Skip to Content
 

Proceedings of the Standing Senate Committee on
Banking, Trade and Commerce

Issue No. 35 - Evidence - March 1, 2018


OTTAWA, Thursday, March 1, 2018

The Standing Senate Committee on Banking, Trade and Commerce met this day at 10:30 a.m. to study and report on issues and concerns pertaining to cyber security and cyber fraud; and study the present state of the domestic and international financial system.

Senator Douglas Black (Chair) in the chair.

[English]

The Chair: Good morning and welcome, colleagues and members of the general public, who are following today’s proceedings of the Standing Senate Committee on Banking, Trade and Commerce either here in the room or listening via the Web.

My name the Doug Black, I am a senator from Alberta and I have the privilege of chairing this committee. I would ask my colleagues if they would introduce themselves, please.

Senator Tannas: Scott Tannas from Alberta.

[Translation]

Senator Dagenais: Jean-Guy Dagenais from Quebec.

[English]

Senator Wetston: Howard Wetston, Ontario.

Senator Stewart Olsen: Carolyn Stewart Olsen, New Brunswick.

The Chair: Thank you all very much for being here.

We are also very ably served by our clerks and analysts.

Today is the sixth meeting on our study on issues and concerns pertaining to cybersecurity and cyberfraud, including cyber threats to Canada’s financial and commercial sectors, the current state of cybersecurity technologies and cybersecurity measures and regulations in Canada and abroad.

The second portion of our meeting will focus on our general mandate, which is the present state of the domestic and international financial system.

For the first section of our hearing, I am pleased to welcome Scott Smith, Director, Intellectual Property and Innovation Policy at the Canadian Chamber of Commerce; as well as Robert W. Gordon, Executive Director of the Canadian Cyber Threat Exchange; and Ron Green, Chief Security Officer at MasterCard.

We have a very informed and distinguished panel, and we look forward to learning from you. Each of you is invited to make a presentation no longer than five minutes, and from there we will go to questions. Gentlemen, thank you for being here.

Mr. Gordon, the floor is yours.

Robert W. Gordon, Executive Director, Canadian Cyber Threat Exchange: Thank you, Mr. Chair and members of the committee, for the opportunity to address the issue of cyber-threats to Canada’s financial and commercial sectors and the security measures in place to try to mitigate those threats.

As this is the first time someone from the Canadian Cyber Threat Exchange, or CCTX, has had the privilege of appearing before the committee, I will take the opportunity to describe why the CCTX was created and the role it plays in trying to assist the private sector to mitigate the risks posed by cyber-threats.

Approximately three years ago, the idea of creating a CCTX to facilitate the sharing of cyber-threat information was considered by a group of Canadian chief executive officers. They observed that knowledge about cyber-threats should not be a competitive issue among companies; they should all operate on the basic understanding of the cyber-threat they are facing. Companies can then evenly compete on the basis of the products and services they offer.

In December 2015, the CCTX was founded by nine companies which provided the initial funding: Air Canada, Bell Canada, Canadian National Railway, Hydro One Networks Inc., Manulife Financial, Royal Bank of Canada, TD Bank Group, TELUS and TransCanada Corporation. Today, the CCTX has grown to include members from 11 financial institutions, and industry sectors including transportation, telecommunications, energy, retail, professional services and entertainment.

There are several reasons why sharing cyber-threat information is important. Sharing leverages the knowledge of others and makes the cost of an attack more expensive. It enriches the cyber-threat information held by companies, making it more actionable. Timely, actionable information provides the means to harden cyberdefences. Sharing information is cost-effective; individual companies don’t have to do all the analysis themselves. Sharing is one way of also helping to protect clients and the corporate supply chain. The bottom line: cybersecurity is a team sport.

The CCTX is a not-for-profit organization with two mandates. First, it serves as a cyber-threat information sharing hub. Second, it enables collaboration among member companies in countering cyber-threats. The CCTX is unique in that it represents all sectors and all sizes of companies.

The CCTX information sharing hub operates by receiving cyber-threat information from member companies and will shortly be receiving information from federal government departments and threat data feeds, which will be purchased from commercial vendors. Participating companies provide what are described as indicators of compromise, which is unusual cyber activity detected on their networks.

The information provided by the member companies is anonymized; there is no attribution as to which company provided the information and it contains no personal information.

CCTX analysts review the information and prepare a variety of reports. Some are tactical, relating to attacks under way, and some are of a more strategic nature, suitable for more business decision-making. In its first year of operation, the CCTX issued over 1,000 cyber reports.

Information sent to and received from the CCTX operations centre can be processed in a machine-readable format. The objective is to disseminate the information as quickly as possible so it can be incorporated into the defences of participating organizations. To be useful, information must be actionable. To be actionable, it must be timely and contextually relevant.

The CCTX’s collaboration mandate provides cybersecurity professionals with the ability to exchange best practices and ideas. Exchanges occur within what we call communities of interest and communities of trust.

Communities of interest operate across industry sectors. Topics include trends in ransomware attacks, new technologies and data loss prevention. The exchanges occur in a variety of forms, including monthly conference calls, during which cybersecurity experts talk about the latest developments. The CCTX secure portal also has compartments where companies can post information and exchange comments on cybersecurity developments.

Communities of trust are established to facilitate collaboration among a small number of companies where there is either some particular sensitivity to the information being exchanged, or the nature of the exchange wouldn’t be of interest to the broader group. A community of trust is currently operating with some banks and telecommunications companies who are examining specific cybersecurity threats.

Most of the collaboration occurs within the virtual environment. We also provide a physical space in our operations centre where cybersecurity professionals can meet in person to collaborate on solutions to current problems.

In addition, the CCTX hosts collaboration events at various locations around the country. These half-day events feature experts addressing a range of discussions, everything from new cybersecurity legislation to how artificial intelligence can enhance cybersecurity and the latest techniques used by cyber attackers.

The CCTX is preparing to receive information from two sources in the federal government: the Canadian Cyber Incident Response Centre in Public Safety Canada and the Communications Security Establishment. CCIRC and CSE help support Canada’s critical infrastructure operators. Working in partnership with the CCTX, they extend that support to a much broader constituency.

The CCTX benefits from the expertise of permanent invitees to meetings of the board of directors. These include Public Safety Canada, the Communications Security Establishment, the Business Council of Canada and academia. Currently, Benoît Dupont from Smart Cybersecurity Network, who previously appeared before this committee, is the representative from academia.

In conclusion, the initial focus of the CCTX has been on growing the membership of large organizations and providing them with products and services. The next phase will be the development of cybersecurity products and services tailored to meet the cybersecurity needs of small- and medium-sized companies. We are exploring expanded partnership opportunities with academia to help grow the number of cybersecurity professionals that are in desperately short supply in Canada and to enable cybersecurity research that will work to the benefit of all Canadians.

Thank you very much. I look forward to your questions.

The Chair: Very good presentation. Thank you very much, Mr. Gordon. Mr. Smith, please go ahead.

Scott Smith, Director, Intellectual Property and Innovation Policy, The Canadian Chamber of Commerce: Thank you, Senator Black and members of the committee, for the invitation to appear before you to talk about cybersecurity, something that’s been near and dear to me for the last couple of years.

