Proceedings of the Standing Senate Committee on
Banking, Trade and Commerce
Issue No. 37 - Evidence - March 28, 2018
OTTAWA, Wednesday, March 28, 2018
The Standing Senate Committee on Banking, Trade and Commerce met this day at 4:15 p.m. to study and report on issues and concerns pertaining to cyber security and cyber fraud; and in camera, for the consideration of a draft agenda (future business).
Senator Douglas Black (Chair) in the chair.
The Chair: Good afternoon and welcome, colleagues, and members of the general public who are following today’s proceedings of the Standing Senate Committee on Banking, Trade and Commerce either here in the room or listening via the web.
My name is Doug Black. I’m a senator from Alberta, and I have the privilege of chairing this committee.
I would like senators who are with us now to introduce themselves to our guest, please, and then we will introduce the guest to senators.
Senator Marwah: Sabi Marwah, senator from Ontario.
Senator Wallin: Pamela Wallin, senator from Saskatchewan.
Senator Ringuette: I am Pierrette Ringuette from New Brunswick.
Senator Tannas: Scott Tannas from Alberta.
Senator Dagenais: I am Jean-Guy Dagenais from Quebec.
Senator Wetston: Howard Wetston from Ontario.
The Chair: Today we are finalizing our study on issues and concerns pertaining to cybersecurity and cyber fraud, including cyber-threats to Canada’s financial and commercial sectors; the current state of cybersecurity technologies and cybersecurity measures and regulations in Canada and abroad.
Before introducing our guest, honourable senators, just to let you know, and also to share with you, Dr. Ghorbani, that because of votes in the Senate, we’re getting right under way, and we are, unfortunately, going to have to wrap this up 35 minutes from now. I know you have five or so minutes of introductory comments, and they will just ensure our questions are directed.
May I introduce to the committee Dr. Ali Ghorbani, Director, Canadian Institute for Cybersecurity at the University of New Brunswick joining us via video conference. Dr. Ghorbani has held a variety of positions in academia over the past 35 years and is currently also the Canada Research Chair, Tier 1, in Cybersecurity, as well as the Dean of the Faculty of Computer Science since 2008.
Dr. Ghorbani, we welcome you to the committee. We are looking forward to your presentation. I would ask you to commence with your statement, please.
Ali Ghorbani, Director, Canadian Institute for Cybersecurity, University of New Brunswick: Thank you, Mr. Chair. Members of the Senate committee, good afternoon. Thank you for inviting the Canadian Institute for Cybersecurity at the University of New Brunswick to speak today about cybersecurity.
There is an unprecedented growth in anything cyber, including cybersecurity and cyber analytics. The worldwide cybersecurity market is large and growing, with a market size estimated to reach $170 billion by 2020. The size of the market is a response to the rising global cost of cyberattacks, which is expected to grow to $2.1 trillion by 2020. It is predicted the global cybersecurity workforce will fall short by 1.8 million workers by 2022. As a consequence, there is an intense interest in the development of new-generation cybersecurity solutions and the training of highly skilled cybersecurity professionals.
New Brunswick is strategically focusing on technological innovation in cybersecurity. Since 2000, the University of New Brunswick has played an important role in the success of cybersecurity research and innovation in Canada. Currently, UNB has, by far, the largest network security research group in Canada, and is well positioned to seize the opportunity to lead this effort through the Canadian Institute for Cybersecurity.
The institute is currently working with industry and provincial and federal governments to establish Canada’s leadership as a world-class cybersecurity hub for innovation and talent development.
Cybersecurity and privacy, once issues only for technology experts, have become widespread concerns in business and society. Cybersecurity is no longer just an IT problem. It is a business problem; it is everyone’s problem. The weakest link in cybersecurity is now people, not devices. As such, the human factor is considered the biggest threat to cyber safety. Therefore, we strongly believe that cybersecurity requires multidisciplinary and human-centric solutions.
