Proceedings of the Standing Senate Committee on
Banking, Trade and Commerce
Issue No. 36 - Evidence - March 21, 2018
OTTAWA, Wednesday, March 21, 2018
The Standing Senate Committee on Banking, Trade and Commerce met this day at 4:18 p.m. to study and report on issues and concerns pertaining to cyber security and cyber fraud.
Senator Douglas Black (Chair) in the chair.
The Chair: Good afternoon and welcome, colleagues, and members of the general public, who are following today’s proceedings of the Standing Senate Committee on Banking, Trade and Commerce here in the room or listening via the Web. My name is Doug Black. I’m a senator from Alberta, and I have the privilege of chairing this committee.
I would like to call upon my colleagues to introduce themselves, starting, please, with Senator Unger.
Senator Unger: I’m Betty Unger from Edmonton, Alberta.
Senator Wallin: Pamela Wallin, senator from Saskatchewan.
Senator Ringuette: Pierrette Ringuette from New Brunswick.
Senator Marwah: Sabi Marwah, Ontario.
Senator Wetston: Howard Wetston, Ontario.
Senator Stewart Olsen: Carolyn Stewart Olsen, New Brunswick.
Senator MacDonald: Michael MacDonald from Nova Scotia.
The Chair: We’re also, as we always are, very ably assisted by our clerk and our analysts from the Library of Parliament.
Today, we are continuing our study on issues and concerns pertaining to cybersecurity and cyber fraud, including cyberthreats to Canada’s financial and commercial sectors, the current state of cybersecurity technologies and cybersecurity measures and regulations in Canada and abroad. I’m pleased to welcome Dr. Florian Kerschbaum, who is the Interim Director of the Cybersecurity and Privacy Institute at the University of Waterloo and an associate professor in the School of Computer Science at that university.
I want to also report to senators that you may recall that Mr. Kerschbaum was scheduled to appear last October, but the meeting was cancelled. So, Doctor, if you can start with your opening statement, after your presentation, we will look forward to questions and answers with you.
Thank you very much for being here.
Florian Kerschbaum, Interim Director, Cybersecurity and Privacy Institute, University of Waterloo: Thank you.
Dear members of the Senate, it is my pleasure to speak to the Standing Senate Committee on Banking, Trade and Commerce on cybersecurity today. I am Associate Professor of Computer Science at the University of Waterloo and director of the university’s institute on cybersecurity and privacy, the Waterloo CPI. I joined the University of Waterloo recently, in January 2017, and before I was working for 11 years at the European software vendor SAP, in Germany.
I want to speak to three issues on the current state of cybersecurity technologies today.
First, the fundamental difficulty of cyberdefence. This means why is it so much harder to defend than attack?
Second, the unfavourable incentives for cybersecurity in industry and government. This means why do companies not invest enough to stop the problem, and how the government may help.
Third, the need for fundamental research and education on cybersecurity challenges. This means why is science a component of the cybersecurity puzzle and how it may help to change the landscape.
Let me start with cyberdefence. It is crucial to understand that cyberdefence is much harder than cyberattack. Whereas the attacker has to find only one vulnerability, the defender has to close all possible attack paths. This imbalance makes the task for the defender much more difficult and necessitates disproportionate investments in cyberdefence compared to the budget available for the attacker.
Our only strategy to deal with the inherent insecurity of computer systems is defence in depth. This means that a system should be protected by multiple layers of security mechanisms: once the attacker has broken one control, there should be another in place to uphold the defence. This is rarely deployed in practice, and I will speak to this next. It is also not fundamentally understood at the scientific level, and I will speak to this later.
If we accept cybersecurity requires significant effort, we can ask: Why are we discussing this at a policy level in this specific committee?
While it is clear from a national level that we want to defend our vital and critical infrastructures from disruptions and theft by attackers in criminal organizations or agents and nation-state actors, markets do not reward good cybersecurity. Cybersecurity is the absence of bad events and not the presence of positive features.
Only niche players compete on security and privacy in their products. Major data breaches have no long-term effect on stock prices or consumer behaviour. In fact, companies have turned their bad cybersecurity into market opportunities, such as identity theft insurance.
As a consequence, companies are not innovating on cybersecurity but only make minimum investments to keep the business going and maintain a perception of privacy. As with the attacking bear, one does not have to outrun the bear but only the competitor. Again, from an outside perspective, it is clear the attacker will catch someone, and from time to time that someone will be in Canada, particularly considering how many bears there are in Canada. My apologies for the joke.
The lack of industrial innovation in cybersecurity is critical. Even when turning to the venture capital market, one is often confronted with the statement “Customers do not pay for security.”
An alternative would be regulation. However, the government’s role in this is unclear. Law enforcement and intelligence agencies are allowing for trivial access to personal data. It is important to understand that this lack of privacy correlates with weak cybersecurity and contradicts defence in-depth. When a government body can access the data, so can a skilled attacker. While this essentially zero-cost access to data clearly facilitates cheaper law enforcement and intelligence, these agencies have been solving crimes and collecting data before there were smartphones and the Internet. Even with strong encryption, it is still possible to intercept the data at the source.
If we accept that the situation of cybersecurity innovation is bleak, we can ask what we can do about it. As a researcher, I see fundamental challenges in overcoming the current situation.
First, much of cybersecurity in practice uses a “break, fix and break again” methodology. Security researchers have discovered attacks which are, in turn, fixed by modifying or patching the system to prevent the specific attack, yet the system is broken again in a short time, often by only a very slightly modified attack.
I see the need for fundamental research that addresses these challenges at the root cause and not only operates at the surface with minimal investment. These challenges to cybersecurity are fundamental scientific challenges that require basic research on the science of cybersecurity. For example, how do we develop secure software in the presence of human programmers? What does it mean to be secure?
If we look beyond Canada’s borders, the United States has established NSA Centers of Academic Excellence and funded many IARPA, Intelligence Advanced Research Projects Activity, programs that enhance fundamental cybersecurity technologies from theoretical concepts to practical usability.
My home country, Germany, has established a Helmholtz national institute, and plans are under way for a Max Planck Institute on the science of cybersecurity.
I argue that without a change in incentives, industry will not step up to these challenges. The University of Waterloo has an internationally recognized profile in cybersecurity. Its newly established Cybersecurity and Privacy Institute, the Waterloo CPI, is well positioned to tackle these challenges using the required interdisciplinary approaches. We have established a first relationship with the Royal Bank of Canada and have about 40 faculty members working on cybersecurity and privacy challenges.
Canada’s research funding is excellent at combining industry interests with scientific objectives, but we may need to do more here. In order for Canada to stay competitive in the science of cybersecurity, seed government funding may be needed, be it in the form of Centres of Excellence or Lighthouse Projects. A national Centre of Excellence could promote Canada’s reputation in cybersecurity research and help educate the necessary personnel for enhanced investment in cybersecurity. The results from basic research can then be used to change the landscape of cybersecurity in Canada’s banking, trade and commerce, for example, by leveraging the next generation of cybersecurity leaders, and overcoming the fundamental challenges we currently face.
The University of Waterloo has many computer-oriented majors at the bachelor’s and master’s level that have cybersecurity as an elective component, but no dedicated computer security major. This may change over time with increased investment by industry and the government. However, we already educate several PhDs in computer security and privacy each year. I am confident the University of Waterloo Cybersecurity and Privacy Institute can play a crucial role in fostering Canada’s cybersecurity education, science and innovation.
The Chair: Thank you very much. We will move to questions. Senator Stewart Olsen, please.
Senator Stewart Olsen: Thank you for being here. I’m very pleased to hear what you’ve had to say. That has been one of the main things I’m questioning on. It really does have to do with the need to train good cybersecurity people, and beginning at a lower level than university. I’m pleased that Waterloo is doing some training, but I do believe there should be a major, and I think we have to push for it.
What are your thoughts on how to encourage this to move forward? Is it a lack of identifying cybersecurity analyst as a job for young people? Bringing it right down to the basics, why did you get into it, or why would young people want to do this? Because we need this, obviously.
Mr. Kerschbaum: Thank you. That’s a very good question.
There are a couple of components to this. First of all, there are certainly a number of jobs that relate to cybersecurity. These jobs usually pay very well, even compared to regular computer science jobs. There is definitely a demand in the labour market. I’m not sure whether or not we need to operate on that level.
Then there is the question of how we can educate people to do this. Cybersecurity is a very multifaceted interdisciplinary problem. One of the challenges the University of Waterloo faces is combining the different skills from the professors on this aspect. The cybersecurity institute may help here. However, when I look at computer science, it may be necessary to strengthen certain aspects of security, for example software or network security, more than we currently have.
