Evidence of meeting #31 for Procedure and House Affairs in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was threat.
A recording is available from Parliament.
11:35 a.m.
Conservative
Laurie Hawn Conservative Edmonton Centre, AB
Thank you, Mr. Chair, and thank you to our witnesses for coming.
Mr. Zimmer asked a question about good IT practices and so on. You said you do promote those. Are you able to share any specific good IT practices that might be useful for individuals?
11:35 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
There's plenty of advice and guidance that's available on our public website. That's openly shared.
In general it's about taking steps to put in place proper security measures at the perimeter, and that is monitoring for things that can happen so that we can react swiftly when they do happen. That helps to mitigate any damage that might be caused or limit the costs that would be incurred from a cleanup. Being vigilant is a very important one.
Also, there's looking at how we protect our information holdings within those networks. Certainly not all information is created equal, so some information deserves more protection than other information, and there are technologies that can be used for that.
User awareness is a big one—user awareness and education, not only for IT security professionals and practitioners, but also for regular users of the Internet, of computer systems, to warn them of the risks and dangers and how they may be vulnerable. For instance, managing their passwords is a good one, changing them often, what's a good password, things like that.
There are a lot of things. One of the key pieces is that the software that we use on our networks is constantly being updated and upgraded with security patches. Once vulnerabilities are discovered, vendors are very good at putting out patches to upgrade their products so that they can avoid those vulnerabilities from being exploited. Swiftly patching systems and networks, and the applications on them, is a very good way of preventing threats and risks associated with them.
11:35 a.m.
Conservative
Laurie Hawn Conservative Edmonton Centre, AB
That's not something the average home user would be able to do, though.
11:35 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
The average user would find that all bundled into their anti-virus software or their security software on their computer.
11:35 a.m.
Conservative
Laurie Hawn Conservative Edmonton Centre, AB
Everything we've heard suggests that our chances of catching Anonymous, whoever he or she or they may be, is pretty remote. I guess it varies, but do you see these guys or gals as pros, or enthusiastic amateurs?
11:35 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
Certainly it doesn't take much technical expertise to post a video.
11:35 a.m.
Conservative
Laurie Hawn Conservative Edmonton Centre, AB
So probably they're enthusiastic amateurs.
You mentioned in your remarks about detecting and defending against those IT threats that are not in the public domain. Without getting too detailed, in regard to the extent of the IT security threat, public domain or non-public domain, is it safe to say that's increasing? Is it something we think we can keep ahead of? How tough a challenge is that?
11:35 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
No, I wouldn't say we're keeping ahead of it. We're trying to track as many as we can, and those numbers increase exponentially. It's very difficult to keep pace with the number of threats we see out there.
11:35 a.m.
Conservative
Laurie Hawn Conservative Edmonton Centre, AB
Okay, I'll leave it at that.
For the Luddites among us—and I refer to myself—could you describe spear-phishing?
11:35 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
Spear-phishing is a technique. One of the ways someone can take advantage of your computer, your network, and the information that it contains is to send you an e-mail that looks like a legitimate e-mail, which would have an attachment that would look very attractive to you or be of interest to you. By clicking on this attachment you would get a document pulled up. To the user there's no apparent change, but in the background there would be some things happening to install something on your computer that could be used later to steal or extract information from your computer network.
11:35 a.m.
Conservative
Laurie Hawn Conservative Edmonton Centre, AB
Not to be too paranoid, but we've had this discussion before, about all the little data sticks that you get from everywhere. If you turn them over and see where they're made, would that cause you any concern about not knowing what's actually on that stick?
11:40 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
That's right. We increase our vulnerabilities as we increase the things we attach to our networks. So thumb drives and mobile devices increase the ways into our network and make them more vulnerable.
11:40 a.m.
Conservative
Laurie Hawn Conservative Edmonton Centre, AB
So it would be pretty easy for somebody—for a pro, not an enthusiastic amateur—to embed something on a data stick that you receive as a gift, and you stick it into your computer and who knows what happens.
11:40 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
It's possible.
11:40 a.m.
Conservative
The Chair Conservative Joe Preston
I have no one on the question list. If that's it for these witnesses, we'll suspend for a moment.
I thank our witnesses for coming.
Let's bring forward our second panel for today.
We will suspend for a minute or two while we do that.
Thank you very much for your help today. It was great to have you.
11:40 a.m.
Conservative
The Chair Conservative Joe Preston
We'll go ahead and start the second part of our meeting.
We have with us today Robert Gordon from the Canadian Cyber Incident Response Centre; James Malizia from the Protective Policing Branch; and Tony Pickett from the Technological Crime Branch.