CIC is the first institution at UNB to bring together researchers from across the academic spectrum to share innovative ideas and carry out groundbreaking research. The institute focuses on comprehensive multidisciplinary training, research and entrepreneur activities that draw on the expertise of researchers in science, mathematics, business, computer science, engineering, education, law and the social sciences. Currently, the institute has a team of nearly 50 researchers, technical staff and graduate students, and state-of-the-art infrastructure.
Training and education in cybersecurity fall far short of current needs and what will be required in the future. The current cybersecurity skills shortage in Canada leaves the public and private sectors and government vulnerable. CIC trains highly qualified personnel skilled in cybersecurity and privacy, and offers training programs that meet the true cybersecurity needs of the private and public sectors.
The science of cybersecurity is about managing risks and avoiding surprises. We view cybersecurity as a practical problem that requires practical solutions. UNB was among the first to recognize cybersecurity as an industry, and it promoted the creation of Q1 Labs Inc. in 2001, which was acquired by IBM in 2011.
Today cybercrime is on the rise and no organization is totally immune from cyberattacks. Health care, financial services and governments top the list of targets for cybercriminals. It is believed that a high percentage of cyberattacks are due to insiders, mostly due to human error, such as falling for phishing attacks. According to the national fraud survey, in the United States alone, internal attacks cost approximately $400 billion per year, and $348 billion can be tied directly to users.
Therefore, monitoring and managing users’ actions are paramount to cybersecurity and compliance reporting. CIC is currently developing a people-centric cybersecurity solution to address insider, as well as outsider, malicious activities.
The institute is involved in educating the public and the private sector through events, workshops and talks to raise awareness about the importance of cybersecurity and how to stay safe online.
Finally, cybersecurity issues are often technical in nature. Legislation and regulatory policies are emerging as important aspects requiring the collaboration and involvement of the public and private sectors.
Thank you again for inviting me to be with you here today, and I look forward to your questions.
The Chair: Thank you very much, Dr. Ghorbani. Before we turn to questions, congratulations to you for the work you’re doing at UNB. It is very impressive, and I’m looking forward to exploring that a little bit through the questions of my colleagues. We’re going to start with Senator Marwah.
Senator Marwah: Thank you, Mr. Ghorbani, for your comments. I must congratulate you and the University of New Brunswick. You’re well ahead of the curve when it comes to cybersecurity and related issues.
Mr. Ghorbani, one of the comments you made late in your speech is that the legislative and regulatory policies are emerging as important aspects that should involve the private and public sector. Could you elaborate in terms of which legislative or regulatory policies you believe need to be modernized and brought into the 21st century, or if there are any new policies, both legislative and regulatory, that are lacking and that need to be put in place to help to advance the field of cyber?
Mr. Ghorbani: One of the things that I have felt over time needs to be looked at is that small and large companies have to comply with certain regulations when they establish their operations. Right now we have all sorts of regulatory requirements for a company to be established, but we don’t have anything there that identifies how a company’s data and infrastructure should be secured, nor any evidence the company provides that they have looked into acquiring the technologies and solutions that safeguard their data, as well as their operations and the people that work in their company. Right now there is no certificate of some sort that identifies that the company truly has in place all the required solutions and technologies in order to safeguard their own operations, as well as the operations of others who may interact with them.
This is what I meant by not having anything at this time and that, therefore, the private and public sectors should come together to identify what is needed, at the time of establishing an entity, with regard to cybersecurity solutions that should be in place in order to start an operation.
Senator Marwah: One of our previous witnesses mentioned that data storage is an issue, particularly when you cross national jurisdictions. You have a lot of things in storage. You have an operation here, but the data is stored somewhere else, globally, and that’s a major issue in terms of how you get data.
Are there any other situations such as this that you would see are preventing us from building a more robust cybersecurity system?
Mr. Ghorbani: Data, of course, is at the centre of this, but the interactions of entities with outside agencies, outside our jurisdictions, need to be regulated as well. It’s not only the data, but it’s also the communications that happen between parties within the Canadian jurisdiction and outside the Canadian jurisdiction. Those communications also need to be regulated and identified as to how they should be done.
Senator Wetston: I wanted to explore the market structure in which cybersecurity is being developed.