I am pleased to be here to represent the Canadian Chamber of Commerce. We are the largest business organization in Canada. We have a network of over 450 local chambers of commerce, which are all members of ours, that represent over 200,000 businesses of all sizes and all sectors of the economy and in all regions in Canada. My comments this morning are reflective of regular dialogue with those members.

Cybercrime is a catch-all term that describes a number of more specific transgressions accomplished by infiltrating computers across networks. Fraud in the form of identity theft or the spoofing of legitimate websites to lure customers is a pervasive problem. So is extortion in the form of ransomware. Destroying data or hardware is vandalism. Acquiring credit card numbers or leaking sensitive personal information for financial gain is theft. “Hacktivisim” is any one of those crimes committed in the name of a cause. Then there is the more benign crime of trespassing, which is stopping for an unwelcome look at someone’s computer.

Cybercrime costs everyone everywhere. Studies suggest that cyber attacks cost the global economy $445 billion. In Canada, the number of businesses experiencing losses from cybercrime is increasing. The Ponemon Institute last year surveyed 24 companies across all sectors and noted the average cost of a data breach is $6 million. The average cost per record of a breach is $258. And the average number of records breached in 2016 was 20,456.

We’ve seen some large, very public breaches over the last few years. In 2013, the Yahoo breach impacted more than 3 billion people. The Equifax breach last year affected far fewer, only 143 million, but that has shaken the public trust because this is the company that monitors your credit after a breach.

The most expensive breach ever was Mydoom over a decade ago. That was $38.5 billion in damage.

Cyberbreaches impact businesses large and small, but we only hear about the large ones, the household names. I want to talk about the small businesses in Canada and how they are impacted.

In Canada, 98 per cent of businesses have fewer than 100 employees, and 74 per cent have fewer than 10 employees. These small- and medium-sized businesses employ 10.5 million people in Canada, 90 per cent of private sector employees, a vital part of our economy.

They are the most vulnerable to exploitation from cybercriminals because they lack the financial and human resources to protect them effectively. The cybercriminals are organized and multi-layered. Ransomware is now sold as a service on the dark web.

The process is straightforward. You specify your bitcoin address to get the ransom, select the amount you want to collect from the ransom, anywhere between 0.01 BTC and a maximum of 1 BTC, and you get a nice piece of malicious software delivered to your inbox a few seconds later. Then you deploy it to whatever predetermined email list you choose. Once launched, that malware will encrypt files, and the unsuspecting mark will have to pay the ransom to get their files back, or at least, some of them will. The business model behind this is simple: The bad guys keep 10 per cent of the ransom; it’s almost like a distribution network for ransomware.

This has happened recently to one of our local Chambers of Commerce in southwestern Ontario. They were attacked by ransomware—someone clicked on the wrong attachment. They were smart enough not to pay the ransom, but there was a significant cost in downtime, in IT consulting and in reputation, and there were some files lost forever due to the backup cycle. It will never be a perfect solution.

There are 3.5 million emails sent every second globally. One in 40 contains malicious software. The threat is real. We have to remember — and what I hope members of this committee will remember as policy-makers — that the businesses who are impacted by cybercrime are the victims. When we are crafting regulatory policy to protect personal information, the businesses that have been breached are required to report and make amends for those breaches, and they themselves are in crisis mode. A regulatory policy should be focused on the perpetrators of the crime.

The CIA considers three things when assessing threats: confidentiality, which means protecting and keeping your secrets, so espionage and data thefts are threats to confidentiality; availability, which means keeping your services running and giving administrators access to key networks and controls, so denial of service and data deletion attacks threaten your availability; and integrity, which means assessing whether the software and critical data within your networks and systems are compromised with malicious or unauthorized code and viruses and malware that compromise the integrity of the systems they infect.

Our focus at the Chamber of Commerce is how business needs to be aware of this triad, how cybersecurity is a vital risk-management exercise and how government can facilitate awareness and engagement and the steps companies can take to protect themselves.

Our report,Cybersecurity in Canada: Some Practical Solutions to a Growing Problem, which I think you have either a link or copy of, proposed a number of policy options the Government of Canada could undertake to provide leadership and resources for the business community to remain competitive.

We were pleased to see this week’s budget announcement included a number of measures we outlined in our report. For instance, we asked for the consolidation of cybersecurity policy under one agency. Budget 2018 proposes to do that, adding $155 million to the budget of CSE.

We asked for more focus on protecting critical infrastructure. Budget 2018 commits to that. We asked for more resources to combat cybercrime. Budget 2018 provides $116 million to the RCMP to do that.

We asked for support for small business in combatting cyber threats. Budget 2018 allocates $236 million to support a cybersecurity strategy that includes cybereducation and a cyber resilience certification program. We’re close to the cybersecurity certification program proposed out of New Brunswick. We’re hoping to make an announcement shortly that we will be helping to distribute that across the country and encouraging businesses to participate, but we were part of the development of that process. Hopefully, the government goes for that as part of the voluntary certification program.

The other thing we were hoping for in the budget, but did not see, was tax measures to make investments in cybersecurity network systems and software accelerate the speed to be able to write those off. You might want to consider that down the road. It will be welcome in the business community. We look forward to working with the government of Canada as it crafts its cybersecurity strategy.

Thank you for your attention and I look forward to your questions.

Ron Green, Chief Security Officer, MasterCard: Good morning and thank you for the opportunity to be here today. My name is Ron Green, and I am the Chief Security Officer at MasterCard.

First and foremost, I want to praise the committee for launching this study. Cybersecurity is one of the greatest challenges governments and businesses are facing at the present time, with serious implications for national security, financial stability and consumer protection. Cybersecurity is a top global priority at MasterCard. At MasterCard, safety and security are foundational principles central to every part of our business in the innovative technology platforms and services we enable.

We know that secure products and services are essential to the trust our consumers, customers, cardholders, merchants and other partners place in us.

Let me contextualize that. As you probably know, MasterCard does not issue credit cards or have a direct relationship with consumers. That is the purview of the banks that issue our cards. MasterCard is a technology company, and we provide the network that allows consumers to use their MasterCard virtually anywhere in the world, more than 210 countries and territories, and have that transaction processed in seconds.

We operate the world’s fastest payments processing network and connect 2.3 billion cardholders with tens of millions of merchants around the world. For us to provide value to banks, merchants and consumers that use our networking, we must provide safety and security. We cannot afford to have any interruptions in the operations of our network. When a bank issues our card, when a consumer takes the card out of his or her wallet, or when a merchant decides to accept MasterCard, each of those stakeholders needs to do so with the confidence that the network over which those payments will be made is reliable and resilient.

We have a solid record on that. The MasterCard network has layers of cyber defences designated to mitigate risk and protect it from being hacked. We are continually building resiliency to prevent service interruption. We at MasterCard are constantly investing in security. Over the last three years, we have invested over $1 billion in reinforcing the cyber defences of our network and developing solutions to protect participants in the payments ecosystem — issuing banks, acquirers, merchants and cardholders. This has involved taking the lead in developing new payment and commerce ecosystem standards, which are constantly being revised with an eye to security. We are investing in innovation and enhancing our capabilities in house, acquiring cutting edge technology companies and nurturing our Start Path group of curated startups, connecting them with our issuing partners to grow their business.

