purposes, including the transportation of goods, meet minimum safety standards. These protections will make autonomous vehicles, drones and heating systems reliable, like a host of other devices.
I think it’s a matter of safety standards. We see the problem arising, and we are already committed to solving it. People in research and development are working on it. Manufacturers are aware and they have everything to gain by doing things properly. I think it’s a real problem that we understand and that we can do something about.
Senator Maltais: I understand what you’re saying. However, a drone is much more dangerous. I can stop my thermostat manually or I can turn off the electricity if it heats up. If I’m one of the 125 passengers in a Q400 aircraft, I cannot stop the drone.
Drones are nothing new. They have been around for a few years. Why is it that we are not able to stop them or to identify the sources? I do not know how many millions of passengers travel by plane in the world. I cannot believe that research organizations have not already found a way to identify and destroy them, and to prosecute the individuals or groups who have put them into circulation. I have trouble understanding this phenomenon. It’s 2017, it will soon be 2018. It’s about protecting millions of people.
These days, we go to Mars, to the moon and everywhere. However, we are not able to destroy a small drone that can cause the death of a few thousand people. Can you tell us whether, in the near future, instead of developing the iPhone 3 to the iPhone 14, airports will have a small device that can detect nearby drones so that planes can land safely?
Mr. Boucher: I do not have a specific answer to your question. I think prioritizing our critical infrastructure and the related security measures will probably be in line with what you are asking. Thanks to the work we are doing right now, planned jointly with public safety agencies to be in a better position to work with the private sector in terms of critical infrastructure, this problem should come up and be examined. I agree with you in terms of the extent of the problem.
Senator Maltais: Someone whose bank account is drained may die, but it will take a little more time. A drone striking a plane causes death instantly. I think human beings are more valuable than bank accounts.
Senator Wallin: I am sorry that I was out of the room for your presentation. Ironically, I got a fraud call from my financial institution and had to go and deal. If you have dealt with this issue, please just say so and I will look at the records.
I know this is not your line of work, but I want your opinion because of your expertise. Do we actually need to make reporting of incidents mandatory, and if so, to whom?
Mr. Jones: That’s actually a very complex question. There are a few things.
Right now, the victims of any cyberincidents are actually the ones paying the brunt of the cost. There’s a significant reputational damage that happens with any sort of reporting, as well as a certain amount of panic. Unfortunately, this is part of the whole lack of security in the industry. We are trying to deal with the rapid growth and the economic incentive that comes with cybercrime.
Mandatory breach reporting is something that has to be done very carefully because it can actually have the opposite effect where you start to create some panic. In a lot of cases, what we have now is breach reporting, which doesn’t allow you to actually take action.
The key thing is we have to really work on taking away the stigma of being the victim of cybercrime, helping to reinforce and really focus on enhancing their resiliency against it and looking for what those common causes are. It’s almost always the same set of actions that have led to the breach. Very rarely, especially if you’re looking at the financial sector, is it the financial industry themselves; it’s usually buried down in the supply chain where the breach started. How do we look at the resiliency and start to apply those lessons as we’re going forward?
Senator Wallin: We heard from our previous witness that there will be some requirement to report some breach activity through the Privacy Commissioner, but it’s not clear to what end. Is it helpful to go to the RCMP, your institution, CSIS or anything else with this information? Is there anything you can actually do about it? What we are also continually hearing is that we’re on circuit overload for this stuff.
Mr. Jones: One of the things we’ve tried to do is be the best victims possible. The Government of Canada does suffer compromises no matter what we do. That’s kind of the sign of the times. What I advise when I go and give speeches to companies, I always say, “No matter what you do, you can suffer a cyber breach.” There’s no way of avoiding it other than disconnecting.
We are trying to be the best victim possible. So we come out, we inform people what’s happened, and we take all the measures to protect and ensure what the privacy impacts are. We work with the Privacy Commissioner. We try to show the way so that hopefully it can start to reduce the stigma of being the victim of cyber and determine how to deal with this. How do we make sure we’re more resilient? We should be held to make ourselves more resilient so the same thing doesn’t happen again.
Breach reporting is actually a really difficult topic just because of that. It tends to take away from the response and actually dealing with the privacy incident. You deal with a communications event and start to minimize it rather than actually exploring what the true event is. What I’ve learned in doing a number of incident responses is that what you thought on Day 1 is not how you end on Day 30. It’s always something different and much more complex.