The reason for my question is that it seems to me — and I would like you to comment on this, if you can — that cyber risk, in sourcing the technology that’s important to dealing with it, seems to be sourced from a relatively small cluster of companies.
For example, if everyone is using Amazon Web Services for their cloud computing, there’s a new type of vulnerability that would occur in the system. This is something I read in the media a short while ago.
Can you comment on that? Do you see that as a concern, and is that indeed occurring?
Mr. Ghorbani: I don’t see that as a concern. It’s definitely concerning in the fact that there’s a small number of monopolies in terms of different technologies we are using. But from other aspects, I can’t comment, because I just don’t have enough insight as to what it might mean to society and people on a larger scale.
If you could elaborate a bit more, I might be able to answer the question.
Senator Wetston: I guess what I’m getting at is if you have a number of third-party providers and they are the only providers, or they’re the main providers of the services associated with dealing with cybersecurity risk, you’re creating another vulnerability in the market to be able to access those particular providers — knowing their technology, being able to address the issues associated with the provision of their technology to other companies that are purchasing those services for the purposes of cybersecurity protection. That’s really what I’m getting at.
Are you observing that in the market?
Mr. Ghorbani: I’m observing it only if the third parties are from unknown jurisdictions, the places that we have less information about, for example, outside North America or Europe, where you might be a bit more concerned about using the technologies.
Within our own border and down south, there are well-established trusts and the credibility of third-party providers that one can basically rely on and not be too concerned, even though there will always be something in the back of your mind that if you’re acquiring security as a service from a third party, you have to also see that there’s some level of risk involved, unknown risk involved, and knowing that, you use a third-party technology.
Senator Dagenais: Mr. Ghorbani, my questions for you will tend to be about Equifax. As you are aware, when people’s identity is stolen, it is recommended that they contact Equifax, which will collect data and protect them.
However, Equifax users have not been lucky, given the data breaches at the company. Equifax responded. But have the financial institutions using Equifax’s services changed their data collection methods in connection with the company?
In addition, has Equifax, itself, changed its practices in order to better protect users’ data?
Mr. Ghorbani: This is such an important and good question. I would like to expand this a bit beyond Equifax and mention that we all understand that, in the black market, purchasing of an identity, a complete identity, is around $4 or $5. That being said, it raises a major question of who has control over the data. It’s my view that we have to move towards giving the owner of the data the control over the data as to when, how, in what circumstances and how much of the data can be shared with a third party.
As it is, Equifax and other organizations similar to that, or for that matter Facebook, have full control of users’ data. Therefore, users have little say in terms of when and how much of their data, private information, can be exposed or used by other parties.
I believe what I heard or read is that Equifax has addressed some of the problems they have been facing, but I don’t know if it is public in the sense that others are aware of the changes that they have made. Technologically they have made some changes, and I assume that the protocol for exchanging data with their customers and users has also been adjusted and updated.
That’s to the extent I know from Equifax. But I know for a fact that this issue must be an issue to be addressed in the future, that the owner of the data has to have full control over their information and private data and decide when and how it should be used.
Senator Wallin: Thank you very much. I appreciate your presence here. As you know, we’re in the midst of a study on this whole issue and it’s very hard to wrap our arms around the concept because it’s so large.
In terms of looking for responses, it is three areas. I was pleased to see you say today that the weakest link in cybersecurity is now people, and I think we do need to focus on that in terms of individual responsibility.
You’ve talked about the second area, the regulatory environment being very weak.
We’ve also heard testimony on the criminal prosecutorial side of this, that it might be better to pursue the criminals in this case through tax measures or economic espionage rather than other forms. It is kind of like getting Al Capone on the racketeering act.
Could we have a thought from you on each of those three areas: what we do about people, what we do about the regulatory system, and what we do about the criminal response?
Mr. Ghorbani: Thank you very much for the question. When I talked about the people, I also hoped a question would be raised about education.
The fundamentals of robust cybersecurity are people’s awareness and education. I personally believe that we have to take the size of cybersecurity, which normally consists of three parts: cyberethics, cybersafety and cybersecurity. These three should be wrapped together in different stages of education from school, and we have to, through that, train and make people aware of how to stay safe while in cyberspace.