There are five widely accepted elements essential for cybersecurity risk management. MasterCard operationalizes them in the following ways:

Identify: We are doing interesting things here, including MasterCard’s identity check, which Canadian banks were among the first to commercialize. The priority is to authenticate the identity of the network users.

Protect: Here device security is critical. With a networked system, any device can be an entry point for a cyber attack. To this end, last year MasterCard acquired NuData Security, an innovative Canadian technology company that helps businesses prevent online and mobile fraud by using behavioural and biometric indicators. NuData enhances our capabilities, including preventing consumer device cyber attacks, account takeover and enabling intelligent friction.

Detect: Essentially stopping an attack before it begins. Here we are making major investments in artificial intelligence, including the recent acquisition of Brighterion, a global AI leader, which enhances our ability to detect sophisticated attacks. Brighterion’s AI solutions help MasterCard find the proverbial needle in the haystack when it comes to sifting through massive quantities of data.

Respond: In order to respond effectively to threats, information sharing and collaboration among industry partners, financial institutions, the FS-ISAC are essential. In the United States, cyberemergency readiness teams, or CERTS, align with their counterparts in other countries, including Canada.

Recover: Like other industry leaders, MasterCard is continually building and improving resiliency plans to ensure our backup plans work if needed.

This includes a real time machine-to-machine automated means of responding. At a very high level, this is what we are doing.

Please let me turn to our advice for governments which falls into five main areas.

First, in a networked interconnected digital world, we need cybersecurity solutions tailored to small- and medium-sized businesses. Cybercriminals will seek out the weak points in the system to launch an attack. Therefore, we need to provide a framework for small businesses to protect their operations. MasterCard is playing a leading role in defending small- and medium-sized businesses as we set up the Cyber Readiness Institute, which emphasizes the practical application of tools for small- and medium-sized businesses. The Institute also facilitates the workforce development needed to implement those cybersecurity management tools.

Second, companies frequently confront an expanding and overlapping set of cybersecurity regulations in different jurisdictions. Those need to be harmonized using a baseline framework. We understand good trilateral progress is being made here in the context of the NAFTA renegotiation, developing a common framework to align the management of cyber risk, which is encouraging.

Third, there is a need to improve identity management and authentication as more devices are connected online. We need a robust identity ecosystem to enable easier and more secure digital transactions, which safeguards the privacy of our cardholders.

Fourth, with the Internet of things, there will soon be 30 billion connected devices. This creates enormous opportunities for the digital economy, but it also increases the cyber risk. Therefore, governments and the private sector should develop standards to improve the interoperability and cyber-threat detection and prevention while removing friction from commerce.

Finally, as the cyber threat grows, governments and the private sector face a shortage of employees with cybersecurity skills. In fact, the world needs to start training the next generation of cyber experts, and government has a role to play. If you have kids or grandkids, get them hooked on cybersecurity. They can make a lot of money in their lifetime because right now the need is there, but the qualified cyber professionals are not.

I could talk for hours on this subject, but I only have seven minutes. I have provided today a snapshot of what we are doing and what we think governments should be doing. I must acknowledge that I know the Canadian government is working on a cybersecurity strategy. We took part in the consultation and look forward to its rollout. Unfortunately, we do not have the luxury of time when it comes to cyber-threats. Collaboration, information sharing, bringing all stakeholders to the table — all this is required to fight cybercrime. President Obama commissioned an expert task force on cybersecurity on which our CEO sat. That task force issued a series of recommendations. The CRI, which I mentioned earlier, is a direct offshoot of the task force emphasis on securing SMEs. I believe this is an issue so fundamental to the future of our economy and society that it needs attention and leadership at the highest levels.

MasterCard is ready to lend its expertise to the Government of Canada in much the same way.

Thank you to the committee for having me here, and I look forward to questions.

The Chair: Mr. Green, thank you very much. That was very helpful. We will now have questions from the senators.

Senator Stewart Olsen: Thank you very much for being here. It was very informative.

I admit I looked with skepticism on the government’s announcement yesterday. I think there are massive difficulties they are going to have to overcome. For instance, this is a government where we couldn’t manage a pay system, so I’m not sure how we will manage cybersecurity and provide information.

Your point, Mr. Green, on the talent pool is one I raised yesterday and it is a major concern. I would like to know what your advice would be. Where do you go to get trained? Who offers this? Should the government be putting more money into universities and community colleges, places that actually look at this and train people for this very important position?

Mr. Green: As part of the institute I mentioned, we have a number of different programs we’re working on collaboratively with the federal government in the U.S., and that includes potentially creating internships where the cyberprofessionals have an opportunity to work for the government for a while and then have an opportunity to work for us.

We do a lot with universities in the U.S., just working with them to help establish the curriculum to train a cyberprofessional.

We also work with different organizations to allow people who are thinking about leaving the military to spend time with us, like in an apprenticeship program, to give them an opportunity to see what it’s like to work in the cyber field. There are many opportunities you guys could be working on.

Senator Stewart Olsen: Do you have any idea on what Canadian universities are doing?

Mr. Green: I’m sorry; I’m limited on what I know about Canadian universities.

Senator Tannas: Thank you for being here, gentlemen. I wanted to get Mr. Smith’s comments and then anybody else who wants to chip in with respect to the amount of money invested in bringing to justice the people who are perpetrating crimes today.

We’ve heard testimony in different ways where we know there are billions of dollars being taken from people, and that’s based on what is reported and an understanding this is the tip of the iceberg. Most people are too embarrassed to report it, or it’s too small, or it’s so large and embarrassing they won’t report it.

It seems to me it should be easier to hunt these people down, so I’m led to believe there is not an adequate effort going on. I know the government pledged $116 million over five years, so $24 million a year — probably on a head count basis, 250 more officers on an annual basis out there hunting down. Is that enough? Are we actually doing enough? I get that we’re doing enough to protect our macro situation, and that’s national security stuff, but are we doing enough to track down the petty thieves, the guys who buy for .1 BTC their own little criminal enterprise, and is $24 million a year going to get that job done?

Mr. Smith: I would start by saying, no, it’s probably not enough and it never will be enough. The biggest challenge for law enforcement in tracking down and dealing with cyber criminals is in order to find them, you have to think like a criminal. And I don’t think we teach people to think like criminals. So they have a big task in front of them.

I think the most important thing for the business community and for individuals is to be able to protect themselves to a certain degree and make themselves less of a target. The reality for most of the petty cyber crimes, under $5,000 in terms of ransomware, for instance, those are not particularly sophisticated actors, and it’s not particularly sophisticated software. It’s relatively easy to deal with if you have the awareness not to click on it in the first place and, if you do, if you have the right systems in place to be able to bring your systems back up to speed quickly. It’s about resilience. To go back to your original question, is it sufficient to go after all the petty criminals out there, no, it’s not, but there are probably more important things to deal with in terms of critical infrastructure, for instance. You want to go after that first.

Senator Tannas: I’m always frustrated with the “either-or.” Why can’t have an “and,” where we do both? I think back to New York City and Mayor Giuliani who went after both the mafia and the guy who spit on the street, and that’s how New York went from being a hole to being a wonderful place we all like to go to. I remember when it was the opposite. Is there not something we’re missing here? Don’t petty criminals start out as petty criminals and become something larger?