The third aspect is what would motivate someone to become a cybersecurity specialist? In my courses, I sometimes talk about the mind of a security specialist, which is very much this notion of trying to find flaws, thinking outside of the box and trying to break things. There are certainly people who are predestined to do this. We may want to foster this maybe even at an earlier stage, as you mentioned.
At the high school level, the first and most important thing is to raise awareness for cybersecurity, to make sure people are not bothered by having to unlock their phone or enter a password but understand this is a necessity in order to protect their data. We are very happy at the University of Waterloo to have that for the undergrad course, which is very popular with the students, but to turn this into a program, additional effort is needed.
Senator Wetston: Thank you for being here today.
I’d like to ask a couple of general questions. Your description of the cybersecurity brain and the people who have that reminds me of the saying, “I don’t want to be an actuary either.” I can’t manage the granular questions in this area, but I’ll ask a couple of general ones.
Obviously, you worked in Germany for a number of years. Germany is a highly industrialized nation with a great deal of science and research. Can you tell me whether or not you believe Germany is much further ahead than Canada with respect to cybersecurity? If so, what would be the basis for you being able to support that point of view?
Mr. Kerschbaum: Let me answer that in two aspects. In the aspect of cybersecurity as a country, I’m probably not the best witness for you. I know that Germany has what is called the BSI, the German computer security institute, which is in the department of state responsible for enhancing the cybersecurity in the government and also for supporting the public sector. However, I’m not the expert to compare that.
Let me go to the second step which I can talk about, namely, research on cybersecurity. In that respect, I think Germany is way ahead. Germany has a couple of centres in cybersecurity that are internationally recognized in the universities at Bochum, Darmstadt and maybe also in Karlsruhe or Munich, whereas in Canada at the international level it is probably only the University of Waterloo. The institutes I mentioned on the fundamental aspects of security research, I think they make it easier for researchers to invest in.
Senator Wetston: Let me ask you a more practical question in the sense of attack and defend. We had some witnesses here previously and I recall asking a question about is it simply about defending as you would in a sport or is it about offence, or attacking. We did get a response. I don’t know if you have had a chance to review the transcript, but maybe you might review what he said.
The reason I’m asking this question — and I don’t mean to pick on Germany here, but obviously you have spent a lot of time in Germany and in this space — is if a German bank was attacked and a Canadian bank was attacked and if the German bank and the Canadian bank went on the offence, who would win? Who would be better prepared to deal with cybersecurity threats? Would it be the German bank or the Canadian bank, or do you know?
Mr. Kerschbaum: I think the banks we are dealing with in Canada are reasonably well prepared to take the topic seriously; so are the German banks. I think they would probably be on a comparable level. If one went to attack and the other one went to attack, I think we would be in a nuclear war and both would lose.
Senator Wetston: That’s reassuring. Thank you.
Senator MacDonald: It’s great to have you here today professor. Like a lot of people my age, I love technology but I don’t always understand it. I use it as much as I can, but security seems to be a concern of everybody now, particularly when you are not well versed and you are a little blinded by it and need some direction. You mention here that customers do not pay for security, but I would think the government should.
We always use BlackBerries around here. I was in the States a few years ago, in a congressman’s office. They had just come back from a trip to China and they were told not to take their iPhones and put them away. The only thing they were able to use was their old BlackBerries, which they dug out and took with them. In Ottawa in the last few years we’ve been given permission to use iPhones. A lot of people are getting away from BlackBerries but I’m not. I’m still with BlackBerry.
Could you comment on this? Is the Government of Canada being maybe a little reckless or sloppy, or is it there is nothing to be concerned about when it comes to the devices we use for communicating?
Mr. Kerschbaum: I think if you are in a responsible role, you have to be very careful. I will use Germany as an example again. Of course, it went to the German news that the NSA was tracking Angela Merkel’s phone. She didn’t use the phone built by the German government for that and they were tracking that phone number.
One must understand there will never be 100 per cent security. However, we also have to understand that we have to care for our security which goes back to the first question. We have to accept some inconvenience like using a BlackBerry instead of an iPhone. There should definitely be some best practices. I believe for members of the government there should be some recommendations about what device you are supposed to use for what purpose, as it was, for example, in the Angela Merkel case.
Senator MacDonald: I want to make sure. The China technology firm Huawei is a huge company and there are concerns about them purchasing high-tech companies in Canada and the United States. The U.S. security people are extremely concerned about it and said that the government should be concerned, yet the response of the Government of Canada is that we should not be concerned. Who would you side with, the U.S. or the Canadian government when it comes to assessing this threat?
Mr. Kerschbaum: Again, it is a difficult question. I’m not inside the company Huawei. I know that the company makes a lot of efforts trying to enhance the security of their products. However, their main development still remains in China. I would assume some intelligence agency has some idea of what is going on in China and I would trust that report.
Senator Marwah: Thank you, Mr. Kerschbaum, for your comments.
First of all, I would like to congratulate the University of Waterloo on their newly established Cybersecurity and Privacy Institute. I think that’s fantastic and they have always been on the leading front of IT.
In your comments, you suggested one of the ways to really make progress or deal with the issue of cybersecurity was incentives. Could you elaborate on what you mean by “incentives” and who should be providing the incentives?
Mr. Kerschbaum: That’s a very good question. As a company, I have to make some profit, so I will build a product that maximizes my profit. Now, if bad cybersecurity doesn’t impact my profit but only appears as a cost, then I will invest less in cybersecurity. So it starts with the awareness of the users that do not select products.
We had the question: If you could choose between an iPhone and a BlackBerry, and you knew that the BlackBerry would be more secure, if you weren’t told to use the BlackBerry, would you use it or would you rather go with the iPhone? So in your consideration, you’re not taking into account the security aspect, but naturally most people would go with the more modern phone, the iPhone. As a company, of course, I have to adjust to this. Now I will build the faster, nicer, better-looking phone with more features and thereby not pay as much attention to cybersecurity.
However, if you look at this from a Canadian perspective, then this is, of course, bad because vital data or data of Canadians might be broken, abused. And therefore, it is very difficult. I don’t want to necessarily propose a solution but these centres of excellence in the U.S. or these research programs or these investments in cybersecurity that are being made, in my opinion, are a response to what I would almost call a market failure in cybersecurity. And therefore, the question is, as a nation or a government, how do we respond to this market failure in some sense?
Maybe we can deal with education and get people more interested in security. Maybe it fixes itself over time. I would not predict that, but we see that other governments are investing in cybersecurity and they take the bill for industry in some sense.
I would assume that this will put some pressure on Canada in the long run. As with the bear, one has to at least outrun the competitor.
Senator Marwah: I’m still confused about where the word “incentives” comes in. Incentives to whom? Are you referring to tax incentives? What incentives are you referring to?
Mr. Kerschbaum: I mean the incentives in an economic sense, to maximize your profit. If you want to maximize your profit, you do not invest as much to achieve a high level of security. The incentives for a company are on spending money somewhere other than security.
Senator Wallin: I have a follow-up related to Senator Marwah’s question about your comments that customers don’t pay for security. So whose role is it to do that? Because it’s a given, it’s a must and it’s necessary, so if you believe it’s government’s role to do that, in our particular case, then we have privacy issues. We have competence issues. We have funding issues.
We have big data operators that are much bigger than our governments, so what’s that next step? You’ve made the case that customers won’t pay and businesses aren’t incented to do it, so where does it fall?
Mr. Kerschbaum: I do think it falls towards the government. There is a need to invest in more cybersecurity, be it in a combination of agencies, in programs to enhance cybersecurity and, of course, for research and education. It is difficult for fundamental cybersecurity researchers to get industry funding. If you have a project that’s very well advanced and is the state of the art where you have an idea that it is high-risk and might leapfrog some of the problems we have, it can be very difficult to find someone willing to partner with you. And then you have to go with more competitive funding programs, whereas my German colleagues can go to the same company and can say, “I have enough money, I will do it for you for free,” and they can work on it.
Senator Wallin: That does raise the question. We’re watching the crisis — I don’t know how else to call it — with big data, Facebook and everything within the last 48 hours, but it’s every day, so they do have the money. Would you envision a tax on these? Government doesn’t have money to pay for this kind of research. It’s a huge, expensive venture. Do you get the money from those guys or how do you see this happening?
Mr. Kerschbaum: I’m not an expert on how to implement this, and I do not necessarily want to impose something but if you spend money you have to collect money.
