---

Proceedings of the Standing Senate Committee on
Transport and Communications

Issue No. 14 - Evidence - April 4, 2017

---

OTTAWA, Tuesday, April 4, 2017

The Standing Senate Committee on Transport and Communications met this day at 9:31 a.m. to study the regulatory and technical issues related to the deployment of connected and automated vehicles.

Senator Michael L. MacDonald (Deputy Chair) in the chair.

[English]

The Deputy Chair: Today the Standing Senate Committee on Transport and Communications will continue its study on the regulatory and technical issues related to the deployment of connected and automated vehicles.

This morning we have two panels of witness. For the first panel, I would like to welcome Chief Superintendent Eric Stubbs, Director General, National Criminal Operations, Contract and Aboriginal Policing, of the Royal Canadian Mounted Police; and Colleen Merchant, Director General, National Cyber Security Directorate of Public Safety Canada.

Thank you for attending our meeting. I invite you to begin your presentation. Afterwards, the senators will have questions.

Chief Superintendent Eric Stubbs, Director General, National Criminal Operations, Contract and Aboriginal Policing, Royal Canadian Mounted Police: Good morning, Mr. Chair and honourable senators. Thank you for having us here this morning.

As Mr. Chair mentioned, I am Chief Superintendent Eric Stubbs, Director General, National Criminal Operations with the RCMP here in Ottawa. I regret my colleague, Chief Superintendent Jeff Adam, is not present. He was to be here today. He is the Director General of National Technical Investigative Services. Unfortunately, an operational pressure arose this morning, and he was unable to attend. The focus on cybersecurity is his expertise. Luckily, my friend from Public Safety is in the cybersecurity world as well. Hopefully, that will not be an issue.

Thank you for the invitation to appear before this committee as you study the regulatory and technical issues related to the deployment of connected and automated vehicles.

With the prospect of automated vehicles being used by the general public, the RCMP has a vested interest in how this technology is implemented and the manner through which we will continue to enforce aspects of the Criminal Code, provincial highway traffic acts and the Controlled Drugs and Substances Act, amongst many others.

The issue of connected and automated vehicles is rapidly evolving, which now has resulted in the RCMP's increased attention to the policy and potential operational impacts surrounding the advancement of this technology.

Today, from a law enforcement perspective, we will identify a few emerging challenges and considerations as we collectively move forward in understanding the implications of these vehicles on road safety, cybersecurity and legislative or regulatory requirements.

The automotive industry is projecting that automated vehicles will likely reduce the probability of vehicle-to-vehicle collisions. This is a positive thing. However, we must remember that driving requires the ability to read traffic signs; to operate in varied weather conditions; and to consider the actions of other road users, such as cyclists.

The possibility also exists for increased risks in regard to vehicle-to-pedestrian crashes. These cars will likely be electric, making them very quiet, and the vehicle may not have the ability to sense the subtle body movements, make eye contact or detect a distracted pedestrian, which are all concerns about how an automated vehicle might react or not. As well, motor vehicle accidents may pose a number of interesting challenges when police arrive at the scene of an accident involving an automated vehicle, including determining who was in control of the vehicle at the time of an accident and, ultimately, who to charge if the automated vehicle is deemed to be at fault.

With the emphasis on traffic safety, Canadian law enforcement look forward to working with industry and federal and provincial departments to develop police procedures and best practices to assist in maintaining safety on our roads.

An automated vehicle could be used to cause a major threat to police, infrastructure and public safety. This may require police agencies to have the ability to remotely disable an automated vehicle during exigent circumstances in order to save lives. A countermeasures program to defeat automated vehicles will have to be explored.

There is the threat that individuals may attempt to hack automated vehicles for criminal purposes. In these cases, the risks include disabling the vehicle's critical vehicle control systems such as the ability to brake or steer, or intentionally causing collisions. Once again, law enforcement may require a way to intercept and stop these vehicles in the interest of public safety.

Legislative changes may be necessary to maintain road safety for Canadians and to mitigate the opportunities for automated vehicles being used in criminal activities. Potential amendments to the Criminal Code may be considered in regard to dangerous operation of a motor vehicle causing bodily harm or death, as well as criminal negligence causing bodily harm or death and, of course, impaired driving.

There are also potential scenarios which may require amendments to the Controlled Drugs and Substances Act due to drug traffickers exploiting automated vehicles to distribute drugs throughout our communities.

With regard to provincial highway traffic acts, consideration will be required to address scenarios where automated vehicles would stray from obeying all traffic laws or have a technical problem which results in the law being broken. While supporting innovation and enhancing transportation options for Canadians, future regulations will be required to address how traditionally unlicensed persons will be able to operate an automated vehicle, such as youth or some elderly persons who may have had their driving privileges removed.

One law enforcement and public safety benefit of automated or connected vehicles is the use of an emergency vehicle beacon that may be programmed for these vehicles to pull over when receiving a signal from first responder vehicles. This would make it much easier for emergency vehicles to respond to 911 calls and to reach their destination without delays.

Canadian law enforcement is taking steps to build knowledge and understanding of this emerging technology. As such, the RCMP wants to be part of a collaborative effort at all levels of government, as well as with industry stakeholders, to help enable an environment that can address these public safety and law enforcement considerations.

Thank you for providing us with the opportunity to deliver these remarks. We would be pleased to answer your questions.

Colleen Merchant, Director General, National Cyber Security Directorate, Public Safety Canada: Mr. Chair and honourable senators, thank you very much for inviting Public Safety to speak to you today about the cybersecurity aspects of automated and connected vehicles. As mentioned, I am Colleen Merchant. I am the director general of national cybersecurity at Public Safety Canada.

Before I go into specific comments around automated and connected vehicles, I would like to quickly provide this committee with some information about the role of Public Safety Canada and, specifically, the Canadian Cyber Incident Response Centre or CCIRC.

[Translation]

In support of Public Safety Canada's mission to build a safe and resilient Canada, the Canadian Cyber Incident Response Centre, known as CCIRC, contributes to the security and resilience of the vital cyber systems that underpin Canada's national security, public safety and economic prosperity. As the national computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to and recovery from cyber events.

[English]

CCIRC serves as a single point of contact for owners and operators of Canadian critical infrastructure to report cyberincidents to the Government of Canada.

CCIRC provides advice and support, and coordinates information sharing and incident response in conjunction with its domestic and international partners to address cybersecurity concerns.

[Translation]

CCIRC works to understand the national cyber threat picture by receiving cyber threat information from trusted partners including other government departments, critical infrastructure organizations, and international partners.

[English]

CCIRC shares information with partners through automated victim notifications. We have a community portal, community teleconference calls and technical and executive product distribution lists. CCIRC engages regularly with other federal governments departments that have a mandate that includes cybersecurity, most often the Communications Security Establishment, the Canadian Security Intelligence Service, the Canadian Radio-television and Telecommunications Commission, the Department of National Defence, the Royal Canadian Mounted Police and Shared Services Canada.