Mr. Smith: I think what you’re chasing is the larger crimes.

In other words, if you follow the money, there are larger criminal enterprises behind those petty criminals, so that’s what we should be going after.

To your point, is $24 million or 250 new officers enough to deal with that? Probably not. But we do need to work more closely with other law enforcement agencies around the world. This is not a Canadian problem; this is a global problem.

Mr. Green: I was recently at the FBI CISO Academy. Just like serial killers, hackers actually have a background or past, so you can have a behavioural analyst analyze the hacker and see what their tendencies are.

I think the problem, as far as enforcement goes, is you just don’t have enough officers who are trained. It’s completely different and new, so a lot of training is required to bring them up to speed. Then you have hackers who work — it’s an international crime. Even for the small things, you can have international boundaries you have to overcome. Partnering with other countries, especially those where it may be more difficult to get at the bad guys, those are things that, for petty crimes, your local officers would have to contend with.

The Chair: Senator Dagenais, before you start, let’s make sure we have our earphones in place and we’re ready to go with translation.

Senator Dagenais: I speak English, but I prefer in French.

[Translation]

My first question is for Mr. Green. Often, with cases of attempted credit card fraud, consumers may have to limit their card use for a certain period of time. Though this decision may bother consumers, it is indeed necessary. For their well-being, can you tell us, Mr. Green, at what point does attempted credit card fraud become a cyber attack? Do you have a policy that aims to inform potential victims of a cyber attack? We know that many people — myself included — fall victim to attempted credit card fraud, without it being a cyber attack. However, there must be a moment when you realize that you are not dealing with mere attempted fraud, but with a cyber attack, at which point you must inform your clients.

[English]

Mr. Green: There are a couple of things I think about here. One, when it’s fraud, we will notify or provide solutions to help the issuer identify the potential fraud on the card — and that’s what people most commonly encounter. When there’s a larger breach, when we identify a point of compromise that’s been attacked, we don’t do the notification. The victim is the organization that must do the notification. The victim is the one required to notify the impacted customers that they have been breached, they have been compromised, and because of that, those cards are at risk.

So we don’t do the notification. We help in the identification at the point of compromise, but it’s on the victim to do that notification.

[Translation]

Senator Dagenais: Mr. Gordon, can you give us examples of cybersecurity products, and tell us if small companies with more modest budgets can afford them?

[English]

Mr. Gordon: Yes. Eventually the products will be. We are developing some specific products for small companies that don’t have the large IT infrastructure, so very tailored to their needs: Here’s something very practical for them to be able to do, and they will use them. It will actually work nicely with some of the efforts that Mr. Smith was talking about relative to the Cyber Essentials program. I see those two going hand in hand in terms of here are the regulations and guidance, on one side; and at the same time, here’s some practical advice, something you can do for a small company that, as I say, doesn’t have the big IT shop or the expertise to go through it. So, yes, we’re developing that, and we’re starting to get small companies joining us now.

Senator Wetston: I think Senator Tannas pursued this issue yesterday. I may be incorrect, but I think the issue we were talking about was financial market institutions yesterday and hearing from witnesses. I think it was yourself, Senator Tannas, who pursued the potential attacks on other infrastructure — hydroelectric facilities, nuclear facilities, telecommunication. Was that you or am I inappropriately pointing you out here?

Senator Tannas: You are.

Senator Wetston: If it was, it was a great question.

I want to follow that up with you. There are a couple of other questions within this.

For example, Mr. Green, where do you fit into the payment structure? Do you have any regulatory oversight in Canada or the U.S. with respect to the payment system? That’s a second question that you might think about before I get to this first one.

What are your collective thoughts around cybersecurity and cyber attacks with respect to the infrastructure beyond financial institutions?

Mr. Gordon: I think it’s critical that we look at this holistically. It’s one of the reasons why the CCTX was structured the way it was, by bringing all companies together. Because the same kind of attack that will go after a hospital or university is the same kind of attack that will go after a small business or the financial institution. So it’s critical we have all those sectors working together, because the attackers are not distinguishing between a financial institution or another type of business.

The second thing is they’re using the supply chain to access into a variety of companies. They will go after the weakest link. It may be the small company that provides services into multiple other kinds of sectors. It’s imperative we look at this holistically. Attackers are just looking for an easy door, and then they will go inside the system. We’ve got to be protecting all of them.

Mr. Smith: The other side of the equation is the critical infrastructure you’re talking about: the hospitals, hydroelectric and nuclear facilities, your street infrastructure, your stoplights, what have you. All of that will impact the cost of doing business. In other words, you want to make sure you have a competitive environment to work in; and if you can’t turn the lights on and if you don’t have access to good water, suddenly it’s no longer a good place to do business, and that affects everybody.

Senator Wetston: The relationship between the need to have cyber resilience, but also to be able to operate your business, is obviously important.

Mr. Green, I asked you a question about how you fit into the payment system, and maybe you don’t. But perhaps you also have a comment with respect to running your business and spending hundreds of millions of dollars, I’m sure, on cybersecurity or safety and security of the system. Maybe that’s an excessive amount, but I’m sure it’s quite considerable. Any thoughts about that?

Mr. Green: When it comes to the spend for security, I’ve not been in a situation where I’ve not been able to get new capabilities we thought were important for MasterCard. We spend lots, and we will continue to spend more. It’s something our CEO has been very clear and dedicated with us about.

Our CEO actually had a similar question of me, making sure we were connected to those interdependent sectors like power and telecommunications, so making sure we have close ties. If we are up and available, but our customers can’t connect or talk to one another, or they don’t have power for their businesses, that will impact our ability to do the right thing for the customers.

The other question you asked was whether we are regulated, and do we have bodies that come in and oversee us? We do. Annually, we have the FFIEC, Federal Financial Institutions Examination Council. They evaluate what it is we’re doing for MasterCard. We have other countries that do similar things. That’s where the harmonization of regulatory requirements would be greatly helpful to us.

While compliance is not security, to me — so understanding we meet the compliance requirements, those are things we have to do. If there are 25 different ways of doing it, I spend my time meeting the compliance requirement, and then improving the security of the organization.

Senator Wetston: I have a number of questions here. I would like to try, if I could — and perhaps we’ll have a second round.

As we’re thinking about this as a report and being able to usefully contribute to public knowledge, and also to provide advice to government as they’re continuing to develop rules, regulations and requirements around cybersecurity, I remember hearing a TED Talk once where this physicist said the following, “If you’re an algorithm, you have a good future.” That’s almost what you were getting at when it comes to being able to educate yourself or work in the cybersecurity space.

But if you think about cybersecurity and about the ecosystem, the broader ecosystem, which I would describe as artificial intelligence, big data, interconnectedness — and that’s my second question; I’ll get to that in a moment — where do you see cybersecurity in the ecosystem, of all of these things continuing to transform our economy: Canada, U.S. and globally? I’d like to hear from all of you, if you have a comment.