This is a reality. We cannot wait until people come to university to train them about cybersecurity. We’ve got to go down into our school system and start from there.
Our view is a bit radical. That is, the same as other sciences we teach at school, we have to also teach cybersecurity as a core course, not an elective course that some may take and some may not take. We have to address the weakest link we have now in terms of human beings inviting attackers and intruders into our system and allowing them to have access to our data, intellectual property and network.
Going after those who are doing bad, or malicious intruders, I should say I have less knowledge of how to deal with that. In a targeted case, we can, of course, bring down those people, their operations, and make sure that with enough evidence we can provide that to law enforcement to prosecute those people. This is something that definitely people working in the area of network security and cybersecurity can provide.
So from that angle I would just stop here and say that targeting people when they are doing malicious activities is possible and gathering evidence for prosecution is also possible. But there are also some aspects of it that are not too easy to follow.
For example, you heard today about the City of Atlanta and the ransom that basically crippled the police department special operation services, part of it, and the SamSam group that are responsible for that and immediately brought down the website that had information about the payment. So it’s hard now to find out where they are and how to deal with this criminal activity.
Have I answered all your questions?
Senator Wallin: Yes, we have a check mark beside them all. Thank you.
Senator Day: Thank you very much. How is everything in Fredericton?
Mr. Ghorbani: Absolutely beautiful weather today. Freezing rain.
Senator Day: That’s kind of beautiful. We’re having that kind of beautiful up here in Ottawa, too.
I think it would be helpful for me and my colleagues to understand the institute’s breadth. I know UNB and I know you have many different faculties there, but can I assume that the Canadian Institute for Cybersecurity involves your cooperation with other universities and outside corporate entities?
You indicated that you’re strategically focusing on technological innovation in cybersecurity, but there are other areas. As you have pointed out, this is a whole-of-society type issue, so there are other areas that must be strategically focusing on other things. Are they part of the Canadian institute?
Mr. Ghorbani: Absolutely. I didn’t want to spend too much time talking about that at the beginning. I’m glad you asked this question.
“Institute,” as you might know from other places, basically means a place where you have researchers doing research on developing, or doing fundamental or curiosity research.
Our institute is a bit different from any other institute that you might have come to. We actually have three parts involved: the government, the industry and academia. I always believe without these three legs, an operation in cybersecurity will not be successful.
We not only do curiosity and fundamental research through our researchers, but we also open it up, as I mentioned, to other disciplines. We have researchers from mathematics, science, law and education who work with us when we are doing research in this area, especially from social sciences, sociology and psychology.
We covered that part, but also our institute has a model of membership. A large organization or a small organization can become a member of the institute and receive service from us, which basically means research and development. As I speak now, we have six major companies in Canada from all areas, from the financial sector, mostly from the developer and user sectors that are members of the institute, and each of them has at least two or three projects with us, which means that we have over 15 projects on the go with industry right now.
We also work with many institutes across the globe, including in Canada. Our institute is a founding member of an organization around the world called Global Epic, which is an ecosystem of ecosystems for innovation and cybersecurity research.
So we, Israel, the U.K., the United States and different parties came together and created this Global Epic for collaboration. We have an MOU and collaboration in place with the United States, institutions with New Zealand, Australia and in Europe with the U.K. “Institute” is wider than what one can imagine our institute might be. We are actually a small university that does almost everything, but we are also entrepreneurial. We build solutions for industries.
I only mentioned Q1 Labs, but we also have spun off multiple companies over the years. The recent one was a company in the area of online fraud detection called Sentrant that was acquired by Nielsen from the States.
We have extensive entrepreneurial activities, extensive curiosity and fundamental research, and collaborations across the globe with other entities.
Senator Day: That’s very helpful, thank you.
Senator Ringuette: Thank you very much. I’m very proud of what you are doing.
You indicate that we have no legislation in regard to companies securing their data and communication. A few meetings ago I asked one of our witnesses if there was work being done on some kind of company certification in regard to cybersecurity, ethics, security and so forth, a little bit like the ISO system. I was told that there was a company in New Brunswick that was developing such standards of certification for companies.