CCIRC also has established relationships with Transport Canada and Innovation, Science and Economic Development Canada and, of relevance to this discussion, has most recently participated in a workshop with these two departments dedicated to automated and connected vehicles. While recognizing the potential of autonomous vehicles to make a positive contribution in many areas of life in Canada, government and the private sector are paying close attention to cybersecurity in order to ensure that the ultimate benefits of these vehicles are realized.

[Translation]

Last fall, Public Safety Canada concluded Canada's first federal consultation on cyber security as part of the minister's mandate commitment to review how Canada protects its critical infrastructure and citizens from cyber threats. We received several submissions that identified both the opportunities and potential cyber security risks associated with autonomous vehicles.

[English]

Industry is aware of several potential areas of compromise to be considered. For example, compromising an individual vehicle through its connected systems; compromising multiple vehicles using vehicle-to-vehicle communications and compromising the supporting technical infrastructure that will be in place to support automated vehicles. Assuming physical control of a vehicle through unauthorized access to on-board systems could conceivably result in collisions and physical harm to vehicle occupants and pedestrians, or, from a commercial perspective, the disruption or destruction of transported goods.

[Translation]

Governments and industry are also aware of the potential risks associated with theft of personal information from the vehicle, vendors or operators of supporting critical infrastructure.

[English]

Whether it is through monetizing stolen data via online marketplaces or directly stealing funds through compromising computer systems, criminal actors continue to seek new avenues and means to boost their profits. Fortunately, as my colleagues from Transport Canada and from Industry, Science and Economic Development have noted, compromises of connected vehicles to date have been confined to research.

[Translation]

The news, of course, is not all bad, and there are things that can be done and are being done to mitigate these potential risks, all while ensuring that the benefits that come from automated and connected vehicles can be realized. Public Safety Canada has an important role to play.

[English]

Mitigating the cybersecurity concerns with automated and connected vehicles will require coordinated efforts in several areas including regulation and standards development and research along with vulnerability and incident reporting.

CCIRC, as Canada's national cyber incident response team, is well positioned to share information including mitigation advice, alerts, and advisories with critical infrastructure owners and operators. CCIRC's role as a trusted broker and primary window for cybersecurity incident reporting into government will be crucial in sharing timely information on cybersecurity threats to automated and connected vehicles with critical infrastructure owners, operators and industry partners. The Get Cyber Safe campaign, which is managed by Public Safety Canada, is how the government informs citizens of cybersecurity issues and best practices. This messaging in future could include information for citizens on how to keep their connected vehicle cybersafe.

[Translation]

Looking to the future, I had commented earlier that Public Safety Canada had recently completed a public consultation on cyber security. This consultation is aiding in the development of the Government of Canada's new approach to cyber security. This new approach to cyber security envisions a future in which businesses, organizations, governments and all Canadians play an active role in shaping and sustaining Canada's cyber resilience.

[English]

In order to adapt to the new technologies and the changing security environment, government must play a leadership role in protecting the safety and security of Canadians and our critical infrastructure, while encouraging businesses and individuals to implement responsible cybersecurity practices that support innovation and prosperity. Canada's new approach recognizes the importance of taking action in several areas that will have additional positive effects for the cybersecurity of autonomous vehicles. Areas of interest that could be contemplated for further policy development include: legislation to establish cybersecurity measures that would protect those federally regulated but privately owned critical cybersystems that are critical to Canadian national security and public safety; increased information sharing between government and industry regarding cybersecurity threats and vulnerabilities; measures to support innovation and increase the availability of IT security professionals; ways to incorporate security into the design of the Internet-enabled products known as the "Internet of Things.''

[Translation]

More information about Canada's new strategy, related initiatives and their relevance to the cyber security of autonomous vehicles will be available in the weeks and months ahead. Public Safety Canada, through CCIRC, will continue to work with its partners at Transport Canada and Innovation, Science and Economic Development Canada on this important issue.

[English]

I would like to conclude my remarks by thanking you for the opportunity to speak with you today. I look forward to any questions you might have.

Senator Terry M. Mercer (Acting Chair) in the chair.

The Acting Chair: Thank you both for very good presentations. We will start with Senator Griffin.

Senator Griffin: One of the problems in our country and perhaps more so in some regions rather than others has been quite a high rate of functional illiteracy. With the new cyber age and particularly with cybervehicles, I am trying to picture what this will mean for us. I can see that professionals who are trained in the industry are going to become increasingly scarce to find. I can see another issue, and that is with your average citizen being able to cope with these vehicles. I think especially for the professionals, this is going to involve training and I'm not sure we're ready for that in Canada. I'd like to know what your assessment is of that.

Ms. Merchant: As I mentioned, we had just completed a cyber review, and we did that through a broad consultation with citizens, academia, industry and government partners. We had put an online survey out — it was really a consultation documentation — and we got 2,399 responses to questions around four topics. We also got 90 position papers. We found that there were some fairly broad areas for action that we got a lot of response on. And two of those I'd like to mention here are, one, increasing public education and awareness around cybersecurity, and the other is to improve training for cybersecurity professionals and law enforcement. Those were two of the four basic themes that we really got a lot of feedback on, so obviously there are things that we are paying a lot of attention to, moving forward.

Mr. Stubbs: In terms of managing with an automated vehicle, perhaps the provincial governments will have to consider within their motor vehicle branches altering and updating the requirements to have a licence if you are, in fact, going to operate an automated or connected vehicle to ensure the proper knowledge to operate that vehicle on the road is there.

Senator Griffin: That's a good point. It might keep them somewhat busy, particularly if this really catches on, but I can see it might have two trains of vehicles — the people who want to get with the latest and will be prepared to get trained or catch on to it quickly. But there will be others, particularly people who have driven vehicles all their lives who are now in their senior years, who will want to stick with whatever they're driving now or something akin to it.

I like your point about working with the provinces and I'm assuming you do mean "working with the provinces'' and not that you're just going to dump this on the provinces.

Mr. Stubbs: You bet.

[Translation]

Senator Cormier: Thank you both for your presentations. My question is for Ms. Merchant. You said that the government was working with industry on cyber security threats and vulnerabilities. How is the Government of Canada, through your department and others, working with the private auto sector, given the fierce competition between automakers?

[English]

Ms. Merchant: Specifically, with the automotive sector, CCIRC does not have any specific relationships but Transport Canada does and we work very closely with Transport Canada, with the automotive sector, in making sure that threats to the automotive industry from a cyber perspective are understood.

Also, one of the things we found during our consultation process for the cyber review was that there was a lot of interest around the development and promotion of standards, best practices, certification and legislation, so that this is another area where we'll pay particular attention as things such as automated and connected vehicles are evolving.

The Acting Chair: I should mention Senator Griffin brought up the question of training and that it might not be an acceptable form in Canada. For all my colleagues, because no one around the table was on the trip, this committee visited Estonia. We were looking at the study on a paperless society. We discovered in Estonia that they tried to go paperless from the fall of the Iron Curtain when they became independent and they used very little paper. You can't write a cheque in Estonia because no one would know what to do with it. They do have training centres in that country and we visited one where they taught people how to use — in Canadian terminology — their debit card to pay for everything, including buying a newspaper at a newspaper box, to paying for a telephone call. When we visited a grade school, young kids in Grade 3 and 4 were buying their lunch and paying bus fare using their own debit card.