Mr. Smith: One of the things I think we should probably have a larger conversation about is the Internet of things, or the Internet of everything, as some companies have characterized it, where you have billions of devices being deployed — some of them in the homes, some of them artificial intelligence, or at least machine learning — that are not necessarily designed with security in mind. I think that’s one of the bigger challenges we’re going to see in the next 10 years. As the evolution and the deployment and the ubiquity of these devices becomes much more common, there’s going to be a lot more in the way of paths in the door. So anything connected to those devices suddenly becomes a risk, and I think we need to start thinking about risk a lot more carefully.

Mr. Green: Cybersecurity should be like the air you breathe, as a part of anything you do. The technology we deploy, we come up with, is all meant to make things easier for humans. But as we make things easier for humans, as Scott said, oftentimes we’re deploying things without thinking about the security implications of what it is we’ve deployed. It has to be part of what we’re thinking all the time when we create these new things, because there is someone out there, once they get a hold of it, who will find a weakness if you haven’t found it.

Mr. Gordon: The other part about cybersecurity is it’s an economic opportunity. As you were saying, senator, we’re looking at big data and that sort of thing, and the processing of it. Data has now become the new currency; and if you can go to an environment where you can do that in a secure way, that’s a competitive advantage over areas that you can’t do that.

I think in Canada we’re well positioned. We have a lot of talented start-up companies that have a high level of expertise in the cybersecurity area. We have the talent pool. We have the legislative underpinning for the protection of privacy. We understand all that. So we have a great opportunity here. Yes, we have to do it to protect our business, but it’s also a business opportunity for the country as a whole.

Senator Tkachuk: Just a couple of questions on access. I’ve had a number of experiences with credit card fraud. In other words, one time some guy — it was a 7-Eleven or something — had taken out 10 bucks or 20 bucks at a time. I got a call from Visa. The other time was more serious; it was about 3,600 bucks. Because I go on the Internet to check my credit cards almost every second day, I found it right away, but it was done through a Facebook account.

How are these credit cards — are they sold by an employee in the business who is making money selling the credit card information from a merchant I used, or is it the result of some cyber attack on a larger scale I was unaware of? Where are most of them done? How are most of them done?

Mr. Green: Large-scale breaches are how a lot of it gets into the fraud ecosystem, where they breach a major merchant or processor, capture the card information, and then break it up and sell it on the dark web. But a lot of it has been, over time, captured through skimmers. There are different methods attackers or bad guys have used to collect information.

If you think about the improvements in the technology, like going to EMV,which discourages the capture of the magnetic stripe, and the things we’re doing with new data, these will create newer ways to secure the information used in the transaction to limit the availability of those things that can be commoditized and sold on the dark web.

Senator Tkachuk: Are you tough with people who do — in other words, in one case a merchant was giving out cash on a credit card or a credit card number. I’m not sure how that transaction took place. He obviously didn’t have my credit card. I had my credit card. So he either had my number or he had information on it.

Is the merchant punished? How does that work? Obviously there’s some complicity here; they work together, the employee and the guy he was giving the cash to.

Mr. Green: If they’re complicit, that’s a criminal offence, and we will work with the enforcement agencies and the issuing banks to do the right thing, if they were actually a part of the scheme. Mostly they’re not. Mostly it’s use of fraudulent means to present the credit card credential to try to obtain service or goods.

Senator Tkachuk: Do they duplicate? Is the card actually duplicated? In other words, is there a fake card with a number on it that they run through a machine, or does the guy just give them numbers and the guy gives them cash? How does that work?

Mr. Green: There are a lot of counterfeit cards. That’s why moving to EMV and to digital payments over mobile devices provides a new opportunity to reduce the availability of using the counterfeit card. So, yes, counterfeit cards are what they take into stores to actually commit their crimes.

Senator Tkachuk: I’m going to ask a couple of questions on emails, because that’s the way the bad stuff gets into your computer.

I think a lot of people do the same thing I do. I delete everything I don’t absolutely recognize, which means I miss a lot of information I should get because I delete it, and only because I’m afraid of what may happen.

How do we get past that? Do we return to the fax machine to ensure security? There has to be a way. This is becoming more and more prevalent, and I don’t know if there’s a way to stop it. I know what you’re all trying to do and everything else, but the criminal mind is a genius mind and they find ways to do it. If it’s infecting computers, they’re stealing information, they’re blackmailing you, getting your bank records, private pictures you may have, all of that stuff becomes public. Help me out here.

Mr. Smith: My first comment is I would like you to manage my inbox for me, because I’m not good at deleting things.

My second comment is all of the emails you’re getting where there is malicious software, there’s always going to be that link. If you hover over the link, you will see what the URL is, and you will know that URL is not something you want to go anywhere near. It’s usually pretty obvious. So that’s an awareness thing.

We have to be careful not to conflate what happens to individuals with what’s happening to businesses, because they’re somewhat separate. Once a business is compromised, it can be a lot more devastating to that business because it’s also going to affect all their employees.

The other thing we have to remember is many of the security breaches within a business happen because of something internally. Either somebody has clicked the wrong thing or it’s malicious internally. So there needs to be some kind of awareness amongst employers and we need to find tools to combat that.

Your point about the emails and what they look like, they’re getting a lot more sophisticated. Internally, it looks like it’s coming from either your CEO or your finance department, asking you to sign off on something. So it’s not even software anymore; it’s something where they’re actually collecting money for something.

Mr. Green: Seventy per cent of the major breaches you see hitting the headlines are the result of a phishing attack or a spear phishing attack, just like you described. So we have layers of controls to manage and control the email, but still some will get through. There’s a dependency on the employee to do the right thing.

We make sure they clearly say the security of MasterCard isn’t just on the security team. Every individual in this company is responsible for security of MasterCard.

In addition, we’ve recently enabled progressive disciplinary action for those individuals who repeatedly click or infect machines in our environment, subject to termination. So three strikes, you’re out.

The Chair: I have a couple of quick questions before we go to second round, if I may. I’m interested if any of you gentlemen can identify a country you think is best practice in managing these issues now.

Mr. Gordon: There are a variety of ways to look at that. Certainly some countries have invested significantly as a country in developing some technologies. Israel would be a good example, from incubating small companies coming up in the cyber sector. The United States, on the standards side of things, is leading the world. The National Institute for Standards is putting excellent products out and good guidance. Canada actually adopts a lot of those same practices. The United Kingdom is doing some interesting work with blending together what’s provided for by the government on some of the standards of work for small- and medium-sized companies. It’s a blending of those. Pick the best from several of those countries. I think those three are very good.

Mr. Green: The countries Robert described are things that I think about. I think most helpful to me as a protector of an organization are those areas of collaboration between the government and the industry. So I do think within the U.S. the partnership, through things like the FS-ISAC or where government is a heavy player, we, as different companies, bring a lot to the table. It allows us to do things like sending leadership from my team into another company. Canadian Tire is actually a member of the FS-ISAC. We send our leaders into Canadian Tire, understanding what they do to protect their environment. We learn from that. They then send their leaders into our environment to learn from that. There are a lot of opportunities for governments who collaborate closely with industry players, and I think the U.S. does that fairly well.

The Chair: That’s a key takeaway. Thank you very much. That’s helpful.

Mr. Smith: I don’t think I can add anything to that. That was pretty comprehensive.