Senator Tkachuk: I had a number of questions. To go back to what you talked about in the early part of your presentation about the skills needed for cybersecurity, what are the necessary skills at the high school level? What should students be studying if they are interested in this field and what are the best areas to study if they’re interested in this field?
Mr. Kerschbaum: That is a very good question. I think cybersecurity as a field is too early for high school. Usually education starts after you have learned basic programming skills, basic skills in understanding how a computer system works and only then can you dive into the specific aspects of becoming a cybersecurity professional.
However, there is awareness for security where you understand a need for security, that you have to protect your private data, that you decide what you share with Facebook and if you decide what you share, what that means and implies to your data. These kinds of decisions need to be understood, probably even earlier than high school.
Senator Tkachuk: Do they need to know math, physics, what skill level? To be a computer scientist, what do you need to be good at?
Mr. Kerschbaum: It’s basically a combination of math and engineering.
Senator Tkachuk: Physics, geometry, all that stuff? What would you say are the most vulnerable areas in our country to cyberattacks and what are the most dangerous areas to cyberattacks, if you were going to rank one, two, three, four?
Mr. Kerschbaum: That is a very good question. When new products are being developed and deployed for innovation using computers, they usually are deployed with insufficient consideration for security. So if we’re now moving into IoT cities, cities that have sensors and actuators everywhere, I think that there would be a huge risk. With this whole field of Internet of Things, I would rank by far number one.
Most of the IoT devices by now do not have sufficient cybersecurity and we do not understand what the implications of a lot of aspects of cybersecurity will be.
The impacts are huge because they often impact on physical things, whereas if I break into a bank and a lot of money gets lost, I’m probably able to recover bits and bytes somehow. However, if somebody dies, that’s permanent.
Senator Tkachuk: Okay. So the whole technology of driverless vehicles, if what they are talking about is true and what they are trying to do is true, it would seem to be fairly easy to gum up the whole system.
Mr. Kerschbaum: Yes, it probably will be. Even the technologies used, if we think about the machine learning technologies that are underneath this — because I try to sort of understand the world around me in a probabilistic way, in some senses. I try to interpret, does this look like a stop sign? And there are ways of tricking an algorithm that tries to detect a stop sign but will see a speed limit sign. Then problems arise. Particularly if I determine the future threat to computer systems, if we talk about research, then this whole field of machine learning, security and privacy we have not understood at all.
Senator Tkachuk: I have one more question. You talked earlier about companies not having enough incentive or there wasn’t proper incentive because the stock market didn’t sort of react to cybersecurity or a problem. I’m not sure whether Facebook gave away the information, the information was stolen, it was sold by someone inside the system or sold to the profit of the company. Nonetheless, its revelation has caused huge penalties for Facebook on the stock market right now. I don’t know eventually how long that will last. Nonetheless, there was an immediate reaction.
Don’t you think a huge problem, say, in CIBC would cause exactly the same thing? I mean, wouldn’t it be devastating to them if there were tons of accounts revealed through a cyberattack? Because that means people can get into them, I would think.
Mr. Kerschbaum: I certainly assume that it would be newsworthy and that we would hear about it. However, think about when you decide which bank to use. Is your number one decision that I’m going to switch my bank now because my accounts are broken, my balances are the same, so I don’t really feel a monetary impact? If they would lose your balance and not be able to recover it, then you would certainly switch.
The Chair: It’s too late.
Mr. Kerschbaum: Then it’s too late, yes, but if you don’t feel an impact and just your data was stolen, would that be sufficient for you to say, “I will walk 500 metres more to the next ATM”? I am not so sure.
Senator Tkachuk: It would depend. If there were dozens and dozens of accounts that were stolen, you’re darn right I’d be interested in getting my money out of that bank. I think most people would.
Senator Ringuette: On another issue, we heard in this committee about hackers being used, and so far we have not talked about the attackers. We’re assuming that a lot of these hackers don’t have an engineering or computer science degree. Some of them are very young, smart and keen and are able to think outside of the box as you were talking about.
How much effort are we putting into recruiting these inquisitive minds?
Mr. Kerschbaum: There is research and there is an opinion in a large part of the research community on this.
First of all, if you want to become a security professional, you have to have a high standard of ethics. So it is actually very much frowned upon to hire former black hat hackers as security professionals. You have to be very careful. You have to imagine that you’re dealing with someone who might well have attacked you before. Now that he is an insider, how do you know he is not going to attack you from the inside?
Senator Ringuette: No, I’m talking about for research purposes. They know how to break into systems, so they should know how to eliminate the potential of breaking into systems.
Mr. Kerschbaum: Now, there is another piece of research on which there is an assumption that if you are actually skilled at computer sciences and hacking, you work for the good guys. There is also a somewhat hand-waving analysis that if you are not that skilled, it pays for you to be an attacker. So I would assume the skilled people are actually working on the defence or on the good side and you don’t have to become a criminal if you can actually make a living without that.
How to get into the situation again might be one of education, but it is not likely that we have the attackers — I have a train of thought here. The reason why we still see attacks from people who presumably are not as skilled as the defenders is my first point, where I said that cyberdefence is so much more difficult than cyberoffence. It is relatively easy to take a new product like an IoT product and make a class with people who have never done cybersecurity and have them break into these products. I would assume that 10 out of 10 students would be successful if you gave them a little background. However, teaching someone to develop an IoT product able to withstand these attacks, you might need to go to the PhD level.
The Chair: Before we move to the second round, I have a couple of questions arising from what my colleagues have raised with you.
I took from what you said that your fair opinion is the state of research in cybersecurity in Canada would not be as high as other G7 countries. Canada is lagging in research in cybersecurity, I heard you just say.
Mr. Kerschbaum: Definitely compared to the top in the G7.
The Chair: Thank you very much. So let’s look at the U.S., for example, which you mentioned on a couple of occasions. When we talk about these centres of excellence in the U.S., are they affiliated with universities? Are they funded by industry? Help us understand the structure, please, of those organizations.
Mr. Kerschbaum: So these are mostly funded by the government. The government has established centres of excellence that have a clear educational purpose to educate mostly master’s students in cybersecurity and help fund scholarships and professorships in the universities.
Now, there are also funding programs, like from IARPA, for specific cybersecurity technologies. These are open to companies as well, so companies can apply for these, but often universities and companies collaborate.
The Chair: Could you refer us to the names of a couple of institutes in the U.S., these centres of excellence, either now or subsequently?
Mr. Kerschbaum: I’m a graduate of Purdue University, which has the CERIAS institute, and that’s part of the NSA Centres of Excellence.
The Chair: Thank you very much. They have a good basketball team too.
Mr. Kerschbaum: Didn’t they lose?
The Chair: They lost, but it’s still a good team. Okay, thank you very much for that.
Given that Waterloo has the germination, the 40 professionals that you have, could that be enhanced to be a centre of excellence in Canada, and, if so, what would it take to do that?
Mr. Kerschbaum: I think it could, and I think it will take some time and dedication at the University of Waterloo. It might need some additional money for scholarships to attract people, to attract good students to that program and to perhaps fund a couple of specialized additional professorships.
The Chair: Thank you very much. You mentioned something in your comment. I think you called it IRAP or IPAC or something. When I was asking about centres of excellence, you said that there’s a granting program in the U.S. called —
Mr. Kerschbaum: IARPA.
The Chair: I would like to ensure that our analysts have that so that we can see what they are doing.
Last question, if I can: If you are able to, how does the German state work with business on these issues, if you know?
Mr. Kerschbaum: I only know to a small degree, but one of the tasks of German BSI is to give recommendations to companies to evaluate and to have a standard of security. If you want to sell to the government or want to get a seal of approval, you have to meet certain security standards. These are documented. These are updated regularly, and they are something one can refer to.
The Chair: Thank you very much. It’s very helpful.
Senator Ringuette: To further that line of discussion, the ISO certification recognized worldwide, would they be working on a similar certification of cybersecurity for industry?
Mr. Kerschbaum: There are some efforts on, for example, what is called a “software-development lifecycle” that I’m aware of. There are some efforts for certain mechanisms. However, in what the ISO does, its processes, there are what I would call parameters to that process, like some technical things. I will just give you an example: How long does a cryptographic key have to be? That essentially changes over time. So you have to have both. You have to have a process, and you have to have the parameters. At a European level, there is also, for example, the ENISA Institute, which also issues some of those recommendations from time to time on these parameters that you are supposed to employ.
Senator Ringuette: There is work being done at that international level.
Mr. Kerschbaum: There is definitely at the international level, yes.