So there are examples of training centres that do work, and they told us at that time the training centre was going across the age barrier from young people right through to seniors because it had become an issue for everyone, since they went paperless, and everyone needed to know how to properly use their debit card.

Senator Runciman: Thanks, chair. This question is to the chief superintendent. You may have mentioned this and I missed it, but do you think, with respect to the technology that's available, that policing operations should be given the technology to override vehicle systems? If you agree with that concept, what view would you have with respect to the privacy implications of doing that? And do you have any view on legislative changes that might be required to ensure that it can happen?

Mr. Stubbs: Thank you, senator. With regard to the ability to control an automated vehicle, I mentioned that a countermeasure program would have to be explored. It's something where obviously the what-if scenarios are there where, under exigent circumstances, with the safety of the public in mind, we may have to have an ability to stop a vehicle by our devices. It would be in a very extreme situation but that possibility is there and I think exploring those avenues would have to be made in partnership, again, with industry to ensure that there was an ability for us to override those systems.

Similar to our UAV or drone program that we also have, we're exploring countermeasures to be able to control those unmanned vehicles that are operating today. We have actively worked on that program and I think it would be very similar with regard to our need in the drone industry as well as the automated vehicle industry.

The privacy issues are certainly something that we have to explore as well. There's also the issue of the amount of personal data that would be gathered within an automated vehicle and having access to that, whether it's in the context of a national security issue or whether it's simply a car accident, and whether or not we could have access to that data that's in the vehicle. Do we need a search warrant or don't we need a search warrant? That would certainly have to be explored.

Senator Runciman: There are so many implications to this. Both of you talked about consultation with the industry. I wonder what kind of reaction you're getting from industry that a security-first approach should be necessary when installing this kind of technology in Ottawa. Are you getting a receptive approach or is that what you're talking about with the industry as part of these consultations?

Mr. Stubbs: I can certainly start the answer. Last week, I had an opportunity to meet with industry and that exact discussion surfaced. I can tell you my confidence certainly increased with regard to their focus on two aspects: one is safety and the other one was the security of the vehicles.

It certainly is a focus and a priority of theirs, and my confidence was certainly increased by their focus.

Ms. Merchant: It wasn't specific to the automotive industry when we had gotten our responses to the consultation process. It was a general consultation but I would say we were a bit surprised by the uptake, even within the private sector, for the development and promotion of these standards, best practices and certification, right up to legislation, so generically speaking there is a positive reception.

Senator Runciman: I have been told that there is modern digital ID verification and security technology that is available on the market now, and I'm wondering the that's the sort of thing governments should be considering to be required before the vehicle is offered for sale.

Mr. Stubbs: From our perspective, we would certainly support any measures to increase or enhance the safety and the security of those vehicles on the streets.

Senator Runciman: I was reading an article as part of the research for this. When I talk about the range of implications here, you talked about the fact that compromising has been confined to research, but if you take it down a step, I guess, there was a situation in Texas where individuals were getting into the key fobs of cars and stole over a hundred cars in Texas. They were able to access that information through repair shops that had access to the information and then sold it to the bad guys. So those are the kinds of wide-ranging implications going forward that governments and policing and security agencies are going to have to come to grips with.

Senator Michael L. MacDonald (Deputy Chair) in the chair.

Senator Mercer: I suspect what Senator Runciman said is probably something they could do now if they get the proper information from the repair people, without going to driverless or automated vehicles.

We haven't talked about the difference between automated vehicles and connected vehicles, but many of us around the table have been taught, in the last little while, the difference between connected and automated vehicles. The security issue becomes different for connected versus automated.

I'm concerned that most connected vehicles are going to be in the public transit field. We saw a demonstration of that in Edmonton when we were there; it was impressive. If the system of driverless cars — automated vehicles — gets hacked by somebody sitting in their basement with nothing else to do but play, they could cause a lot of havoc. We heard testimony about having fleets of driverless transport trucks. Someone could hack into the system and somehow halt those trucks or disrupt their travel.

Can you imagine, Chief Superintendent Stubbs, the difficulty your colleagues in the OPP would have in policing the 401 if suddenly 20 tractor-trailers came to a stop or did something else to disrupt the traffic on the 401? That's not an attack on the highway system; that's an attack on the economy of the country. How are you going to counter that? What is your answer to that problem?

Mr. Stubbs: As it develops — and it develops rapidly and changes — the challenges that policing have to keep on top of people who want to hack, not vehicles but, of course, into computer systems and whatnot, is a never-ending task.

Similar to this one, as it develops, we have to work with industry. We have to work with government to understand what's out there, what can be defeated and what the potential consequences could be if someone was successful.

Unfortunately, like most incidents, if something does occur, then we have to react, as we are in a reactive state if something happens on the 401. Certainly significant effort will have to be made to work with those in the industry to understand so we can understand.

If need be, we can potentially override that or industry can override that. I know there were some comments about industry — major manufacturers — having a centre to basically monitor their make of vehicles on the road so they can perhaps react to something like that. How the policing industry interacts with that type of situation has yet to be determined.

Senator Mercer: I'm not sure how Canadians would react to that. I drive a Jeep. I'm not sure I'm too anxious to have Chrysler following where I'm driving in Nova Scotia. I would much prefer the RCMP to know where I'm at and what I'm doing. The RCMP's interaction with me is a little more satisfactory than my interaction with a car dealer who wants to sell me a new vehicle or wants to know how I've abused the vehicle I want to trade in. It seems to be that that's more to worry about.

How does the RCMP compete? We've heard recent reports, and the documentation is fairly clear, that the pay scale of members of the force is much lower than the pay scale in other police services across the country and around the world. How do you compete?

We're talking about you needing people who understand high technology, how to counteract people who are hacking, how to anticipate that, how to find a way to identify and stop that. How are you going to do that when you're not paying your people the competitive salary that they could get if they went to work for Chrysler?

Mr. Stubbs: Obviously, the pay issue amongst our membership is a live issue that I think all in the RCMP are aware of. I'm not quite prepared today to talk in detail about that, but there are processes under way to try to address that.

In terms of recruitment and retention, obviously specialized skills for cybersecurity, for people that really know this business, is something we actively participate in. Our recruitment drive, if you will, is very aggressive right now. I was in depot the week before last, and it was energizing to see the depot full, active and a number of troops going through. I went to a graduation.

We still have a lot of people that want to be part of our organization. To attract those specialty skill sets that we need is, again, a challenge.

Senator Mercer: It's good news that the depot is full. That's the first we've heard in some time that they have a full complement of cadets at depot. That's good news.

I have a practical question: Someone raised the issue of a driverless car being involved in an incident. Someone calls the police or first responders. What reactions are first responders going to have when they arrive at an incident where one of the vehicles is a driverless vehicle? Who is in charge of that vehicle?

Mr. Stubbs: Senator, that is a question that needs to be explored and determined. The scenarios there are significant and many.

We deal with that now when people are at the scene of an accident and they flee. With a normal vehicle today and no one is there, who operated it? Who caused the accident? It's along those same lines.