[Translation]

Senator Dagenais: My question goes to all three witnesses. Do you know how the perpetrators of cyber attacks are able to develop tools to successfully carry out these attacks? Who gives them these tools?

[English]

Mr. Green: They create tools a number of ways. If you look at recent attacks, they leverage things that have been stolen even from nation states. The WannaCry, Petya and NotPetya outbreaks leverage technology stolen from the NSA. Just like we have corporations and companies that come up with new and innovative ways to do things, there are groups who work collectively to create new and innovative ways to take advantage of things. Any time there’s a vulnerability that’s discovered, there’s a period of time that we, as a company, have to mitigate that vulnerability before bad guys work, come up with a means to exploit that at scale, and then try to inflict that on us.

Mr. Gordon: The short answer is it’s become a business now. The cyber attackers are learning from one another. They’re sharing attack techniques back and forth. If they’re successful in attacking one company, they will send that along to everyone else. It’s become a very good industry for them. As Mr. Green was saying, perfecting this is a business model.

Mr. Smith: The last thing I could add — and it was raised earlier — is the weakest link tends to be the pathway to get to the biggest prize. The value chain, where the smallest companies don’t necessarily have the provisions in place to prevent or recognize those attacks have happened and have some kind of actionable intelligence, they end up going through those pathways to the larger companies where they’re network connected. That’s one of the things we need to deal with.

Senator Wetston: I’d like to use the sports analogy here. I see cybersecurity being all about defence. Any offence?

Mr. Smith: There are tools in the chest governments have access to and the Government of Canada now has access to. The Anti-terrorism Act, for instance, that was brought in in 2015 — most people know it as Bill C-51 — provides the opportunity for the RCMP or CSEC to engage in an offensive way on cybercriminals, where they’re actually infecting the criminals. Maybe that’s something we should take better advantage of.

Mr. Gordon: In the legislation that’s currently before Parliament, expanding the powers of CSE in the offensive capability. That would give them the authority to actually undertake some of those operations.

Mr. Green: You’re right. It’s a defensive game. We have to be right all of the time. They only have to be right once. There is an opportunity to work with governments to figure out or delineate where that line is to go offensive. We won’t go on the offensive, but working with government agencies, they could go on the offensive to protect what it is that we have.

Senator Wetston: This question is about cross-border activity. You’re global. We have a lot of cross-border activity in all aspects of our business and financial markets. Are we weaker than the U.S. in cybersecurity? I’m putting you on a limb here. It’s not about fairness, right?

Mr. Green: I’ve grown up in the U.S. and I’ve been in the financial sector for a long time. It suffered so much in the way of attacks that it was forced to Darwinism; it was forced to adapt earlier.

Senator Wetston: I don’t mean to be unfair, but just give us a sense of it. I don’t want to put you on the spot.

The Chair: Now that you have.

Senator Wetston: In a cross-border environment, it would be helpful if we were on the same page or close to having the same capabilities. For MasterCard, which is a global company that does a lot of business, for example, in Canada-U.S. in cross-border transactions, you probably hope for that, I would think.

Mr. Green: There are a lot of advantages to the interconnectedness. Our ability to see the transactions worldwide gives us an ability to protect things that aren’t even in the U.S. For example, with our safety net we can see when an adversary, a hacker, has taken over a processor and is about to launch large cash-out gains. We can see that because we can see it across the globe. Our interconnectedness gives us an advantage to help our customers globally, no matter if they be in Canada, or Africa, or things of that nature.

The Chair: Well handled, Mr. Green.

Gentlemen, that was extremely helpful. You obviously did a lot of preparation to bring you here today and we very much appreciate that, because we’ve taken very good notes of what you’ve said, so thank you very much.

It is my privilege and pleasure to welcome individuals from the International Monetary Fund to brief the Standing Senate Committee on Banking, Trade and Commerce. I have the privilege of welcoming Cheng Hoon Lim, Assistant Director and Mission Chief for Canada, Western Hemisphere Department, International Monetary Fund; and as well, Troy Matheson, Senior Economist and Kotaro Ishi, Senior Economist.

We have had the opportunity to review your recent review on Canada and we’re very interested to hear you comments today, and don’t pull any punches.

The floor is yours.

Cheng Hoon Lim, Assistant Director and Mission Chief for Canada, Western Hemisphere Department, International Monetary Fund: We are delighted to be here this morning to present the IMF’s view on Canada’s growth outlook for 2018-19. Before I jump ahead to that assessment, I think it will be useful to start with a brief recap of what happened in 2017 in terms of economic developments.

The final fourth-quarter data will be released tomorrow but we expect the economy ended 2017 on a high note, with Canada posting a growth rate of almost 3 per cent, the highest among G7 economies. Now the first half of 2017 was stronger than the second half but overall, the positive outcome reflected the confluence of expansionary, fiscal and monetary policies, a strong U.S. economy and stable oil prices.

Private consumption continues to be the main driver of growth. Now we expect the growth momentum to slow in 2018-19 as policy levers tighten. We project GDP growth to moderate to 2.3 per cent in 2018 and 2 per cent in 2019. At these levels, the economy will still be growing above capacity. An important reason is our assumption on U.S. growth. Now, this is important to our baseline projection and we assume the cut in U.S. corporate taxes from 35 per cent to 21 per cent, with immediate expensing of investment, will have a positive demand effect on Canada. The U.S. economy will grow faster and this will increase the demand for Canadian exports and narrow the current deficit. Overall, we expect the U.S. tax cut to contribute roughly 0.3 percentage points to Canadian growth, over 2018-19.

The second important assumption underlying our baseline projection is investment.

Here, we expect non-residential investment to recover. As you know, investment had declined for two consecutive years in 2015-16. Last year was the first year in which business investment resumed. We expect this to gradually recover and the reason we think the recovery would be more gradual is because of uncertainty related to NAFTA and the fact interest rates are likely going to increase over the course of the next two years.

The third assumption underlying our projection is on oil exports. We expect that to remain fairly constant as a share of GDP over the projection horizon. We assume oil prices will fall somewhere in the range of $50 and $60 per barrel, and pipeline and other supply constraints do not significantly impact the spread between the Canadian Western Select price and the global benchmark, WTI. We expect investment in the oil sector next year to remain flat.

Fourth, we expect interest rates to rise in response to inflation pressures. This will slow consumer spending as debt service costs rise. Similarly, we expect higher interest rates with tight macroprudential policies to dampen residential investment.

Last, we assume fiscal policy will remain broadly neutral, with the federal deficit at around less than 1 per cent of GDP.

So this is essentially the gist of our baseline projection for 2018 and 2019. As you can see, in the near term, prospects are bright primarily because of a very strong U.S. economy with positive demand spillovers to Canada.

That being said, there is considerable uncertainty around the outlook, particularly with regard to assumptions on NAFTA, the U.S. tax reform, household debt and the housing market. Let me briefly go through these three potential sources of uncertainty to our outlook.

As you know, the seventh round of NAFTA negotiations is ongoing in Mexico City. Although there has been significant progress in modernizing NAFTA by including developments in digital and e-commerce, several proposals put forward by the U.S. such as minimum U.S. content requirements in the auto sector, eliminating the dispute resolution framework, placing a cap on government procurement and introducing a five-year sunset clause represent major points of contention for the negotiations.