Senator Wetston: I have a quick follow-up on the educational part. I’m pretty persuaded that science is important, and I’m also persuaded that our world is being run more and more by technology and technological advance. I think we can all agree with that. I hear, from your testimony here, you are more or less making recommendations to this Senate committee, which it, obviously, would consider in its report, but what I’m wondering about is: You’ve probably been in Canada long enough to appreciate the fact that we have underinvested in STEM programs in Canada, and there have been some efforts recently to try to encourage greater education initiatives around STEM programs, which I think is probably essential. I’m not sure whether you agree with that or not, but I suspect you would.
Can you tell me whether or not you believe that advancement in STEM programs would be of some benefit because it could lead to potentially having students and scientists with greater capability in cybersecurity, and would that be a recommendation of yours as well?
Mr. Kerschbaum: Absolutely.
Senator Wetston: Any thoughts on how you might make that happen?
Mr. Kerschbaum: It is a little bit outside of my area of expertise, but let me talk from my personal experience. When I was in high school in Germany, there was no computer science subject. Now, there is a computer science subject that you can take at the higher level of high school. That’s a very good advance. I also think in a lot of cases, this awareness of things, how to deal with these types of technologies, is a very important aspect and data security and privacy should be one of the important aspects.
Of course, a computer is fundamentally a mathematical object, and the more math you understand, the easier it is to understand a computer.
Senator Wetston: So the corporate sector, particularly large public companies and not just in financial services, if you look at large forums like the World Economic Forum, when they meet and present their global view, whether it’s business or other areas, invariably, the CEOs of these international, global public companies would list cybersecurity as one of the major threats to their companies, whether it’s IP or data or financial services or climate change, which isn’t very high on the list as well. If that is the case, are you suggesting that, possibly, we’re not taking it seriously enough to invest in the education side, to invest in security, whether it be at the government level or at the corporate level? Is that your suggestion?
Mr. Kerschbaum: Yes, it is. It’s interesting you mention climate change, which is caused by pollution, as one of the big threats. Of course, without regulation, companies wouldn’t do much in order to prevent pollution. There might be an analogy to cybersecurity here.
The Chair: Very interesting.
Senator Unger: Thank you so much for your presentation.
Earlier in your presentation, you made a reference to AI, artificial intelligence. Would you speak to how closely AI is connected with cybersecurity, autonomous vehicles and so on?
Mr. Kerschbaum: This is a very good question. I particularly like the question because it is a research question. We don’t really know. What I can tell from what I understand about the problem is that there will be new threats due to machine learning, which we don’t understand yet. We don’t understand really what threats there could be. We get more of a glimpse as we go along. Of course there are many benefits to machine learning that we want to preserve, but, at the same time, we want to prevent the threats. In some areas, we might not even have the right tools yet to do this properly. This is one aspect. The other aspect, of course, is that machine learning can also change the landscape of cybersecurity because, if I’m able to, for example, find attacks and replace the attacker using machine learning, then I also need to implement similar measures at the defence level. I’m trying, for example, to undertake some research projects where we can try to identify some of the vulnerabilities using machine learning. So there are a number of levels of interactions between the two topics. All of the levels I just mentioned are not fully understood yet.
Senator Unger: Thank you.
Would you just speak about encryption. Most banks have little signs that they are encrypted. What is the relationship between encryption and more along the lines of passwords, that kind of thing?
Mr. Kerschbaum: The currently deployed encryption is excellent at protecting your data while it’s being transmitted over the Internet or while it is stored on a disk. However, in between, there always is a gap. So the data is being encrypted on your side, sent to the bank, decrypted, processed, encrypted again and stored on disk. In between, that’s where the vulnerabilities currently sit.
Encryption is very strong.
One of my research goals for the last 11 years is trying to close this gap between those two things. It’s still very expensive but theoretically doable. If you would go to something like defence in depth, and we can get encryption somewhat more cost effective in this intermediate step, then we might have a second layer that will help us protect against attacks where somebody breaks in.
Right now, we need different measures. Particularly, we need to protect this space where encryption is not present. The former director of the CERIAS institute at Purdue once said, “Encrypting data over the Internet is like sending money from one bum on a park bench to another bum on a park bench.” There is some truth to this; however, we also need to understand if we wouldn’t have encryption, people probably would have attacked the armoured car in between, which is the encryption that protected us from all of this.
Encryption is effective in mitigating this, but there is always residual risk. That residual risk is currently in this intermediate step where data is not easily encryptable at the moment. We need access to these accounts, like passwords and those things.
There are efforts under way to bring more secure encryption, to replace passwords, for example. There is an initiative called the FIDO Alliance, where you would have a chip to plug into your computer that would replace all of your passwords in a very interesting way. I hope these things find more widespread use. They are implemented in some of the large software vendors’ products, like Google and Microsoft, but I don’t think any of you have come across this. I have one at home.
Again, we need to raise awareness that people actually use these types of tools and carry around this hardware token to replace passwords with cryptography.
The Chair: Professor, you are an excellent witness. You have been helpful to us. We are getting to the end of our study, so our questions are becoming very specific in terms of where we think we might want to go, and you have been very helpful. May I also say that, in my view, Waterloo is very lucky to have you, and I think Canada is lucky to have your expertise in this field. Thank you very much for your contribution today.
Mr. Kerschbaum: Thank you.
The Chair: Before introducing our next panel of witnesses — and we have an outstanding panel — I think it’s useful if we spin around the table so you know the senators you will be interacting with after your presentations.
Senator Tkachuk: I’m Senator Tkachuk from Saskatchewan.
Senator Stewart Olsen: Carolyn Stewart Olsen, New Brunswick.
Senator Wetston: Howard Wetston, Ontario.
Senator Marwah: Sabi Marwah, Ontario.
Senator Black: Doug Black, Alberta.
Senator Ringuette: Pierrette Ringuette from New Brunswick.
Senator Wallin: Pamela Wallin, Saskatchewan.
Senator Unger: Betty Unger, Alberta.
Senator Dagenais: Jean-Guy Dagenais from Quebec.
The Chair: I have the pleasure of introducing to our committee members and those following these proceedings on the web, Colleen Merchant, Director General, National Cyber Security Directorate, at Public Safety Canada; Chief Superintendent Jeff Adam, Acting Assistant Commissioner, Technical Operations, Royal Canadian Mounted Police; and André Boucher, Associate Deputy Chief, IT Security, Communications Security Establishment.
I’m very delighted to have this panel here. You are the last panel we are going to be hearing from on this study, so we have a lot of questions for you, and we hope you have the answers.
We will start with statements, beginning with Ms. Merchant.
Colleen Merchant, Director General, National Cyber Security Directorate, Public Safety Canada: Thank you for inviting Public Safety Canada to speak to you on cybersecurity as it pertains to the recent Budget 2018 announcement.
As you know, Canadians are living in a digital age, and there is no aspect of our lives that has not been affected by digital technology and the Internet. The rate of technological change is continuing unabated.
Digital technology presents tremendous benefits and potential for Canada’s economic prosperity and social development, but like any technology, it has its share of risks and dangers. Cybersecurity is the enabler that allows us to leverage the benefits of the digital age to the fullest while managing its risks.
In recognition of the new digital age, Budget 2018 proposed significant investments of $507.7 million over five years and $108.8 million per year ongoing thereafter to fund a new national cybersecurity strategy.
Today, I would like to talk about how cybersecurity has evolved within Canada, and highlight what we heard through the Cyber Security Review and how it influenced the new strategy and vision for cybersecurity going forward.
Canada’s first cybersecurity strategy was published in 2010 as the government’s plan for defending against cyberthreats. It was built on three pillars: securing Government of Canada systems; partnering to secure vital systems outside the federal government, and helping Canadians to be secure online.
The 2010 strategy represented the Government of Canada’s view of cybersecurity as a defence against multiple cyberthreats. Cybersecurity has evolved, and like many of our allies, it has become a priority for the Government of Canada. The lens through which we now look at cybersecurity is one through which we acknowledge the extent to which digital technologies have become essential to our way of life and how cybersecurity is an essential element of Canadian innovation and prosperity.
Our increasingly interconnected society is one in which all Canadians play an active role in shaping and sustaining our nation’s cyber resilience. To that end, it’s critical that governments, the private sector and academia work together to secure our digital infrastructure, create new opportunities, drive investment and foster leading-edge research and development.
You will likely recall in 2015 the Minister of Public Safety was mandated to lead a review of existing measures to protect Canadians and critical infrastructure from cyberthreats. The goal of the cyber review was to renew Canada’s approach to cybersecurity.