If a vehicle gets into an accident, is it the manufacturer who is responsible for that vehicle if, in fact, it was a mechanical malfunction? Is it the owner who bought that vehicle? Is it the person that programmed that vehicle to go from A to B?

Senator Mercer: What happens if the vehicle was hacked? Who is responsible for that? Is the hacker the guilty party and liable for the damages that might have happened?

Mr. Stubbs: The person that was operating that vehicle or programmed that vehicle, did they hack the vehicle and take control of the critical driving functions, like the braking or steering, and cause that? Those are aspects that we would have to investigate to determine.

It's similar if a vehicle is stolen and the suspect crashes the vehicle. The owner isn't responsible, generally, for what happens when that thief crashes their vehicle. We'll have to draw parallels to that, but it needs to be explored even more.

Senator Mercer: We have a lot of work to do.

Senator Bovey: Thank you for your presentations. It's a very complex, interesting series of connected issues.

I've got a couple of things to pick up on what others have said. In California, we know that the police are projecting that with less need for traffic enforcement officers — and that may not be the case — it could lead to job losses. I'm wondering if you've taken a look at maybe not job losses, but what kind of job changes do you see in the RCMP going forward, and what about retraining? I'm concerned about the retraining side.

That links back into research grants. In 2014, funds were provided for research grants for various projects tied in with all of this, and I'd like to know where those research grants have gone and what kind of work is being done.

Mr. Stubbs: In terms of the job losses or that thought, I suppose it would be highly speculative to try to understand how that might affect it. Obviously, as the decades move on, you will have a blending of the typical traditional vehicle intertwining with connected and then, perhaps, automated vehicles and how that might all play out.

Going forward, police chiefs around the country, North America and, for that matter, around the world, will have to assess and keep their eye on road safety and then react if they do see an increase in road safety and less need to enforce speeding laws or erratic driving behaviour or accidents. They would have to readjust or re-prioritize their resources.

For sure, there are always other areas of policing where resources could be redistributed. I'm not sure there will be job losses as much as potential redistribution as far as those resources might go.

Senator Bovey: Are you looking at that as you bring in new recruits? Are you looking at changes that might be instigated with all of this?

Mr. Stubbs: The answer to that is no. We're not looking at automated vehicles at this point in terms of an impact on our recruiting or in terms of decreasing it at this stage.

Senator Bovey: As far as the research grants that the federal government launched, the Cyber Security Cooperation Program which offers research grants in support of projects, have any been given out?

Ms. Merchant: Yes. As a matter of fact, we get $300,000 a year for this grants and contributions program, and we just went through another request for proposals. We got 21 of them, which is quite high for the program, since it is a fairly small amount of money. That program is ongoing.

To my knowledge, we haven't had any that are specific to connected or automated vehicles.

Senator Bovey: Are these going to academic institutions or industry?

Ms. Merchant: Both.

Senator Eggleton: I'd like to explore how governments in this country are getting ready for this and what kind of mechanisms or structures we have in place to deal with it. You've indicated a number of entities within the federal government — the two of you here represent two of them — that are involved in automated vehicles, connected vehicle issues, involved in the legislation, involved in regulation, involved, ultimately, in all aspects of this.

We do know that in governments, silos are dominant. This requires a lot of horizontal whole-of-government thinking both for the federal government and the provincial governments. I wonder what further structures we need to put in place.

It concerned me a bit when I heard the answer to the question about talking to the industry. Ms. Merchant, you said that you don't directly talk to the industry, but Transport talks to the industry. Then the chief superintendent said we want to be involved, but I didn't get the sense that it was necessarily in play in all of these.

I wonder how we bring a whole-of government approach to this. Who would be the lead player to ensure there is a maximum flow of information between the different entities in government and the industry itself?

This is evolving fairly fast, I sense. The Americans have done some studies and seem to have some better integration of communications between the different players. Perhaps we can learn from them or from other countries as well. We don't need to reinvent the wheel because all of the developed countries will be going through all of this or are going through all of this. I wonder what mechanisms or structures we need to put in place to ensure that whole-of- government, horizontal approach and make sure all players are connecting that need to connect with each other.

Ms. Merchant: I don't think it's as dire as perhaps it may look. I do want to mention I had said we don't have a formal relationship with the transportation industry right now. Obviously, though, we do talk to industry. CCIRC has many partners. They have well over 1,000 partners that they deal with and obtain threat information, where possible.

Transport has a formal relationship under the federal Emergency Response Plan. There are several departments who have formal relationships with industry and critical infrastructure owners and operators, namely, Transport for transportation, Finance for the banks and NRCan for the energy sector, and so forth.

In terms of organizing ourselves within government to deal with this, it is absolutely true that there are many departments and agencies that are somehow involved with the cyber area. Cyber is ubiquitous, so it's hard to get away from that.

We have a governance structure that is fairly well coordinated. It runs up the hierarchy to the deputy minister level. They get most of the deputies around the table who are interested in or have some impact on cybersecurity within the federal government and with relationships with the provinces, territories and the private sector. That's where a lot of the discussions happen in terms of making recommendations on either operational items or policy issues.

We also have tables with the provinces and territories up through the deputy minister level specific to cybersecurity.

Mr. Stubbs: I would echo Ms. Merchant's comments. It's imperative that the agencies organize themselves going forward.

I mentioned it briefly, but in our experience working with Transport Canada in regard to the UAV or the drone industry that came upon us fairly quickly, they organized a director general level meeting with a number of agencies across government. I was on that committee for a couple of years. We worked together to try to manage — I don't want to call it an epidemic; it makes it sound negative — the proliferation of the use of drones by the general public. Last month, it led to Minister Garneau announcing some regulations for recreational drone users. I was with him at the Billy Bishop Airport press conference to announce that. We worked well together — that is, Transport Canada, ourselves and the other agencies around that table — to get on top of that emerging technology fairly quickly that we'll still develop.

I think that similar format could be followed with this industry to ensure that all government is engaged in this issue and working with our provincial partners as well.

Senator Eggleton: Quite a bit of consultations are going on, but who is leading? Who is driving the agenda? Who is ensuring the coordination? Who is in charge?

Ms. Merchant: Public Safety is responsible for coordinating across government, but one of the things that we did hear back from the consultation is that even though it may be coordinated, it's difficult to find who you report something to, for instance. Where do you report a cybercrime or a threat, an incident or an attack? Then, when you do report it, at times you have multiple departments who will respond to that, given the various mandates that the departments have. Your question is a very relevant one.

Senator Eggleton: More needs to be explored on this. Thank you.

[Translation]

Senator Saint-Germain: Before I get to my question, I would like to draw everyone's attention to the fact that the Senate is hosting students from Carleton University's Equal Voice chapter. I am pleased to have accompanying me, a student with a keen interest in political governance, like her colleagues. I want to commend those in charge of the program at the university, because the group of students here today may include future senators, and when their turn comes, they will be ready.

Thank you for your very informative remarks. Following up on Senator Eggleton's question, I am wondering about the preventive role that Parliament, as the lawmaking authority, and the government should play. They must work together in the public interest. Like previous witnesses, both of you focused on an aspect we hear a lot about, the "response.'' Although it is important to respond, from a lawmaking standpoint, should we not take action starting now to prevent attacks and take a more coercive approach?