So uncertainty related to NAFTA, whether it’s going to be a good or bad outcome, is already affecting investor sentiment in Canada, and failure to forge a new agreement or have at least as good an outcome as we have today, could impact investment for a much more prolonged period. To summarize what I’ve just said, there’s a downside risk to our projection on investment.

There’s a further source of uncertainty on investment, and that comes from the U.S. tax reform.

While we anticipate the U.S. tax reform will boost the U.S. economy and that will have positive spillovers to Canada from a demand perspective — they will buy more Canadian goods and services — what we have not taken into account in our outlook is there is a possibility certain aspects of the tax reform that go beyond just the tax cuts, there are other aspects that could result in profit or production shifting away from Canada and to the U.S.

These effects are extremely difficult to estimate, but if the net effect of these changes leave Canada less competitive as an investment destination, then we could see an outflow of investment from Canada to the U.S. So this is another downside risk to our investment forecast.

Finally, as I said earlier, consumption has really been the primary engine of growth for the Canadian economy for the past few years. We have seen business investment quite lacklustre, and non-energy exports have not increased to the extent we would have expected, given a depreciation in the Canadian dollar.

So private consumption and residential investment are the main contributors in our growth outlook for 2018-19, and they are a function of the state of the housing market. With household debt continuing to rise — and I think we’ve seen household debt to income rising by 3 percentage points just in 2017 alone; it has now gone up to 173 per cent of disposable income — households become more vulnerable to unemployment or interest rate shocks. So a sharp correction in house prices will reduce housing growth, reduce consumer confidence, raise borrowing costs and lead to lower consumer spending and lower residential investment activity.

If the housing market correction is accompanied by a severe recession, bank balance sheets could be impaired, triggering negative feedback loops in the economy.

This presents another downside risk to our assumption in our growth outlook for 2018-19. The good news is macroprudential policies are beginning to bite and slow down real estate activity, but a significant decline in vulnerability may take several years because of the large stock of outstanding debt.

Let me stop here. We’re happy to take any questions from senators.

The Chair: Thank you very much. A tremendous overview.

Senator Tkachuk: I just have a few questions on household debt in Canada. There seems to be some concern by your organization about Canada’s household debt. I have a couple of questions on that.

Is household debt mostly driven by real estate or is it driven by the purchase of other commodities?

Ms. Lim: It is mainly real estate. Eighty per cent of household debt is essentially mortgage debt and home equity lines of credit, which are lines of credit that households draw on to withdraw equity from the value of houses to spend on education, durable goods and so on. So those two combined make up most of the household debt. It’s related to housing.

Senator Tkachuk: How is that affecting savings rates for Canadians?

Ms. Lim: It has declined to about 4 and a half per cent.

Senator Tkachuk: Is that above normal or normal? Do you think that’s too high or too low?

Ms. Lim: Compared to what we have seen in Canada in the past, it is low.

Senator Tkachuk: Is the debt driven by optimism or is it driven by lack of cash?

Ms. Lim: That’s an interesting question. I don’t think —

Senator Tkachuk: It’s the only question, actually.

Ms. Lim: I think in some respects it’s driven by optimism. Households see house prices going up, so they basically want to get into the game, so to speak. They think if they don’t get into the housing market today, they won’t be able to afford houses in the future.

So given the fact interest rates are so low and have been for the last 10 years, in some sense it is rational for Canadian households to buy property. It has been cheap. Even though the average mortgage has increased in value because house prices have gone up in value, the debt servicing costs, if you look at a chart, have actually declined because interest rates have been so low. More Canadian households can afford more expensive properties because of the low interest rates.

Now, the risk, as I said earlier, is that the high household debt makes the average Canadian household more vulnerable to an unemployment shock or to an interest rate shock. If U.S. long-term bond units go up, for example, that will spill over because Canadian long-term yields are closely tied to U.S. bond yields. With the U.S. economy growing at a much faster rate — they are expanding beyond maximum capacity — that could lead to increases in interest rates in the U.S. and could spill over to Canadian interest rates. So if mortgage rates were to increase, this would change the equation on the debt servicing capacity for Canadian households.

Senator Tkachuk: So when the Bank of Canada comes to visit us here and they issue their report and tell us about how they are concerned about the household debt of Canadians, they’re really stimulating household debt by their monetary easing policy, which has been sort of the way for America and Canada to try to solve the problem of the market crash in 2008. They’re actually stimulating consumers. They’re enticing them to incur more debt because their interest rates are so low, lower than market.

Ms. Lim: Yes, and we’ve seen that not just in Canada but everywhere in the world. That is an appropriate response to unprecedented prices in 2008, when economies around the world, particularly the advanced world, were going into recession. So the right response would be to lower interest rates to stimulate the economy.

Now, in terms of household debt and housing risk, the IMF recommends macroprudential policies as a way to deal with vulnerability from the housing sector. Interest rate policy is to take care of the economy, and macroprudential policy is to take care of financial sector risks that might come from an overextended housing market.

Senator Tkachuk: All I’m saying is governments have tried to fix the problem with monetary easing. As you say, it was the right response, but sooner or later that response has to end. You can’t continue pumping the money out and then all of a sudden worry about the housing crash that’s going to happen because you’re forcing the housing crash to happen. That’s what governments are doing.

Ms. Lim: I think the process has already started. You have seen the Bank of Canada raising the policy rate twice last year because the economy grew by a lot last year. As the economy gains strength, you will see interest rates continuing to rise.

Yes, you’re right. I think as they do that, the incentive to borrow will be reduced.

Senator Tkachuk: Thank you.

Senator Stewart Olsen: Thank you very much for appearing before us. I don’t see as rosy a forecast as perhaps the IMF. I see the downsides as being perhaps a bit more gloomy.

In your report you released summer, you raised concerns about individual Canadian debt levels. You said it was mostly mortgage but as well government and business.

Are you still concerned with that? When you have debt levels such as we have with government — and I’m not 100 per cent sure with business — any changes that push that teeter over to the other side are going to be quite devastating. Do you still have concerns about those other debt levels and could you explain a little bit?

Ms. Lim: Sure. In the report last year, we were mainly concerned with household debt because we think that is the main macro-financial vulnerability for the Canadian economy. When you refer to other debt, I presume you’re referring to the government debt.

At the federal level, the government has actually been very prudent. The debt level, which on a net basis is even lower than the gross debt of about 30 per cent of GDP, is extremely low compared to the benchmark we’ve seen in OECD countries or G7 countries. Our assessment last year essentially said there is some fiscal space for the government to spend more — to invest more in the economy in terms of infrastructure, education and training and to promote innovation. We are not concerned about the level of federal government debt.

I think at the general government level, the debt is bumping at about 90 per cent of GDP. There we would recommend — and we did so in our report last year — that the provinces with high debt levels do take measures to rein in spending and to put that debt on a downward path.

Senator Stewart Olsen: Following up on the provincial debt, my province is heavily in debt. Are you seeing a response to that report by the provinces to reduce their debt?