Are you involved with that group?
Mr. Ghorbani: Yes, I am, and thank you for the question. It actually started from New Brunswick from an organization here called CyberNB, and our institute is part of it and a main driver of that.
The company called Cyber Essentials is a U.K. company, and they have started an operation here. It’s my understanding that they are doing very well with regard to government departments and other institutions and private sectors. They have technology in place for certification, basically for risk mitigation and how to bring back your system if something happens, but more so on the certification side if you are actually meeting all the requirements of staying safe when you do operations in cyberspace. That’s the company here called Cyber Essentials. We are involved with that, and we certainly hope that this as well as others who come forward with certification technology and solutions come to Canada and provide this service, because this is very important.
I want to tell you, as an example, I was personally involved in spinning off three companies, and no one ever asked me anything about whether, when I purchase computers or when I set up my office or when I buy Internet services, I follow certain regulations to meet the requirements of staying safe. This certification is important, and I think it would be good that we see this one take off in the future and be adopted in Canada.
Senator Ringuette: Because of your previous statement of being involved in kind of a global network—you said “ecosystem” in regard to this issue—is the work being done in relation to certification shared with your global partners, so that one day we could have a similar ISO certification for companies, not only on the basis of regulation for businesses, but also in relation to the potential customers of those services having a sense of security in providing information?
Mr. Ghorbani: It is. I must say that this G-epic is new. It’s only, I think, 11 months old, and it is one of the few major initiatives that we have. One of them would be consolidating all the different jurisdictions’ technologies that they have for certification and see what would be a more global view of certification, because cyberspace is global. It’s not bound by any particular boundaries. That’s one.
Then, of course, we have other mandates to follow, with basically talent exchange. We exchange talents between different countries through visiting and otherwise to make sure we exchange information, our know-how and findings with each other and basically enrich our knowledge of cybersecurity problems around the world.
The Chair: Dr. Ghorbani, would you be able to indicate to the committee what you think would be the most important recommendations we could develop to assist the development of cybersecurity in Canada? What would you like to see from this committee?
Mr. Ghorbani: I would say fundamentally education, education, education. That’s a fundamental for making sure that our next generation will be safe in cyberspace. That’s my recommendation.
There are technologies that we could build. We could basically safeguard our data in our border through different technologies. We could have regulations about where our data can be stored and accessed.
All these are fundamental to staying safe in cyberspace, but I would say a major issue now is lack of awareness among the public. Our kids are growing up from age five now having access to smart devices. In an IoT environment in the future, this is where everything will start. We’ve got to make sure that, right from the beginning, we bring cybersecurity science into the mix of education and not leave it until the person is age 18.
Having said that, I would like to add one thing, because it is here in my heart. In awareness, there is a big move within Canada and other places to go to schools and train students or make students aware of the privacy and security of their information while they are in cyberspace.
That’s great, but last year, I recognized in New Brunswick that we are also leaving out our seniors. They are also extremely in need of being aware of how to stay safe while they are surfing, doing online banking or otherwise.
In our institute, we actually developed a program for cybersecurity for seniors. We want to go to different places and different organizations, and basically provide the fundamental awareness that one should actually know and follow in order to stay fairly safe while doing Internet activities and being in cyberspace.
I want to come back and say education would be the major one, but others might also say — and it’s also part of our operations here — to establish a new centre now for critical infrastructure and protection training. Our critical infrastructure protection has to be robust in order to make sure that none of our major infrastructures will have any malfunctions. The cascading and snowballing effects of that will have serious financial and societal pain in the end.
Another major recommendation from me is that we have to pay serious attention to our critical infrastructure and protect them at all times, because the societal pain of that will be enormous.
The Chair: Thank you very much, Dr. Ghorbani. That was a very helpful presentation. Thank you for taking the time to share your incredible expertise with us. Congratulations again on the work you are doing, and I hope we’re going to see more from your institute.
Mr. Ghorbani: Thank you all.
(The committee continued in camera.)