An internal review included a review of federal cybersecurity governance, a review of the protections to Government of Canada systems, and the above-noted evaluation of Canada’s cybersecurity strategy from 2010 to 2015.
Public consultations were conducted throughout 2016. Input was received from all provinces, two territories and internationally. Participants included government officials, the cybersecurity industry, private sector leaders and associations, critical infrastructure owners and operators, law enforcement, academia and engaged Canadians.
Three themes emerged in the review. First, participants expressed concern about the rising threat of cybercrime. There is support for law enforcement to address cybercrime while also protecting privacy in cyberspace.
Second, there is a need for improved cybersecurity skills and knowledge in Canada. Cyber skills shortages in the workforce make it challenging for organizations to improve cybersecurity. Knowledge is needed across all demographics in private and public sectors.
Third, there were calls for federal leadership on cybersecurity in several capacities. This includes clarifying cybersecurity roles, responsibilities and accountability within the federal government, as well as establishing a clear focal point for working with external partners. Stakeholders want the federal government to take a leading role domestically and internationally to foster collaboration among cybersecurity experts, drive investment in the cybersecurity industry, facilitate information sharing, and safeguard rights and freedoms in cyberspace. There were also calls for the federal government to articulate national cybersecurity standards for legislation.
The national cybersecurity strategy responds to the findings of the Cyber Review and introduces a new direction for cybersecurity. The strategy defines three goals to achieve security and prosperity in the digital age. The first is secure and resilient Canadian systems with enhanced capabilities and collaboration with partners; the Government of Canada will better protect Canadians from cybercrime, respond to evolving threats, and help defend critical government and private sector systems. The second is an innovative and adaptive cyber ecosystem. The Government of Canada will support advanced research, foster digital innovation and develop cyber skills and knowledge to position Canada as a global leader in cybersecurity. Third, effective leadership, governance and collaboration. The federal government, in collaboration with provinces, territories and the private sector, will take a leadership role to advance cybersecurity in Canada and will, in coordination with allies, work to shape the international cybersecurity environment in Canada’s favour.
This new approach reflects the dynamic evolution of digital technologies and the extent to which they have become essential to our way of life. It also recognizes that there is enormous potential for Canadian digital innovation and expertise in cybersecurity.
The strategy, which is meant to be a guiding framework, includes numerous initial initiatives. Key among them is a consolidated centre of cybersecurity operations, the Canadian centre for cybersecurity, to be led by the Communications Security Establishment and a national cybercrime coordination unit within the RCMP as a national police service.
I’ll let the respective leads for each of these initiatives speak to them.
From a departmental perspective, Public Safety received roughly $25 million over five years in support of the new strategy. While the allocation of those funds has not yet been fully determined, Public Safety Canada will retain its responsibility for leading national coordination and strategic policy-making on cybersecurity matters. In particular, Public Safety will continue to work with its provincial and territorial partners as well as partners in the federal government, private sector and academia to meet the goals of the new strategy. One of the ways this work will continue to be supported is through a grant and contributions program to encourage research and activities to advance the goals of the strategy.
Public Safety Canada is also seeking funding to deliver a comprehensive risk management approach that will enable critical infrastructure owners and operators to better secure their systems and information.
This approach would involve building upon successful programs that work directly with owners and operators to help build resilience. Owners and operators would have more access to technical training, exercises and network vulnerability assessments, providing the knowledge and skills they need to take action to secure their cyber systems.
Finally, Public Safety Canada will continue to oversee the implementation of the national cybersecurity strategy and measure its progress against the commitments made within. As such, the department will work closely with the new Canadian centre for cybersecurity as well as the national cybercrime coordination unit to ensure our efforts are coordinated and comprehensive as we deliver on this first phase of the strategy.
In closing, I would emphasize that cyberthreats are constantly evolving, and Canada and Canadians need to work to stay ahead of those threats, so that we can continue to benefit from digital technology.
Public Safety enjoys good relationships and frequent interactions with financial institutions across Canada, and we look forward to continuing that collaboration.
Thank you again for the opportunity to speak with you today. I look forward to any questions that you might have.
Chief Superintendent Jeff Adam, Acting Assistant Commissioner, Technical Operations, Royal Canadian Mounted Police: Good afternoon, Mr. Chair and members of the committee. Thank you for inviting the Royal Canadian Mounted Police to speak about cybercrime in Canada and recent initiatives announced in the federal government’s 2018 Budget.
To begin, I would like to take some time to provide the broader context within which the RCMP’s activities relating to cybercrime are taking place.
Cybercrime is a significant public safety and law enforcement issue in Canada and a complex problem that no single organization can resolve. In spite of issues with public underreporting, cybercrime in Canada appears to be increasing. In 2016, nearly 24,000 cybercrimes were reported to Canadian police services, a 58 per cent increase compared to 2014.
Globally, the annual economic costs of cybercrime have been estimated to be in the hundreds of billions of dollars. When it comes to Canada’s financial and commercial sectors, the volume and severity of cybercrime affecting Canadians and businesses has also been increasing significantly.
Cybercrime includes new crimes such as hacking, network intrusions and data theft, which are technology-as-target crimes. It also includes more traditional crimes that take on a new scope and magnitude in cyberspace, such as online fraud scams, money laundering and child sexual exploitation, which we call technology-as-instrument crimes.
As Canada’s national police force, the RCMP has a broad mandate to investigate criminals in the cyber realm resulting in their apprehension or otherwise disrupting their cybercrime activity. Law enforcement activities range from identifying and prioritizing cybercrime threats based on criminal intelligence to investigating and disrupting cybercrime activities to handling digital evidence in support of cybercrime investigations.
For law enforcement, addressing cybercrime requires broad-based domestic and international police cooperation, integrating new technical skills and tools with traditional enforcement measures and engagement with public and private sector organizations, including those within the financial sector. The RCMP cybercrime strategy published in 2015 reflects this role of cyber in several law enforcement areas including national coordination and deconfliction, intelligence collection and analysis, targeted enforcement and investigative action and specialized skills, tools and training.
Despite progress to date, law enforcement has faced significant barriers to combatting cybercrime in Canada. The Canadian policing model is predicated on the assumption that the offender, the victim and the justice system are largely co-located jurisdictionally. However, as we know, most cybercrimes are multi-jurisdictional if not multinational, impacting victims across traditional jurisdictions, leading to uncoordinated law enforcement efforts.
Traditional investigative tools are not designed for the volatility of data nor the fluidity of information pathways in today’s digital environment.
Law enforcement requires a means to gather information and intelligence regardless of jurisdiction, and a mechanism to coordinate investigative efforts. It is not efficient for multiple police services to be allocating scarce investigative resources on the same criminal activity in an isolated fashion. In addition, cybercrime is believed to be underreported and there are varied reporting mechanisms in Canada, which is confusing for the public. This underreporting prevents law enforcement from connecting the dots and responding to cybercrime on a larger coordinated and more targeted scale. Gaps also exist with respect to the RCMP’s capacity to investigate cybercrime limiting its ability to undertake necessary enforcement action.
To address these challenges and bolster Canada’s ability to fight cybercrime, the government recently announced $116 million over five years and $23.2 million per year ongoing devoted to the creation of the RCMP national cybercrime coordination unit.
The unit will be a national police service, stewarded by the RCMP, supporting and working with law enforcement across Canada. It will act as a coordination hub for cybercrime investigations in Canada and will work with international partners on cybercrime. It will provide digital investigative advice and guidance to Canadian law enforcement, undertake intelligence and statistical analysis and forge and maintain strategic partnerships with key stakeholders, including the private sector. The recently announced Canadian Centre for Cyber Security will be a vital partner for the unit. The unit will also establish a national public reporting mechanism for Canadian citizens and businesses to report cybercrime incidents to law enforcement, which will address underreporting of cybercrime and greatly improve law enforcement’s understanding of the nature and scope of cybercrime in Canada.
Through these new investments, the RCMP will play a critical role in advancing Canada’s new National Cyber Security Strategy and will be better positioned to reduce the threat, impact and victimization of cybercrime in Canada.
Thank you for your time. I would be pleased to answer any questions.
The Chair: Thank you. We will now hear from André Boucher, Associate Deputy Chief, IT Security, Communications Security Establishment.