You brought up the need for potential amendments to the Criminal Code as well as the Controlled Drugs and Substances Act, with respect to prevention and road safety. That seems straightforward to me and, despite everything, easier to do. Should we not, however, consider statutes and accompanying regulations that deal with manufacturers coercively, especially when it comes to adapting vehicles to better prevent breaches where vehicles are controlled remotely? I am not trying to point the finger at industry, but the kinds of requirements I'm talking about come with inherent costs, and that may explain why those requirements are not a high priority for industry players. It is, nonetheless, the job of government and lawmakers to focus their efforts on prevention in order to protect the public. Should we not take a more coercive approach to legislation so that automakers produce vehicles that meet the highest public safety standards?

[English]

Mr. Stubbs: I think any time Parliament would encourage the development of any legislation that increases the safety of these automated or connected vehicles, we certainly would support that. I made a brief comment that when I met with industry, I was impressed with their focus on safety and security of their products. If we translate that into working with them for prevention purposes to ensure the safety of these vehicles on the road and the safety of Canadians, I think that process can start any time and should start now to ensure that everyone is working together for that exact goal.

[Translation]

Senator Saint-Germain: Who would be in charge? Who would take the lead? Right now, we have a consultation committee, deputy ministers and assistant deputy ministers. Who is thinking about it right now? The vehicles are being made. Rather than missing the boat, as the saying goes, we are going to miss the electric vehicle, if we don't do something. It seems to me that there are already aspects we could deal with through legislation. Who would take the lead? Are we going to consult other governments, like the U.S. government, to harmonize our prevention-oriented laws?

[English]

Mr. Stubbs: In terms of taking the lead and whether we can do something now, I said in my last comments that I don't think starting that now would be wrong. The technology is here and it's being developed, so to be proactive instead of reactive certainly is advisable. To determine a lead for it, in terms of a government agency, I wouldn't want to commit any agency other than my own to anything with respect to leading that charge. But I think the answer — with the collaboration that I've seen in my time here — is that an agency would likely step forward to take the lead and start the process of coming to ground as a government as whole, across government on this topic.

The Deputy Chair: Those are all the questions for this morning. I would like to thank Mr. Stubbs and Ms. Merchant for participating.

Honourable senators, I am pleased to introduce our next witnesses from the Communications Security Establishment, CSE: Richard Pierson, Director General, Cyber Defence; and Scott Jones, Deputy Chief of Information Technology Security.

CSE is Canada's national cryptologic agency. It provides the Government of Canada with information technology security services as well as technical and operational assistance to federal law enforcement and security agencies.

Thank you for attending our meeting. Please begin your presentation and afterwards the senators will have questions.

Scott Jones, Deputy Chief, IT Security, Communications Security Establishment: Good morning, Mr. Chair and members of the committee. My name is Scott Jones, and I am the Assistant Deputy Minister of IT Security with the Communications Security Establishment. I am accompanied, as you heard, by Mr. Richard Pierson, our Director General of Cyber Defence. It is our pleasure to be here today as you undertake your study on the regulatory and technical issues related to the deployment of connected and automated vehicles.

The rise of the next generation of vehicles with increased wireless connectivity and automated driving capabilities is fast approaching and in some ways is already here. As such, it is timely and important that we consider the regulatory and technical issues surrounding their deployment.

[Translation]

As you have heard from other witnesses, the convergence of these technologies has the potential to provide many economic and social benefits for Canada and Canadians, from improving the movement of goods and services to road safety. At the same time, it risks exposing us and making us more vulnerable to cyber threats from nation-states, criminals, terrorists and hackers seeking to exploit those same technologies. The motivations of these cyber actors vary widely, from financial gain and creating havoc to just doing it because they can.

As the head of IT security for the government's lead technical cyber agency, my goal this morning is to highlight the critical role that cyber security plays in keeping Canada and Canadians safe from cyber threats. Since this is my first time appearing before this committee, allow me to begin by taking a few moments to clarify who we are, what we do and how we do it.

[English]

CSE is one of Canada's key security and intelligence organizations. Our mandate and authorities are defined in the National Defence Act and we report to the Minister of National Defence. Our mandate is composed of three parts. The first part of our mandate, called part A, involves the collection of foreign intelligence in accordance with the Government of Canada's intelligence priorities. The second part of our mandate, part B, involves providing advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada. That is the work I lead at CSE. Finally, the third part of our mandate, part C, is the provision of technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.

With respect to cybersecurity we use our cyber and technical expertise to actively defend federal government systems and to identify, prepare for and respond to sophisticated cyberthreats. We also work to support the private sector, including critical infrastructure operators, by sharing cyberthreat information, advanced tools and mitigation advice.

[Translation]

As our networks converge and as more and more of our daily lives become dependent on connectivity, we can expect cyber threats to become more acute and impactful. Connected and automated vehicles will no doubt be an attractive target to many threat actors, making them especially vulnerable to theft and breaches. In this dynamic cyber-threat environment, cyber security is critical.

We believe that training and education is the key to enhancing cyber security. To this end, we have developed the Top 10 IT Security Actions to help reduce the threat surface and vulnerabilities for the government and beyond. They are listed on our website along with much of our advice, guidance and alerts. Recently, we have also taken steps to better educate members of the public, including launching a Twitter account, posting new content to our website and producing public videos about our cyber defence work.

[English]

Obviously the effects of cybersecurity on connected and autonomous vehicles could have a more pronounced physical impact in the real world, and that's what we're here for today.

Unfortunately, no single entity can combat cyberthreats alone. Cybersecurity is the responsibility of all of us, and it will take cooperation, expertise and innovation to protect the security of Canada and Canadians. Thank you for the opportunity to participate in this study. My colleague and I will be pleased to answer any questions that you may have.

The Deputy Chair: Thank you, gentlemen.

Senator Griffin: Thank you. That was very interesting. I fully agree with you that training and education will be key to enhancing cybersecurity. How much consultation has there been with the provinces and territories regarding cybersecurity, particularly with what's to come in terms of automated vehicles, for instance?

Mr. Jones: We participate in a number of different cross-sector forums, including with provinces and territories. In fact just a few weeks ago I sat with the CIOs from various provinces and the territories as well.

But on more general subjects of cybersecurity, we have never really delved into the autonomous vehicle problem or question at this point. It's more about the general things we shall be doing to protect the information, mostly from a privacy perspective in terms of what information we're entrusted with.

That being said, I think the autonomous vehicles is probably the point where the physical reality of the threat meets the intangible element of cybersecurity, which people haven't grabbed on to. Now that it's our cars, now that it's a physical world and we can see it, I think it will be the opportunity to enhance the training we're doing, but we're still in really early nascent stages for that.

Senator Griffin: I don't know if you were here when the previous two witnesses were in the room, but in terms of training to help drivers to be able to cope with this, the RCMP witness suggested that possibly provinces will have to be prepared to do some more testing as they license new drivers, and I assume as they relicense older drivers. That's going to be a major impact on provinces, and there will have to be a lot of cooperation not only amongst the provinces but also with the federal government. I can't see it just being dumped on them. There has to be a lot of work.

