Information & Ethics Committee on April 29th, 2014

That was Aramco. Yes. They had about 30,000 desktops that were—

Yes. Typically viruses do not harm the hardware, but in this case it was a management decision of Aramco. Of course they are rich. They said the best way to deal with the problem is to throw away all those computers, buy new ones, and reinstall them.

Probably that was a very good decision because it's probably cheaper to do that than to have to reinstall them from scratch. Do the math, $1,000 a machine. That's a big number.

As I said, high school kids hacking with respect to the Heartbleed incident, students from the University of Western Ontario, they used to be the bigger problem. Now they are just a nuisance. They are not the problem.

From a social-political point of view, however, in countries where there hasn't been much of an IT economy developing, you have all of those whiz kids who instead of finding jobs in Kanata or Silicon Valley go into cybercrime. They have become professional, and they have people with big guns and big muscle who are making sure they do what they need to do.

It's not only the government. It's Canadian industry. It's foreign governments worldwide. It's a worldwide problem. I don't think the Canadian government is less diligent than all the governments worldwide or even all the big organizations. It's not only in the last few years. It's in the last 30 years. In the sixties, seventies, and eighties, the IT industry was a well-dominated, organized market. It used to be IBM and a few other people. It was well understood how it worked, and whose throat you had to choke if there was a problem.

But with the arrival of the web, then it became a free-for-all. Anybody who had some kind of coding knowledge could develop a web app. Anybody who could contribute to the development of open-source software could, and the standards we were used to were dropped because it was new, it was shiny, and we wanted to have the cool stuff and we wanted to make a buck as quickly as we could with it. The banks are a good example of that, right? The fabulous profits they made in 2000 were due to that.

The government just followed suit. They did what everybody else did in adopting technology, but they abandoned the standards they had in the previous world. In the mainframe world, there were standards about development and so forth, but when we went to the new paradigm of client, server, and web, we just forgot it. We just abandoned it completely. We need to go back.

When we talk about technology, we talk about security, and data security is the weakest-link problem. There are technological aspects to it. We can have good technology. We have encryption technology, but it's just not being used. People don't use it. When we get into new types of information like health information and electronic health records and the way that this is now being transferred among all these different networks and systems, the fact that we have data breaches of health information that's not encrypted is criminal. That shouldn't happen. But that's a people-problem not a technology-problem. The technology is there.

Yes, with encryption, the policies may even be there, but you have to have people to actually do it.

If you don't mind, I can borrow your credit card, I'll shut off my phone and I'll be able to read your credit card number over the air, and your name, and your expiry date. There's an app for that.

Oh, oh.

Yes, unfortunately the banks were mostly motivated by profit in developing this technology. They wanted to get their filthy 3.5% of profit on the market of the small pocket change.

That's at the cost of Canadians’ privacy because that technology is not protecting their privacy. If I steal your credit card from your wallet, you'll probably notice because I have to put my hand in your pocket at some point, but with this new technology I don't even have to do that. I only have to get close to you in the metro, on the subway, or within 10 centimetres, and that's it; I've stolen your credit card credentials and I can make transactions on it. The technology that they themselves have created could prevent that, but they've deployed it in a mode that is less secure, for the time being, because they don't want to have to invest the money required to change the infrastructure for the payment terminals.

What regulation...?