Mr. Gordon, do you have an opening statement? Okay.
If we have an opening statement from our RCMP friends, we'll go ahead with that and then we'll do questioning.
Go ahead. Please start.
April 3rd, 2012 / 11:40 a.m.
Robert Gordon Special Advisor, Cyber Security, Canadian Cyber Incident Response Centre, Department of Public Safety and Emergency Preparedness
Thank you, Mr. Chairman, and honourable members of the committee. Thank you for giving me the opportunity to speak to you today.
I have one minor correction for the record. I'm actually with the Emergency Management and National Security Branch, the Cyber Security Directorate, in Public Safety. I've taken note of the committee's proceedings today and thought it might be helpful if I begin my remarks with a brief overview of the government's approach to cyber-security. I'll then elaborate on the role of the Cyber Incident Response Centre, which is part of the National Cyber Security Directorate located in Public Safety Canada.
Let me start by drawing your attention to Canada's cyber-security strategy, which was launched in October 2010 by the Minister of Public Safety, the Honourable Vic Toews. The strategy signals the government's commitment to strengthening the security and resilience of Canada's vital systems and our approach to doing so. That approach is founded on the idea that securing cyberspace is a shared responsibility, one in which we all have a role to play. In implementing the strategy, Public Safety Canada is therefore striving to ensure clarity of roles and responsibilities within the Government of Canada and to establish the partnerships we need with other levels of government, the private sector, academia, and international allies.
Permit me to offer a high-level snapshot of those departments and agencies with an operational role in cyber-security so as to situate the roles of Public Safety Canada and the Canadian Cyber Incident Response Centre in context. In support of Public Safety Canada's mission to build a safe and resilient Canada, the National Cyber Security Directorate leads and coordinates the development and delivery of policies and programs that increase the resiliency and security of the vital systems and their information that underpin Canada's national security, public safety, and economic prosperity. Within the National Cyber Security Directorate, the Canadian Cyber Incident Response Centre is responsible for helping to mitigate, respond, and recover from incidents affecting vital systems outside of the federal government. Since these systems are owned and operated by other levels of government and the private sector, partnerships are essential to strengthen their security. The Cyber Incident Response Centre also works closely with federal intelligence and law enforcement agencies as well as international allies in delivering on its mandate. In the event of a national level cyber-incident, the Cyber Incident Response Centre would play a key role in the coordination of that event.
The Communications Security Establishment, who just appeared before you, along with organizations such as Shared Services Canada, and independent departments and agencies, including Parliament, all have roles in the prevention and the management of cyber-incidents on federal government systems. Two other agencies, the Canadian Security Intelligence Service and the Royal Canadian Mounted Police, have investigative roles that encompass systems both inside and outside the federal government. CSIS investigates cyber-activities that raise national security concerns or appear linked to threats to the security of Canada. The objective of their investigations is to assess threats, and produce intelligence for the government. Law enforcement agencies, whether the RCMP, provincial, or local forces, investigate cyber-incidents that are suspected of being criminal in nature, be their origins domestic or international. The RCMP also conducts national security criminal investigations, as CSIS does not have a law enforcement mandate. The purpose of law enforcement investigations is to prosecute criminals in court.
Clarity of these roles and responsibilities is vital not just for efficiency and effectiveness, but also for focused and rapid response to incidents. For instance, when investigations are initiated evidence must be preserved even as we work to mitigate and recover systems. Since attacks detected on one system will often affect others, the rapid sharing of information between, for example, the Communications Security Establishment, which is acting to protect the government, and CCIRC, which is trying to share its information with its partners, is essential.
Let me turn now to setting out in greater detail how the Cyber Incident Response Centre delivers on its mandate to contribute to the security and resilience of the vital cyber-systems that underpin Canada's national security, public safety, and economic prosperity. As Canada's national computer emergency readiness team, CCIRC's role is twofold: it monitors and provides mitigation advice on cyber-threats, and it coordinates the national response to major cyber-security incidents. As such, the Cyber Incident Response Centre is Canada's national coordination centre for the prevention, mitigation, and response to cyber-events.
To fulfill its role, the Cyber Incident Response Centre provides authoritative advice to, and coordinates information sharing and event response among all levels of government, international counterparts, critical infrastructure operators, the private sector, and information technology vendors. These activities are focused on providing assistance and coordination to resolve the incident and to bring operations back to normal.