Mr. Jones: Absolutely, I think you've really hit the nail on the head and it's the key issue with cybersecurity in general where it is joint and shared not only between the federal government and other levels of government — the provinces, territories municipalities will obviously be heavily impacted — but also the private sector, the manufacturers of these automobiles, and citizens themselves. We all need to be aware of the different threats we're facing and what our part to play is in vehicles. For the first time, we have basically a smartphone on wheels where we have to worry about patching and keeping it up to date, not only for performance reasons but also for security.

How do we connect all of these various systems together? I think it's going to be very complicated because, unfortunately, security typically right now impacts convenience. There will have to be a good discussion about that, convenience versus security, and how do we find an appropriate balance that protects both?

Senator Griffin: Going one step further; there are a whole lot of people out there who repair cars, who have small private businesses. They're not a dealership or one of the big companies. That's a whole other group we have to deal with. I would see this as probably where the rubber hits the road because this is a $91 billion industry in Canada, vehicle repair, and we in rural Canada could end up not having very many repair places. You would have to go to the major nearest centre just simply because these people would have gotten left out. So it's a pretty big field to deal with. Cybersecurity is going to really impact people. If I'm buying a used car or if I have my own vehicle and I want to take it to a private shop just down the road to be repaired, those are all questions that as a private citizen that I would be concerned about. Thank you.

[Translation]

Senator Saint-Germain: Thank you for your presentation and your use of French.

Library of Parliament analysts assist us in our study, and they drew our attention to a report released by the U.S. Government Accountability Office. According to the report, industry stakeholders have highlighted the importance of being able to conduct remote, over-the-air, or OTA, updates of vehicle software so that automakers can quickly and effectively respond to cyber security incidents. They talk about "responding.'' Once again, I will say that the committee has heard that word a lot.

The U.S. office found that few automakers currently have OTA update capability. Should we not get tougher on industry stakeholders to avoid costs that could arise under new legislation imposing other requirements? Do you think we should have legislation that sets out specific cyber security requirements for automakers in Canada?

Mr. Jones: I think the problem lies with the OTA updates. Having the right updates for the vehicles is necessary. Three levels of security exist: confidentiality, integrity and reliability. In this case, integrity is paramount in order to protect the vehicle. The responsibility for establishing those regulations may fall on Transport Canada. Aircraft manufacturers, for instance, are required to develop aviation system updates, so they have the certainty of knowing that the updates are right. The aviation sector would be a good model to look to.

Senator Saint-Germain: How do you explain the fact that few automakers have update capability right now? Do they not see it as a priority? Do they lack the expertise and training? What can we do to rectify that?

Mr. Jones: First of all, consumers are not demanding updates. The focus is more on safety features. Second, the public and consumers cannot check whether the update is genuine. We are generally not in a position to know when an update is needed to fix a problem.

Vehicles are a good example of equipment that has become much more complex over the past three decades. Most people are baffled by how it all works and how to fix problems. The same is true when it comes to security, particularly cyber security: we accept how the electronic components function without really knowing how they work.

Senator Saint-Germain: Do you have anything to recommend? Your answer worries me. I appreciate your candour and the fact that you aren't sugar-coating things, but what can we do?

Mr. Jones: I'm going to switch to English because what I'm going to say is quite technical.

[English]

It's important to use things like encryption or digital signing to protect when you're doing an update. So the aviation industry really does give us the model for assured updates.

So I run a program at CSE called the Crypto Module Validation Program, but it makes sure the encryption systems are built properly. So when you put the update on to the vehicle, whether an airplane or car, you know that it came from the manufacturer, you know that it was approved. It was the version that they have tested. It is then installed.

Right now, when we update our systems, in general, you're not quite certain it's coming from the original manufacturer. What we want is to make sure if it is a vehicle made by manufacturer X, that they have approved it, they have tested it, that it's gone through whatever standards Transport Canada has assigned, and then you apply it properly. That's kind of the security update process.

Senator Saint-Germain: Very interesting. Thank you.

Senator Mercer: Thank you for your presentation, and thank you for helping us understand a little better cybersecurity.

It's timely that you're here because there is a news story this morning or last evening, I can't remember which, with respect to security right here in this building, with respect to our electronic devices. I certainly hope that CSE is on top of that because it's an important issue.

My colleague, former Minister of National Defence, says he knows nothing about this whole thing. He remembers the Official Secrets Act.

It's interesting that we haven't had any direct integration between people such as yourselves, who are monitoring what's going on, and the people who are implementing the rules at Transport Canada or talking to the RCMP who will be the people on the ground. CSE does great work, but you're not the first responders. It's important that there is an integration of that.

How are we going to get this integration happening? Do we wait until we come to a crisis, that something goes wrong, something bad happens, somebody hacks into a fleet of driverless transport vehicles and shuts down the 401 for 20 hours costing millions or billions of dollars to trade in this country? Should we not anticipate this in advance?

Mr. Jones: We do a lot work behind the scenes to work with different departments. I mentioned earlier the cross sector forums with critical infrastructure and manufacturers et cetera.

I hope we don't have to wait for something as economically devastating as the scenario you described. We've spent the last few years trying to get ourselves on to a proactive footing with regard to cybersecurity, certainly within the Government of Canada, where we were frankly in a position of having to react to compromises. Now we're very much in the opposite position, where we're proactively stopping malicious activity. That has given us time now to start thinking about some of the emerging questions.

The evolution of technology, frankly, is one that we have to start paying attention to the big things. As I mentioned earlier, this is probably the field that will finally draw the attention to cybersecurity that it needs, because it will translate back to the physical world. Unfortunately, our smartphones are this thing in the ether. It doesn't really touch us. If your identity is stolen right now and you have money taken from your bank account, the bank makes you whole, typically. It's a little work, but you get made whole, whereas this time we will actually have physical consequences to things that are not just doom and gloom and scary.

We do work with Transport Canada. We're trying to build up those relationships. This is why it's so important to work cooperatively across the private sector, because the expertise on vehicles isn't necessarily going to reside within CSE. We're going to want to partner. We're the experts on cyberthreats and where we see things facing, but we're going to want to work with the manufacturer. For example, in the aviation industry you work with the manufacturers who have experts in how avionics and aviation systems work.

The same thing with autonomous vehicles. You want to work with the manufacturers to make sure you know how you're building your software and that your whole process takes the security mechanisms into account.

Senator Mercer: How does CSE help prevent that disaster I talked about: a whole fleet of driverless transport vehicles shutting down? If you shut down the four major crossing points in the province of Ontario into the United States, you have virtually shut down over 60 per cent of Canada's trade with the Americans. That not only costs money, but it costs jobs.

How are you doing that now, or how will you do it in the future, when we get to the point where we have driverless vehicles arriving at the border?

Mr. Jones: I think there are three ways. First, we have a program where we do general advice and guidance, and it's about how to build things better from the start. It's trying to raise that cybersecurity bar. Organizations that have not had to think about security, we need to help establish that bar, help them learn and grow their exposure and experience in that. That's building it better from the start. We probably call that our cyberprotection side.