Ms. Lim: I believe that’s a conversation we will have with them in the next consultation round. I think all provinces we have engaged with understand the problem. They are fully aware of the fiscal position they are in and they’re also aware there are contingent liabilities that are not coming today, but maybe 10 or 20 years from now, from rising health care costs. I don’t think we are preaching something they are not already aware of.

What we would emphasize is perhaps they consider more seriously some fiscal rules in order to inject more discipline in meeting fiscal targets.

Senator Tannas: Do you do anything with respect to per capita growth in the economy? Canada has fairly robust growth in population as a result primarily of immigration, but also I guess for getting the job done a little bit on our own, compared to other countries. Does the growth of the economy when you normalize for population growth change the position of Canada in any way in terms of its ranking in growth in GDP amongst the G7?

Ms. Lim: Essentially, we looked at labour productivity and how labour productivity is affected by demographic changes. We don’t do a ranking, but Canada, like most advanced economies, is facing an aging population. That’s going to continue to weigh on labour productivity growth.

We think it will be important for Canada to invest long-term in education and training to attract skilled immigration in order to address this demographic gap.

That’s the extent to which we’ve done our analysis.

Kotaro, do you want to add anything here?

Senator Tannas: As you look at the U.S. economy, and the extent that it’s growing, are U.S. consumers levering up again? How much of that growth is as a result of rising household debt?

Ms. Lim: I think the U.S. economy had significantly delevered after the 2008 crisis. Although some parts of the housing markets have rebounded, we still don’t see a releveraging in an alarming manner. The recovery we have seen in the U.S. has actually been a rebound of investment in the U.S.

Senator Wetston: I cannot take issue with your assessment, but I do have some discomfort, and have had for quite a while, with respect to the tools that you rely on for your assessment.

I have discussed this issue with other Canadian economists. While I have a great deal of comfort with microeconomics, recently I have more discomfort with macroeconomics and the economic tools and models you rely on. I want to ask a couple of general questions around that.

What’s your track record like in forecasting GDP growth for Canada and the U.S. since the financial crisis? Are you bang on? Have you missed by 1, 2, per cent, half a per cent, which is a lot in an economy? Can you help me with that?

Ms. Lim: You know, we’re terribly sensitive about that.

Senator Wetston: Don’t be, please. There is nothing to be sensitive about.

Ms. Lim: I think as a general point, you’re right. Sometimes we economists tend to rely too much on fancy tools and models. But we realize that. We don’t only rely on models and tools to make projections. We look at a lot of data, we talk to a lot of people and we study surveys before we come to projections.

Now, have we always hit the mark in our projections? No. There was a chart, but I can’t remember the numbers off the top of my head — Troy might know. We had a chart that was shared which showed how the real world economic outlook projections for global growth was revised systemically revised downward, in each publication. So, yes, we have missed our projections. It could be up to 1 percentage point; I can’t remember the exact numbers now. However, I think that is the nature of forecasting.

Senator Wetston: Sure, and I don’t want to put you on the spot because, frankly, I have a lot of respect for the work of the IMF. Central banks and other financial institutions and many other institutions rely on similar models and data. I’m not suggesting that is the case, I’m just trying to understand it in the context of your assessment.

Since the financial crisis, I think you would all agree with me that globally — but I’ll talk about Canada and maybe the U.S. a bit — we have been in uncharted territory. I don’t think we’ve experienced a period of quantitative easing as long, nor have we experienced the impact the financial crisis had on the global economy.

Are we still in uncharted territory, from your perspective? Are you now able to say, based on some of the discussion today in your presentation, as well as the answer to the questions? My own personal belief is I still think we are somewhat in the area of uncharted territory, but that’s just my personal view. I’m wondering what yours would be.

Ms. Lim: In some ways we’re in new uncharted territory with U.S. fiscal stimulus happening at a time when the U.S. economy is operating at full capacity. I think that is a new uncharted territory. We’re not really sure what’s going to happen in terms of the impact of the tectonic change in the U.S. corporate taxation, the impact on investment and on consumption.

Senator Wetston: We understand the monetary policy tools you have at your disposal, and we’ve learned a lot in the financial crisis. We’ve learned a lot about when I think fiscal policy tools are necessary, mostly because monetary policy tools are no longer effective. Have we exhausted monetary policy tools with respect to dealing with matters like the new uncharted territory that we’re entering into?

Ms. Lim: One of the consequences of this uncharted territory, as you put it, is the fact we have pushed monetary policy beyond the zero lower bound. Some central banks in Europe and Japan have used negative interest rates as a policy tool, and Canada, as Troy pointed out, has negative real rates at the present time. We have the toolkit on quantitative easing that has provided a way for central banks to inject liquidity in an unprecedented way.

So all these suggest we haven’t run out of tools per se; we have just become more creative about using them.

The Chair: I have two or three quick questions, if I may, please.

I think my notes must be wrong, but did you say that business investment into Canada will continue to recover?

Ms. Lim: Yes, in the sense they will recover from a low base. Business investment resumed in 2017. The investment figures we’ve seen for the first three quarters suggest a 7 per cent increase, I think, in business investment.

We’re waiting for the final quarter data to be released tomorrow. My guess is investment numbers will be lower in the last quarter so the overall upturn for 2017 will be lower than the 7 per cent we saw in the first three quarters.

What we’re saying is investment is going to continue to recover but, as I said, at a very gradual pace, because of the uncertainty surrounding NAFTA and the impact of other aspects of the U.S. tax reform.

The Chair: That’s interesting, because anecdotally, in my conversations with investors and CEOs across Canada, particularly in the province of Alberta — my home province — I have the very clear sense that investment into Canada at this moment has stopped.

Ms. Lim: It’s not looking good, yes. The FDI numbers came out this morning and show a decline in foreign direct investment. I think for Alberta in particular, investment in the oil and gas sector will probably be flat at best going into 2018.

The Chair: I’m encouraged only in that my notes weren’t incorrect. Thank you very much.

What number are you forecasting to be the price differential per barrel of oil being exported from Canada in 2018?

Ms. Lim: We essentially take what’s currently in the market, which is about a $20 differential, and this has widened significantly.

The Chair: You bet.

My last question is: Are you able to offer any opinion as to what the effects on the Canadian economy would be in terms of our numbers for our potential growth in 2018-19 if there were a complete failure of NAFTA?

Ms. Lim: That’s a tough one. We did some analysis last year where we looked at the impacts of Canada’s going to MFN rates.

If NAFTA is abolished, and Mexico, Canada and the U.S. will have to trade with each other on the MFN tariff rates, we did some simple simulations that shows this will have a negative short-term impact on Canada’s real GDP — the level of GDP — of about 0.4 per cent. But in the long term, consumption and investment will be lower by around 2 per cent, I believe. So there will be a negative impact.

The Chair: Thank you very much.

Are there any other questions around the table?

All that’s left is for me to thank you all very much for doing the work you’ve done and making yourselves available today. I’m hoping you found this to be a pleasant experience, because we’d like to continue this on an annual basis, so you have a number of months to consider.

This was extraordinarily helpful in large part because you’re looking at Canada from the outside in and you don’t have a dog in the race, in that sense. We very much appreciate your insight.

We’re indebted to you.

Ms. Lim: Thank you. It’s been a pleasure.

(The committee adjourned.)