André Boucher, Associate Deputy Chief, IT Security, Communications Security Establishment: Good afternoon, Mr. Chair and members of the committee. I would like to start by thanking the committee for inviting me to speak alongside my colleagues from RCMP and Public Safety. It is a pleasure to appear before you to discuss cybersecurity in Canada. As Associate Deputy Chief for Information Technology Security, this is an issue near and dear to my heart. In the interest of time, and recognizing that CSE has already appeared before you as part of your study, I won’t speak in any detail to CSE’s mission or mandate. Instead, I will briefly elaborate on cybersecurity elements related to CSE that were announced as part of Budget 2018.
As Ms. Merchant described, Budget 2018 announced significant investments in Canada’s cybersecurity, including the newly proposed Canadian centre for cybersecurity.
This new centre will form the centerpiece of the government’s planned cybersecurity strategy to bolster the safety of Canadians and Canadian businesses online. One of the main concepts behind the centre is to concentrate the government’s expertise and cybersecurity tools in one place.
The fact is that most of that expertise is already at CSE. CSE has been in the business of protecting Canada’s most sensitive information for over 70 years. As Canada’s centre of excellence for cyberoperations, CSE will house the Canadian Centre for Cyber Security, bringing together operational expertise from CSE and our colleagues at Public Safety Canada and Shared Services. By consolidating operational cyberexpertise from across the federal government under one roof, the new cybercentre will establish a single, unified Government of Canada source of unique expert advice, guidance, services and support on cybersecurity operational matters, providing Canadian citizens and businesses with a clear and trusted place to turn to for cybersecurity advice.
For Canada, this will mean faster, better coordinated and more coherent government responses to cyberthreats. In addition, it will mean better information flow between the government and private sector partners. This cybercentre will also advance partnerships and dialogue with other jurisdictions, the business community, academia and international partners. Ultimately, it will mean stronger cyberprotection and defence for the government, the private sector and Canadians.
As set out in our earlier appearance, partnerships are key to our success. This is why the newly proposed Canadian Centre for Cyber Security is an exciting step forward for cybersecurity in Canada.
In closing, I would like to once again thank the committee for the opportunity to speak to you this afternoon and I look forward to your questions.
The Chair: Thank you all very much. We will move to questions.
Senator Stewart Olsen: Thank you all for being here. It’s most informative. I’ve come late to this study so forgive me if I ask questions that you’ve been over.
In reviewing what you have said and the budget proposal, I’m curious about the new Canadian centre for cyber security. From what you’re saying, Mr. Boucher, you’re going to be front and centre in this new exercise. How is that going to work with your collaboration and cooperation with the RCMP and different areas? I’m not 100 per cent sure that I understand how you’re going to be able to work with everyone and how much you are going to expand. This is not a lot of money for what I think you’re being asked to do. Can you elaborate on how you see this unfolding?
Mr. Boucher: Thank you for your question. I think the key message in the budget is led by CSE in regrouping elements of the federal entities of cybersecurity. This is a recognition that separate organizations are currently operating in cybersecurity but perhaps not as efficiently or effectively as they could. To your point about the resources, we are taking existing organizations, existing manpower, and bringing them together to create that coherence and do better with the existing resources. That might explain your puzzled question regarding resources.
A lot of good is being done in the federal government today. It has grown out of necessity in different departments. A time came when we realized that there was an entire duplication. There may have been some overlap and friction between these departments, and then the coherence started to disappear. For our clients, whether it be the federal government or partners in the private sector, it became confusing. What’s absolutely central to the announcement is the fact we are now bringing these elements together all in one leadership. As to the how, we need to know the plan and build the centre.
It is reasonable to expect that the very first effort will be focused on bringing the elements together — CSE, Public Safety and Shared Services — and creating harmony between us. Maybe the analogy is then to create a single door for the government.
When it comes to the cybercrime unit and other entities operating in cyber, they will continue to exist, but since we have the opportunity to build a centre together, we can build our activities at the same time and ensure that the synchronicity is there from the ground up.
This is an opportunity to reset and do better with resources that we have in place.
Senator Stewart Olsen: I do understand. My hesitation is there doesn’t seem to be anyone in charge. I don’t think that’s a recipe for success, quite frankly. I think this is going to have to move fairly quickly. It has been announced, and we have to bring this all together fairly quickly. We have no one really designated as in charge, and everyone is going to think they’re in charge. Could you please comment a bit on that?
Mr. Boucher: Absolutely. I would say that CSE certainly feels in charge of the portion apportioned to us.
Senator Stewart Olsen: A portion.
Mr. Boucher: Absolutely. And I think it’s inevitable for the community to work together.
An Hon. Senator: What’s your portion?
Mr. Boucher: The integration of the CSE activities in cybersecurity with the Public Safety CCIRC activities and the Government of Canada’s security operations centres at Shared Services. That’s a significant amount of resources which currently coexist.
We know we are responsible to bring this element together, and I think we are going to do a surprising amount of work just by creating this team approach.
Senator Stewart Olsen: Ms. Merchant, in your presentation, one of the key points was education and encouraging education to provide us with the expertise that we’re going to need as we develop this grant, but I didn’t hear anything in your presentation about how you will do that.
We have all kinds of centres of excellence in academics, et cetera, but those people, they’re already the experts, and we don’t have enough of them. What are you looking at, and how will you move forward to develop this?
Ms. Merchant: There are many things that we’re already doing that we will be looking to enhance. For example, we work very closely with academic institutions as they build new and exciting programs around cybersecurity, and we have our grants and contributions program which many universities take advantage of. We’ve had Ryerson and a few others that have taken advantage of that funding to perform research, build into their academic baseline some of these skill sets that we’re looking for.
In addition, education and skills development at a level lower than universities and so forth, that is the purview of the provinces and territories.
As I had mentioned, something that will be extremely important to us is to not just continue those relationships with the provinces and territories so that we’re collectively moving in the same direction toward the same priorities in academics and skills development, but to enhance what we’re already doing and through the grants and contributions program funnel some of this direction to the universities, to the lower levels of education.
I do want to point out in the cybersecurity review, we heard loud and clear that it would be very important for us to consider how we get those skills developing, even at the elementary level. So that is something we’re very sensitive to.
Senator Stewart Olsen: Thank you.
Senator Wallin: Thank you for being here today. When you talked about the $500 million over five years on a national cybersecurity strategy, as I listened to you, what I heard is that you’re constructing a framework, a bureaucracy, who talks to whom, when, how, and you’re talking about the issue. Is there any portion of that money that actually goes to tools, equipment, monitoring, or is this just setting up a framework?
Ms. Merchant: In terms of the strategy itself, there are two different things. There is the strategy itself, which lays out the three goals we want to move to, and then there was the funding associated with the initiatives to deliver on the strategy.
Senator Wallin: Give me an example of one of those things.
Ms. Merchant: The initiatives? The cyber centre or the national cybercrime coordination unit.
Senator Wallin: Are those funded? When you have a unit, does the money actually pay salaries, buy equipment? I’m trying to see where that money actually goes.
Mr. Adam: The funding for the national coordination unit will need an IM/IT infrastructure behind it so that the public can report the cybercrime in an easy, public-facing fashion. We will need the analytics behind that, which will then drive how we respond.
Right now, we have no idea what’s happening across Canada, for example. To be able to coordinate what is going on in Canada with our international allies that say, “Are you having this problem?” and we say, “Maybe”, we don’t know, and we try to find out.
Part of the money coming to the RCMP will be in support of cyber investigative teams. It’s proposed that we’ll have two —
Senator Wallin: These are actual people with paycheques?
Mr. Adam: These are people with paycheques, comprised of investigators, and technical expertise which comes from the technical operations world. So there is a law enforcement response built into this.
Senator Wallin: I ask about that, because I want to come back to the question we were discussing with our earlier witness today, which is who should be responsible for this. I will put the question this way: Can the Canadian government afford to secure itself and protect Canadians against security threats?
I know we don’t really know the degree of the threat, but how do you fund that? When you look at Facebook losing $50 billion in 48 hours and then you look at $108 million, we’re not in the same league. Can it be government’s job, and if so, how would that possibly be funded?
Ms. Merchant: In terms of the funding, I’d like to have an answer for that myself. But in terms of whether the government can do all of this, absolutely not. The federal government can’t, and that’s why partnerships are so important. And it’s not just partnerships — federal government to provinces and territories or federal government to the private sector, critical infrastructure owners and operators — it’s amongst all of us.
What we heard from the review was that these organizations or these entities are looking for a leader. Who is going to be the force multiplier? Who is going to get out there and figure out the best partnerships, the best way to connect the needs with those who can supply some of the answers? Obviously that’s kind of the step that we’re taking with the new cybersecurity strategy.