The second side is in our industry relationships and our partnerships with the private sector. We're trying to not only share our expertise but also some of our tools and techniques. For example, on the defence program, we're giving tools that we have custom built for the government and providing them to our various sectors. That's to help them be able to defend themselves.

Thirdly, we leverage our foreign intelligence mission to understand what threats could be coming from outside and we try to translate that into helping people be aware before the threat hits. It will be a mix of proactive — in terms of how to build it more securely — a relationship side crossing the provincial, territorial, federal and into the private sector boundaries. It's a very non-traditional relationship for the government where we are very regulatory. It's almost adversarial in some cases. For cybersecurity, we have to have a more cooperative side, and that's something that — I'll be honest — I don't know how we will build that yet, because there is a lot of mistrust, or a lack of trust in some cases there. Then there is the defence side and how we get information as we see what people are doing.

We would aim for those three. The relationship side especially is very new, and it will take some time for us to build up the credibility but also the expertise.

Senator Mercer: Thank you. The fact that we have people here from CSE indicates that this is a serious business. This is not an organization that appears a lot in public and so I thank you for that.

[Translation]

Senator Boisvenu: I am not sure whether it's me, since I woke up with a sore back this morning, but I am getting the sense that everything we are hearing points right back to the same questions we have already thought about. I don't feel we are really getting anywhere. You are the experts who are supposed to have a plan for the future, and yet, no one in the federal government seems to have any such plan. We are all wondering the same things. The idea of us, as a committee, putting forward a plan for the future doesn't inspire much confidence.

Over the past five years — if not decade — we have welcomed the arrival of semi-autonomous cars in the marketplace. As I get older, I become less alert, so the last vehicle I bought is equipped with 360º cameras, an emergency braking system and automatic speed control capability. All of these features make me a defensive driver. Because my car is equipped with the latest features, I am in direct communication with the manufacturer. Vehicles are already equipped with communication systems that are vulnerable. Your agency is not calling for action, and neither is any other. No one is saying that the regulations need reviewing or that drivers need protecting. In the next five years, before autonomous vehicles hit the market, vehicle automation will have made huge strides, with drivers increasingly dependent on communication-based technologies. We are not talking about 20 years from now, in terms of autonomous cars. We are already there. I feel as though we have absolutely no forward-looking direction when it comes to amending the regulations and protecting consumers.

I must say that I'm a bit disappointed with what we are hearing from the witnesses this morning. They are raising the very same questions we have already wondered about, instead of setting out a direction for the future. I'm not sure how you would respond to my comment, but I'd like to hear your take.

[English]

Mr. Jones: You're absolutely right. We've been emphasizing trying to secure the government's communications right now, the immediate threat. That's the challenge we face right now. We're in a world of very limited resources. Three years ago we were very much focused on responding to intrusions. It was the threat of absolutely today. Now we're in a position where we're trying to be proactive about blocking the threat that's coming. But you're right; we need to look at what's coming ahead. I think that's what's happening with the Internet of things, for example, as more and more things are connected, vehicles being one of them, but a very physical manifestation of that. How do we work to secure that? The fact that we're here as you are asking questions, I hope that will lead to us asking questions, as citizens, when we will buy these vehicles.

I ask a lot of questions when I buy things now. For example, when they wanted to put a smart meter in my house, I asked Hydro Ottawa how does it work, how are they securing it, and how do they make sure someone doesn't turn my temperature down to zero degrees and freeze the pipes in my house, for example.

This needs to start with education. Our asking questions will demand that the manufacturers put those features in and are able to answer them for us, which means they will emphasize it; they'll invest in security. Right now, we do need to start looking at what's emerging. I have started looking at the Internet of things, as things are interconnected, looking at the risk to critical infrastructure. This is just another one of the threats that is out there.

What gives me comfort over this is that the vehicle industry, the transportation industry, is actually the one we look at as kind of the model for how cyber can mature. Very much, cyber is immature at this point. We started off with roads with no lines, with no basic rules, and people worked in the time of horse and buggy; and we've progressed to a series of rules and regulations. Cyber requires the same thing, and we're just not there yet. We don't have that physical grasp that transportation has brought. It is probably the closest analogy, and now they are converging. We do need to place the emphasis on this emerging threat or this emerging technology.

I probably mischaracterized it as a threat. But you're absolutely right, we have not been paying enough attention to the proactive nature.

[Translation]

Senator Boisvenu: I am glad to hear you say that, because this does give rise to all the challenges related to infrastructure, job changes and the socio-economic environment. Communication systems are the common thread in autonomous vehicles. We are talking about cars that will be controlled remotely via communication systems. I am trying to understand why the federal government has not designated a lead group — presumably, in your organization — to consider potential communication risks with a view to both protecting people's personal information and preventing cybercrime. Given your role, do you not see your organization as the clear lead on this? Having met with officials from Transport Canada and the RCMP, I can tell you that those organizations are very closed and silo-like. No common thread ties them all together.

[English]

Mr. Jones: I think we have to break down the silos a little bit. The key concept for us is that we have been absolutely preoccupied.

There are a few things. I think it's how we're building these vehicles and connecting them in, because right now with a lot of vehicles, you still have to go to the dealer to update. They don't communicate out where you are. They're self- contained and have the sensors as you described earlier. But as you start connecting all of these systems together, I think there are some models out there. For example, why does the entertainment system in your car need to be connected to the control system for the car? So you separate out the system vulnerabilities that are there, for example. That's basically how we protect the government's classified information. We try to separate different systems and keep them apart. If you're looking at the vehicle, you can do that.

You look at its architecture, you make sure of how the system is communicating when it's making decisions. But then I think there is a whole other aspect to cybersecurity with these autonomous vehicles, and it's the data leaving the vehicle. It's not just the cybersecurity aspects of having a car, for example, veer off the road but it's also telling you where it is, who is in it, how many passengers. There are a lot of privacy aspects that we consider part of cybersecurity. The data leaves. Where do you go?

Certainly, I've experienced where I had my cellphone and I leave it on as I drive to work. And then I get in, start the car up and it connects to my vehicle and it says, "35 minutes to home,'' which is pretty neat but it's also tracking me. There are two elements, including the security element, which I have been emphasizing and that's where the mind goes to the threat, because we're focused on the threats that we counter. But I think we need to look at the holistic view of the cybersecurity realm. I've read some other work that you've been doing and you've been looking at that, but taking tactics like that in terms of how to protect the vehicle. Thinking about it with the vehicle manufacturers is the key thing here.

We'll certainly support Transport Canada. I think it's going to have to come down to their ability as a regulator and protector of our transportation system. It's really going to come down to them as the lead and we'll support them as the cybersecurity experts.

Senator Runciman: I don't think you mischaracterized it as a threat. It's also an opportunity, but I think the threats are pretty significant.

You operate in a defensive mode. I think that's one of your key priorities today, but when you look at things like the hacking of the National Research Council, it's pretty significant. We know the folks are out there who want to find opportunities to gain information for a variety of reasons, especially with the auto industry. It's such an integrated industry in the United States.

What kind of consultation/cooperation is occurring with your counterparts in the United States with respect to this issue since it impacts both our national economies in such a significant way?