Senator Wallin: Maybe there has to be a process, because the answer is, “Well, it’s complicated so therefore we shouldn’t do it,” right?
Mr. Jones: I think the goal would be let’s do it in a way that we can help with the response, help with protecting whatever private information is breached and help with figuring out what happened. That’s what stance we’re trying to take. For anybody who comes and asks for help, we want to try to make sure the government is doing what we can to help them or provide advice.
I really want to put the emphasis on how do we look to make sure we never have to deal with that same type of breach again, but it’s a really difficult topic to decide. It’s one of those where there are pros and cons in every column.
Senator Wallin: Which way should we be leaning at this point?
Mr. Jones: I think we need to really focus on holding people to resiliency and to doing the things that make them stronger.
Senator Wallin: But how can you hold them to resiliency if you don’t know anything happened?
Mr. Jones: That’s by working with the industry to define some standards and to determine what good cybersecurity practices look like. The industry is getting better at starting to set baselines for those types of things. That’s where I would put my emphasis, in really determining how we collectively define the bar so the bar is high enough. That would prevent a significant amount of cybercrime.
For example, the government is a victim of cybercrime as much as everyone else is. We’re able to stop almost all of it. We’re almost immune because we’ve built in enough resiliency that we can take blocks and can take actions. The government is getting better at implementing our basic top 10. It’s not perfect — anybody who claims perfection in cybersecurity is lying — but it is getting better.
So that starts to take entire classes of bad activity out of the equation. Once you do that, your IT security resources can start to focus on the really sophisticated, the things they really should be looking for. Right now, the industry is being eaten alive by really low-quality cybercrime, except it is incredibly impactful.
Senator Wallin: That’s an interesting point.
The Deputy Chair: Mr. Jones, before I go to round two and the two names on my list for second round for follow-up questions, we’ve had a lot of discussion about how you are supporting and working with the private sector. I think it would be helpful for us if you could explain, just briefly, these various partners that you list. You’ve listed several key partner organizations and what their mandates are, if you’re able to help us with it. The Canadian Cyber Incident Response Centre is the first one you referred to.
Mr. Jones: Absolutely. Adam Hatfield, who was here yesterday answering your questions, is the director of that organization within Public Safety Canada. That is the overall lead for cyber incident response, Canada’s national cyber incident response team. That is what CCIRC is.
The Deputy Chair: If industry had a problem, they would know to contact that entity, and they’d have the phone number or e-mail address right on their desk?
Mr. Jones: That’s what our hope is. Certainly if any industry asks us who they should contact if there’s an incident, contact CCIRC and we’ll make sure we work with them as part of Team Canada to respond.
The Deputy Chair: The Canadian Cyber Threat Exchange?
Mr. Jones: The Canadian Cyber Threat Exchange is a not-for-profit organization that was set up by Canadian industry to promote the sharing of cyber-related information. For example, it could be indicators of compromise. It’s a way of removing that stigma of being the victim but sharing when the breach has happened, so sharing what happened, how it happened and what are the things that everybody else should be looking for to try and facilitate that. It was an initiative that the industry had started and that we are certainly supporting. We are an adviser to the board of directors. We also try to contribute our indicators to that organization to try to foster the sharing of information to make us all a little bit more resilient.
The Deputy Chair: Would the work be duplicated by the Cyber Incident Response Centre?
Mr. Jones: No. Actually, I was negligent; I should have mentioned we partner with Public Safety on that as well. We’re both advisers. We make sure that we do not duplicate the work there. We support CCTX in also making sure that that information is being shared as widely as possible.
The Deputy Chair: The final one, the Canadian Security Telecommunications Advisory Committee.
Mr. Jones: That is an organization of the federal government and all of Canada’s leading telecommunications providers where we work collaboratively on issues such as cybersecurity standards, the things that we all need to be preparing for. We try to share information on where the industry is going so we can get ahead of the technology trends. It’s a very open, collaborative forum. It’s led by Innovation, Science and Economic Development Canada. We partner there, as well as CSIS and Public Safety, to try and facilitate a productive dialogue with the telecommunications partners to share best practices and build on what things we should be doing together to make Canada more resilient at the foundation.
The Deputy Chair: There have been a number of questions here over the last two days to make sure there is not duplication of effort and silos going on. You’re satisfied that each of these organizations performs a distinctive function that is best operated separately from the others?