Mr. Boucher: If I may add to this. The government has a responsibility to protect itself today and it is doing so. There is already a large amount of money being spent protecting the government.
This money helps us bring together those pieces and create that efficiency and effectiveness that perhaps we could do better at, and not become victims and not make the news like private sector companies have done this week.
So these numbers are not the only numbers, and it’s important to remember that.
Senator Wallin: I realize that. But you’re talking about protecting government, and I did have a second part of the question which you can answer in the course of other questions, which is: What about Canadians?
Senator Dagenais: I have a supplementary question for Mr. Adam about budgets. Over the past five years, the RCMP has inherited a number of mandates, including the fight against terrorism and cybercrime. Can you give us an overview of the change in your staff over the past five years and in the number of individuals who will be mobilized in the cybercrime file? You are relocating staff to use some people to fight cybercrime and others to fight terrorism.
The investigations unit can be overlooked because I assume it requires more people and a bigger budget. Are you being given a bigger budget and more employees, or are you only relocating people, which may inadvertently lead to some files being overlooked?
Mr. Adam: It’s a well-known fact we are in the hole on investigators. We are recruiting as fast as we can to maintain the level which we are funded at. There will never ever be enough money for police to catch every single criminal, every single speeder; not possible.
So we, within the RCMP, must prioritize our activities based on the greatest threats to both public safety and to Canadians, including the economy.
There have been times where we have had to respond in one direction, trying to leverage and average those out. In this case, this is not just for the RCMP, although the funding is directed at the RCMP at this time. I am currently the chair of the Canadian Association of Chiefs of Police’s Electronic Crime Committee. One of the subcommittees reporting to me is cyber, so that is the law enforcement of Canada trying to figure out how to address cyber, right to the detachment grassroots level. And it is not necessarily a new type of crime, like terrorism was. This is a new way criminal activity is happening.
While it may appear, if you turn your head and think of cyber as a thing, that most of the criminality is just using cyber vectors to conduct their criminal activities, it’s not really a change in how or what we’re doing; it’s a change in how we’re doing it. Some other initiatives we are looking at are — and I speak frankly — do I need a gun to investigate cybercrime? Frankly, it’s nice to have, but I don’t need one.
We are looking at changing how we do business on that investigative frontier where the perpetrators could be anywhere in the world and they may be, for all intents and purposes, kids that have never left the basement of their mother’s house.
So we have to change how we look at how we investigate, who we investigate with, and what is the outcome of an investigation. To answer your question the long way, we’re getting two new teams, new analysts and new abilities to analyze what’s happening, to direct our efforts in the best way we can.
Senator Dagenais: Is anything set aside in Budget 2018 for your staff?
Mr. Adam: What we got was, in part, what we asked for.
Senator Tkachuk: I just have a couple of questions. Ms. Merchant and Mr. Boucher, do you have a background in cybersecurity?
Ms. Merchant: My academic background is in aerospace engineering and I have a graduate degree in theoretical physics. However, I have worked in cybersecurity for many years.
Mr. Boucher: Thank you for the question. I have a bachelor’s degree in computer science, a master’s degree in software engineering, a graduate degree in defence studies. I spent 32 years in the military, of which the last 15 years have been focused on cybersecurity.
I’ve been in the Communications Security Establishment for five years.
Senator Tkachuk: You have no idea how that makes me feel better. I’m a little confused because Ms. Merchant is the director general of the National Cyber Security Directorate, and then we have the Communications Security Establishment.
Are you interrelating? Who is the boss? Who is in charge of all this? Are you in charge? Is Ms. Merchant in charge?
Ms. Merchant: “In charge” is a very loose term. In the Canadian government, I really honestly believe that it works better inside than it looks like from the outside. There are at least 14 departments and agencies with a direct influence or responsibility related to cybersecurity, so it depends on each minister’s mandate and their responsibilities under the relative acts of the ministries. But Public Safety has been accorded the responsibility to coordinate amongst those departments and agencies, and also externally within the private sector as required in the event of an incident.
So both for policy matters and for operational incident matters, we have a coordinating role at this point in time. And I say “at this point in time” because for the operational piece, incident management piece, that will transfer to the centre when it is created.
Senator Tkachuk: I don’t know for sure if there is, and you’re going to tell me, but is there a unit in Canada Revenue? There are probably people interested in cybersecurity in CPP, I would think, where personal information can potentially be taken, or perhaps National Defence. Is that kind of the way it’s structured?
Ms. Merchant: How it is structured, in general, is that every department is responsible for securing the sensitive information and personal information it’s dealing with, and that’s dealt with through the Office of the Privacy Commissioner.
In terms of cybersecurity, there are departments. We have 10 critical infrastructure sectors and there are departments who have a responsibility for those critical infrastructure sectors, for example, Transport Canada for transportation, Natural Resources Canada for energy and so on. So those 10 departments are interested in cybersecurity from a critical infrastructure perspective.
In addition, you’ve got departments such as Global Affairs where they have a vested interest. For example, the Budapest convention on crime that Jeff had mentioned is something that is international. We want like-minded countries to gather and be a part of this so that we can work internationally. Global Affairs would be responsible for those types of things.
Then we have the Department of National Defence, which is responsible for the military aspects of cybersecurity, both domestically and internationally and the Communications Security Establishment, for example. There are many departments involved from many different perspectives and it does require a close coordination.
Senator Tkachuk: What do you see as the greatest threat? Is it domestic, is it foreign governments? Where do you think the greatest threat is to attacking government systems? We’ve had a lot of debate about this. There has to be something that worries you guys and that you spend a lot of time on.
Mr. Boucher: There are a lot of things that worry us. If I complement Colleen’s description, at the operational level you have a number of departments protecting themselves, defending themselves, integrated together. Most are under the umbrella of Shared Services, which is also monitoring and defending themselves, and wrapping this together is CSE, monitoring and detecting for bad actors.
I would say our biggest threat frankly is — but we’re about to fix it — the seams between these entities. There are a lot of seams and entities and currently we are exposed because of these seams, and the more we bring these seams together, the less exposed we are and the more we have a bubble we create, and a better chance we have to detect and respond.
Who are the threat actors of concern? There is a myriad of threat actors and we have to characterize them to better understand their attitudes and how they will operate, what they are interested in, their likely motivations. They range from the basement kids who want to show their friends that they can, all the way to state actors who are well organized and well resourced.
In the range between these two entities is a spectrum including cybercriminals and those activists who are motivated by a vision of the world that is alternative to ours, so all of these have not only different intent but also different capacities. But I would say we are worried because many of these negative cybercapacities are becoming commercially available. You do not have to be as sophisticated as you used to be to create a grave impact.
Senator Wetston: To follow up on Senator Tkachuk, there are a lot of seams in the country, not just federally, and what are you able to accomplish when all of the provinces are also dealing with cybersecurity issues? How do you propose to interface with the provinces? And, of course, Mr. Adam, you obviously need to do that regularly on a law enforcement basis.
Can you give me insight as to how this strategy, in some way or another, might assist, influence the ability of the provinces to also be able to respond to cybersecurity threats?
Ms. Merchant: Within Public Safety Canada, since we do this broad coordination role, we have what we call “sector networks.” I will start small. We start with a sector, and this is where we get together with members of the federal government, provinces and territories and the private sector, within that sector, to exchange information and make best use of all the collective knowledge within that sector.
We also have a multi-sector forum where we gather all 10 of the critical infrastructure sectors — the federal government, provinces and territories and the private sector — so that between the sectors they can share information and best practices. Our deputy minister is a co-chair of the national cross-sector forum, which gets together the CEOs of associations representing all 10 sectors; so in a more formalized fashion is how we work together.
In something that’s much more optional, Public Safety houses the Canadian Cyber Incident Response Centre, CSIRC, and they came in October and talked to this committee.
CSIRC has partnerships with provinces and territories and with critical infrastructure. That is a construct. It is a one-stop shop where they can not only report incidents or provide, in an anonymous way, malware or problems on their network, where it is anonymized, but where CSIRC is then able to issue reports or alerts or warnings to the broad partnership, which is over 1,200 various entities.
There are operational mechanisms to share information on short notice such that the whole community can deal with incidents, issues or threats. Then there is a more formalized way to get up through the management structure, the bureaucratic structure, of all of the provinces, territories and critical infrastructure sectors.
Mr. Boucher: Take CSIRC and the experts in the federal government, bring them together in a cyber centre, a new place, where you open your doors — and it goes to Senator Wallin’s question — to private sector entities, to Canadians, citizens, to small firms, and you can share this knowledge about cybersecurity, about the threat and the measures you can take, and share that expertise and create the workforce and the tools and do it together.