Mr. Jones: In terms of working with our U.S. colleagues especially, it has been a lot more general consultations about working on the threats and things we're facing today. We're looking at critical infrastructure and the telecommunications infrastructure. How are we making sure that North America's integrated systems are protected? We are working to both share indicators of compromise but also to look ahead to what threats can be coming.

On the transportation sector specifically, I haven't been part of any specific conversations on this. It has been more about general critical infrastructure, border security and those types of activities.

Senator Runciman: That's a little bit concerning given that technology is advancing so quickly. I wrote down that you said education is the answer, consumers asking questions that compel the manufacturers to take steps, but I'm a little dubious about that. I'm not a big fan of government intervention, but I think this is an area where government has to play a more activist role, if you will, with respect to the kind of requirements that protect our privacy and the national security of the country.

One of the things I mentioned earlier was mandating that automated and connected vehicles be equipped with ID verification and security technology before they can be offered for sale, those kinds of steps. I would see your agency making that recommendation to Transport Canada and our U.S. counterparts that we move in that direction.

The other thing is not all autos that come into this country are manufactured in Canada and the United States, as we well know. We've had instances in the past where products come into this country with surveillance devices embedded within the manufactured product. Maybe I'm misunderstanding your role here, but I think that you should be playing a more active role in making that kind of information and advice available to the government and the decision makers.

Mr. Jones: I don't think you mischaracterized our role at all, actually. There are a few things that we are trying to do in terms of general knowledge, and some of it is simply a prioritization issue where we just don't have the resources to cover things like the energy sector and the telecommunications sector and the automotive sector and things like that. That's why we work with Public Safety and others in some areas.

I think you've hit on quite a few of the areas. There's import, as things are coming in, and controls and regulation in terms of how to protect these vehicles. But from a cybersecurity perspective, certainly I'm worried about a few things. I'm worried about how are we updating those? Do they meet our standards for safety? How do we test that they're up- to-date?

There is this — I don't mean this in the pejorative way — hacker mentality that we want take our smartphones and jail break it or do something to make it a little bit faster, a little bit better. I can see the same thing happening with cars. When your phone malfunctions, it's in your pocket and it's inconvenient. When it's your car, because you've done something, we have a consumer issue. We might have consumers that want to put their own special updates on cars on to let it exceed speeds, have different control systems or have tighter suspension, things like that.

There are a few different threats. If you go through the actors, we've got people who are just going to try to do this because they can. It can be fun to just make a car stop on the 401 or 417 because I can prove it's possible, versus a state who will do it for a national objective type of thing and terrorists who could use it to take an autonomous vehicle and send it on a course that wreaks havoc with us, or death and destruction.

We've got to look at the different scenarios. That's the way to break it down, working with Transport Canada on the threats and trying to counter those. But this is something we need to spend more time on. It's growing much quicker than we anticipated, as a lot of thinga are, including the smartphone and telecommunications technology.

Senator Eggleton: I've been listening to your answers, and I'm wondering about your discussions with the designers of these systems, the automotive industry. People are putting these systems together. It seems to me you should be talking to them regularly. I don't know whether you do or don't.

Connected vehicles are here to a great degree now. It's going to get more connected in future, and then we're getting into the autonomy of the vehicles.

It seems to me you should be talking to them now. You should, on a regular basis, have some sort of committee that you're talking with, and as well, of course, the United States because of the integration of the automotive industry on both sides of the country. I would think that's very important. Are you lacking the resources to do that?

Mr. Jones: It's not an area that we have the resources for right now. We do work with, for example, in the U.S, the National Institute of Standards and Technology. We have a partnership with them on some security elements that would be included in there, but, no, we're not working with manufacturers at this point.

Senator Eggleton: I think that needs to happen.

The U.S. government has something called the Cybersecurity Best Practices for Modern Vehicles. Do you have anything like that? Have you been involved in anything like that?

Mr. Jones: No, we haven't done that. Sorry.

The Deputy Chair: I have a question I'd like to put forth to you both. We work with the U.S. on the Canada-U.S. Regulatory Cooperation Council Connected Vehicles. Their work plan states that Canada and the U.S. will collaborate to establish certification requirements for CB system components and to develop a vehicle security certificate management system. I am wondering if you could explain to the senators the importance of security certificates in AVs and CVs?

Mr. Jones: Certification or certificates, sir? Certificates?

The Deputy Chair: Yes.

Mr. Jones: If I understand the reference correctly, it's likely talking about what I mentioned before, the concept of confidentiality, integrity and then availability, the three kind of security foundations. I think we're really talking about integrity, and that's what we do in terms of, "How are you assured that it is the system you expect it to be?'' Certificates is a concept in this public key in cryptography. You might hear it called signing, so you sign the update. It's not that you sign it like this; digitally, you put something in it that verifies that it hasn't been tampered with, that it hasn't been modified, that it comes from the original manufacturer. It's a way of checking that the updates you've gotten are valid.

For example, when our cellphones are updated — I'll use the example of an Apple update — it says "verifying update'' before it installs. It's checking its certificate to make sure that it's signed properly and that it is the update so, for example, somebody else isn't sending you the wrong thing.

That's probably what they're talking about in terms of the certificate side. It's the same system we use in terms of how you update an airplane, for example, and it goes to that Crypto Module Validation Program that I talked about.

The Deputy Chair: Mr. Pierson, do you want to add anything?

Richard Pierson, Director General, Cyber Defence, IT Security, Communications Security Establishment: That's good, thank you.

The Deputy Chair: If there are no more questions on second round. I would like to thank the officials of the Communications Security Establishment for their participation today.

Honourable senators, before we leave, I would like to tell that our budget for the study on automated vehicles was presented yesterday to the Subcommittee on Budgets. It will now be referred to Internal Economy, and, once Internal makes a decision, the budget will be presented in the chamber, hopefully on Thursday.

Senator Mercer: I would propose at the meeting at the same time — and this happens every year around this time — The former parliamentarians association has their annual dinner that evening, and I was going to ask steering if they could have a look at the possibility of postponing our meeting that evening so that those of us who want to can participate with our former parliamentarians, which is an important event. It's an organization that we'll all join sometime.

The Deputy Chair: You have my support, Senator Mercer, but, of course, the chair is away this week. We'll have to speak to him as well.

Senator Mercer: That's why I brought it up, so that you could do that.

Senator Runciman: Why don't you move a motion?

Senator Mercer: I move that we don't meet on April 12.

Senator Eggleton: Do we have anybody lined up for April 12?

Victor Senna, Clerk of the Committee: Yes, we do have witnesses.

Senator Eggleton: Is it internal federal folks?

Mr. Senna: No, it is a non-governmental organization, CCMTA. We'll check the calendar, but do have them confirmed.

Senator Eggleton: You could reschedule them. They're not coming from Europe or California or somewhere.

The Deputy Chair: Yes, we could reschedule. Do you want to make a motion?

Senator Mercer: I so move.

The Deputy Chair: Moved by Senator Mercer that we cancel and postpone the meeting on April 12, seconded by Senator Runciman.

(The committee adjourned.)