Mr. Jones: The one thing with cyber is it’s very pervasive. When you start to look at cyber issues going to pipelines, pipeline security goes into electrical distribution, all of which are sectors with regulation into crossing over federal-provincial-territorial-municipal boundaries, et cetera. I think cybersecurity is one of those issues that is just so horizontal that it does require a lot of collaboration.
We work very hard to try to ensure that we don’t duplicate. We’ve gotten better. It’s something that we’ve been working on trying to improve in the federal government. Many years ago, I used to describe cybersecurity in the government, when something would happen, as being like six-year-olds playing soccer; everybody would run to the ball and nobody would really be playing. We’ve gotten better about saying, “Okay, who is playing which position” and working on that.
Right now, it’s a matter of where the mandates are set. We’re trying to maximize what we can do to support the industry, but it continues to be a challenge, especially with how quickly technology evolves and how quickly industry is changing to represent that.
The Deputy Chair: Who is taking the lead in saying you play that position and you do this and you do that? Who is taking the lead there?
Mr. Jones: We do it collaboratively with the departments, depending on the type of incident. For example, if it looked like it was something that was a compromise within the Government of Canada, we would work with Shared Services Canada and the Treasury Board to make sure we were responding. If it was an incident impacting critical infrastructure, a general cybersecurity incident, depending on whether it was a criminal investigation, RCMP, or general, it would be Public Safety. If it was a national security incident, for example, a state trying to corrupt our critical infrastructure, we would look to support the Canadian Security Intelligence Service in that lead. But really it depends on the type of authority. That’s one of the things that we work diligently on, and it’s on a constant basis. Whenever any incident comes up, the first thing is who is going to take the lead and how will we work together.
Senator Massicotte: We talked earlier about citizens and consumers. Let’s talk about the big picture. What is the level of threat? How comfortable should we be that there’s enough resiliency that we should not be threatened? For instance, there is critical infrastructure, hydroelectric plants and nuclear plants, and you referred to pipelines and as well as organizational things. For instance, you talked with your own government, Shared Services Canada. This summer, Revenue Canada was shut down for a couple of days because it was being attacked. All of us certainly were worried. That’s a lot of information. We could be exposed. How comfortable are we that we’re not exposed in those very serious areas of infrastructure or government information?
Mr. Jones: Actually, it is a sector-by-sector approach. If you look, the level of threat is growing. Cybercrime especially is growing rapidly. There’s a huge financial incentive for the criminals to spend money to do this. In many cases of cybercrime, there’s a 24-hour hotline to buy tools, where you can get support, ask for help, et cetera. It’s quite astounding how much infrastructure there is. The threat level continues to grow.
In the Government of Canada, we have done a lot to increase our resiliency. The incident you’re referring to with Revenue Canada also impacted Statistics Canada. We took proactive measures to make sure we weren’t breached. We had enough situational awareness that we could take a proactive measure when we found out that the system was vulnerable.
Depending on where you go, some organizations are quite mature in cybersecurity and some aren’t. That’s something that is a big concern. I’m not going to try to say that the level of cybersecurity in Canada is high. There are some places that are quite behind that we have to work with. There are some organizations that invest quite heavily in protection and in increasing their resiliency.
The banking sector is one of those where they do invest. They see this as something that is not only a threat but something they have to stay ahead of to ensure confidence. We work with them and with a number of banking organizations. They continue to invest. In fact, many banks have a larger cybersecurity organization than I run for the Government of Canada.
When you go to different pieces of critical infrastructure, it’s really variable, but I would say that the level of resiliency in general in Canada is probably low.
Senator Unger: Mr. Jones, you talked about your mandate. Part A involves a collection of foreign intelligence in accordance with Government of Canada intelligence. Through your presentation, you talked about who you work with. How large is your organization?
Mr. Jones: The IT security portion of CSE or CSE in general?
Senator Unger: Your specific overall area.
Mr. Jones: Right now, 497 is the number today. That is growing slightly. We have responsibilities ranging from what we’ve talked about today, which is primarily cyberdefence, but also we provide all the cryptographic equipment for the Government of Canada as well. For every piece of Canadian Forces communications equipment, we provide the cryptography for that, the equipment that they use to secure, the keys, et cetera, and we do that in a very tight partnership. The number is a little deceptive. Most of the cybersecurity side of things is probably on the order of around 200 or 250 people.
The Deputy Chair: Thank you very much. That’s a good note to adjourn on. We very much appreciate the Communications Security Establishment representatives, Mr. Jones and Mr. Boucher. Thank you for being here. Keep up the good work. We’re counting on you.