That’s the vision of the cyber centre where we create this place to bring these folks together.
Senator Wetston: We have heard from other witnesses who we are a bit behind in the establishment of this kind of centre. I will not ask you to comment because you will probably disagree, but that’s fine. Read the transcripts.
Is CSIS excluded from the national cybersecurity strategy? Are they getting any of this largess being spread among the entities before us today? According to Senator Stewart Olsen, it is not enough money. We have heard that.
Ms. Merchant: Aside from what has already been announced in the budget, we have to wait to see what further detailing there is within the funding that was allocated to other initiatives.
Senator Wetston: Chief superintendent, have you ever prosecuted anyone in this space yet, for cybersecurity?
Mr. Adam: Yes, I have.
Senator Wetston: Has there been a significant number?
Mr. Adam: When I was prosecuting in New Brunswick, and working as the first member in the Atlantic provinces of the Technological Crime Unit — that was me — and Mr. Cabana was in Proceeds of Crime at the time.
Senator Wetston: I did some work with him.
Mr. Adam: Excellent. My time there was just a couple of years before I moved out. Most of my work was about digital forensic recovery in support of other crimes, or to get evidence off of computers. However, there were two cases that I’m aware of where one was a hacker selling passwords and the other one was someone who had wiped out a web space of a company in the States.
Senator Wetston: Thank you very much.
Senator Ringuette: The half billion dollars — you’ve talked about sharing knowledge and so forth — are you going to have a portion of these funds leveraged with the private sector for research purposes?
Ms. Merchant: For us that comes through our grants and contributions program, which is open to provinces, territories, the private sector and academia.
Senator Ringuette: The purpose of creating this bubble and this communication of knowledge and problem issues, could you not use that as a trigger point for developing funding research for that problem issue as you move along?
Mr. Boucher: That is already being done now. At CSE, we are already encouraging private partnerships. The issue is not about finding resources, but about finding and correctly identifying the problem and bringing together academics.
Senator Ringuette: So what you are creating should help you identify the problem.
Mr. Boucher: Yes.
Senator Ringuette: Okay.
We have Health Canada that labels what is in the food that we consume. We have the electrical stuff, the CSA, with the appliances that we use. Is there any project in Canada to help Canadian consumers when they buy phones or laptops, a rating system in respect to cybersecurity?
Ms. Merchant: There is an entity in New Brunswick called Cyber New Brunswick, and they have promoted something called “cyber essentials.” I believe it is starting to get off the ground. It’s a way in which companies or manufacturers can have a certification applied to their product.
Senator Tkachuk: I think she knew that.
Senator Ringuette: You can understand the synergy I have with my constituency, though.
Ms. Merchant: Yes. I want to mention that something we had heard through the review, as I had mentioned in my notes, is that there is a desire for legislation, standards or guidelines that would help consumers and would help the accessibility of these products to consumers. That’s something we are aware of and are taking into consideration.
Senator Ringuette: Into consideration to do what?
We’re talking about cybersecurity for government apparatus and the private sector, but the citizens out there and consumers of these Wi-Fi products and all the technical gadgets that we buy.
Ms. Merchant: ISED is very interested in this particular topic.
Senator Ringuette: Are they part of your bubble?
Ms. Merchant: Which bubble?
Senator Ringuette: Mr. Boucher’s bubble.
Mr. Boucher: They are definitely among the people with whom we develop great ideas we mean to use to move forward. The problem is that some things may still be in development and have not been announced yet. We will have more material to provide over the coming months. These types of ideas are definitely at the forefront of our discussions.
Senator Dagenais: I have a second question for Mr. Adam. Just before you, a specialist from the University of Waterloo talked to us about very interesting and advanced research being conducted at the university. If I were a hacker, why wouldn’t I enrol as a student at the University of Waterloo to stay abreast of what is happening? Are any security actions performed to avoid the piracy of our knowledge and of what is being taught at universities?
Mr. Adam: We have trouble security clearing our own folks without considering university students.
In fairness, I would hope the universities are cognizant of the students to whom they give some of this information, but frankly I think if they are registered at the university then, frankly, they should have access.
We, like our partners, also engage universities to do research projects, but we do security clear the students. We do work with the instructors and we do partition the information that the student gets access to. There is no guarantee ever of anyone not going pirate, but our experience has not been that that’s the case. There is nothing to stop anyone from learning anything, anywhere and then using it for criminal ends.
Senator Dagenais: Thank you, Mr. Adam.
Senator Marwah: It’s really quite reassuring to hear all the activities that are taking place, but I think each of you has mentioned this is a highly evolving and rapidly developing space. Given that, how do you fight the war for talent? All the kids want to go work for start-ups or Google or Facebook, notwithstanding their problems.
Another way to put it is: What percentage of your budgets would be recruitment, training and research so you can keep abreast of what is going on?
Mr. Boucher: I can certainly start for CSE, because we have on-the-ground experience today.
It should not surprise you that Canadians are driven by things other than money. So the appeal of start-ups and the appeal of a life on the West Coast of any country certainly attracts an individual, but the noble cause of being here, defending the nation and ensuring the security and safety of Canadians also attracts some back.
It is CSE’s experience that we do lose some really good talent at times. I’m proud to say that oftentimes they do come back, because the appeal of working for someone else’s revenue quickly fades and once you have the sports car and the nice apartment, you realize you are lacking meaning in life. They literally come back.
This is a point of success, today. I won’t lie; it is a constant challenge and we need to keep offering a place of employment that is attractive to young people, that adapts to the changing cultures of the younger generations, that keeps pace with technology and offers constant training and so on, and I think you are very much aware of that. It is on us to offer the environment. I apologize, I do not have the numbers for how much we resource this effort.
Senator Marwah: Is it a small, medium or large number? Is there any sense? Would it be 5 per cent of your budget, or 25 per cent?
Mr. Boucher: I will have to come back with the number.
Senator Marwah: I would like to know what the number is.
Mr. Boucher: It is a successful amount.
Mr. Adam: I can give you an estimate for the total recruiting efforts of the RCMP but that is not specifically tailored to meet the needs of a small technical contingent that wouldn’t necessarily need to go through Depot.
I do have a permanent resource tasked with recruiting for technological purposes across Canada. Like my friend said, what the RCMP does offer the students comes in two different ways. On the engineering side, instead of working for a big company where they’re producing one small aspect of an entire component, our employees are working from the start in the design and conceptual stage right to the deployment of a sharp-end tool in the field. That gives them a great deal of gratification as well.
The additional thing we have is called handcuffs. Not that we handcuff our people. What we do is we put handcuffs on bad guys. If we can, we attribute the efforts of any single person within the civilian corps working for engineers, technicians, cyber-fighters and hackers, et cetera, to an arrest, and we make a big deal about it, because the uniqueness that we offer to any employee is to catch a bad guy. It’s very successful in the retention of our employees, those who are driven by that.
Ms. Merchant: I interact a lot internationally with our allies and so forth, and this is not a unique problem in any way, shape or form. One of the things we’re finding is that we need to start influencing the youth at a very young age because the more we are interconnected and the more things are relying on this digital technology — our financial systems are going to a digital monetary basis and we are going to automated vehicles — there are several things that are coming in the future where we will need more people who are savvy in this area.
We are reaching out to private sector companies and non-profits who do make it their mission to incite in very young people and children this interest and love of digital technologies in every way, shape or form. It’s not just the technology piece. We need lawyers who are savvy in this and people who understand accounting. Cyber-insurance is mind-boggling. It’s not just a technology piece.
Senator Stewart Olsen: Why can’t you start seconding from different areas? You will be taking up a lot of the responsibilities of different departments, such as FINTRAC. I would think the people who work in FINTRAC would already be half-developed on the investigative aspect.
I would think that as you pull together, the funding should also come from the different departments into this centre. Have you given any thought to perhaps seconding our own people that we have a foot up with? I know it would be a fight but still, I think that would be a very good way to go forward.
Ms. Merchant: Well, from my perspective, what I see across the departments is that we rely very heavily on secondments and assignments between departments to build the expertise and to better understand how all these moving pieces fit together. It’s a critical tool in our toolbox.
The Chair: I want to thank you all very much. This has been extremely helpful to us and we are very appreciative that you are as focused on this issue as you are, because we’ve come to learn, as you obviously know, this is a substantial threat not only to government, but to business. We obviously need to protect our country from that kind of threat. Thank you for what you do and thank you for being here today.