CCIRC is not an investigative body. It does not have law enforcement or regulatory authorities. The Cyber Incident Response Centre works under the premise that prevention and preparation are the most effective ways to enhance Canada's cyber-security. We act as a trusted broker for information on threats, vulnerabilities, and mitigation techniques. We have our own technical capability, and we invest considerable effort in forging trusted relationships that lead to an exchange of detailed, actionable information. Since these relationships often involve the disclosure of information that our partners consider to be either proprietary or potentially damaging to their public reputations, we guard their privacy fiercely.
CCIRC aggregates and analyzes the information it receives in confidence from sources both inside and outside the government. We then develop mitigation advice and best practices for our partners to use in defending their cyber-infrastructure, while protecting sources. Through our various information and guidance products, as well as through briefings in trusted settings, Public Safety Canada also raises awareness of the need to take greater steps toward cyber-security.
In short, during an incident, CCIRC collaborates with the affected organization to help bring it back up and running, ensures that our federal partners are apprised of how they can use the information to fulfill their mandates, and develops mitigation advice so that other organizations and sectors can take appropriate precautions.
Cyber-incidents and attacks occur frequently, but vary greatly in severity. In many cases, they are merely a nuisance, and the cyber-community is capable of defending itself against them. Nonetheless, some cyber-threats have the potential to escalate into something more serious. For this reason, the Cyber Incident Response Centre dedicates time and resources to maintain awareness of potential cyber-threats and their potential impact. The early identification of a cyber-threat allows us to better understand it, and therefore better contain it, should the threat escalate.
Ultimately, the federal government and agencies involved in cyber-security remain committed to the protection of Canadian networks. While we all have our roles to play, collectively we share the premise that our cyber-security is indivisible. If the government is being hit, in all probability so are others, and vice versa. We will continue to collaborate with domestic and international partners to identify and mitigate threats as they arise in order to enhance the safety of Canada's digital infrastructure.
Thank you for your attention, and now on to your questions.
11:50 a.m.
Conservative
11:50 a.m.
Assistant Commissioner James Malizia Assistant Commissioner Protective Policing, Protective Policing Branch, Royal Canadian Mounted Police
Thank you, Mr. Chair.
11:50 a.m.
Conservative
11:50 a.m.
A/Commr James Malizia
Yes, thank you, and my thanks to this committee for providing the RCMP with an opportunity to appear today.
With me is Superintendent Tony Pickett, the officer in charge of the RCMP's Technological Crime Branch.
I would like to begin by addressing the issue of threats to the member for Provencher.
Ministers of the crown are entitled to receive RCMP protection in Canada and abroad, as needed, by virtue of section 17 of the Royal Canadian Mounted Police Regulations. If a minister or a member of Parliament feels their safety and security is in jeopardy, they should report it to the RCMP or the local police of jurisdiction.
Based on an evaluation of the information provided, the RCMP will assess the need for protective services and, if warranted, may initiate an investigation. We constantly review and monitor the security measures put in place for our protectees, and if needed, we will adjust our security package accordingly. Security packages are provided on a case-by-case basis, are intelligence led, and are commensurate with threat and risk assessments.
I'd like to begin by addressing the issue of threats to the member for Provencher.
Ministers of the crown are entitled to receive RCMP protection in Canada and abroad, as needed, by virtue of section 17 of the RCMP regulations. If a minister or a member of Parliament feels their safety and security is in jeopardy, they should report it to the RCMP or the local police of jurisdiction. Based on an evaluation of the information provided, the RCMP will assess the need for protective services and if warranted, may initiate an investigation.
We constantly review and monitor the security measures put in place for our protectees, and if needed we will adjust our security package accordingly. Security packages are provided on a case-by-case basis, are intelligence led, and are commensurate with threat and risk assessments.
We take all threats to ministers and members of Parliament very seriously, whether the threats are in the form of a threatening letter, in person, or through electronic or social media.
The Internet has revolutionized the way we communicate and has transformed our society. It continues to influence society at a pace and rate of growth that is on an exponential trajectory. These new and evolving technologies have brought about much positive advancement: instantaneous communications worldwide, the ability to share knowledge and to work collaboratively to more effectively conduct commerce, and the list goes on.
Nevertheless, these profound advances have their dark side and that is the use of technology for the purpose of cybercrime. The RCMP views cybercrime as any crime committed using a computer network and/or hardware device. The computer network or device could be the agent of the crime, the facilitator, or the target of the crime.
Advances in technology have created an environment where individuals achieve anonymity. Criminals exploit the faceless environment provided by the Internet to conceal their identity and conduct serious criminal activity.
Criminals are reinventing themselves online to facilitate criminal acts associated with fraud, facilitation of drug trafficking, sexual exploitation of children and money laundering, for example. At the same time, new cybercrimes have emerged, including hacking and theft of data where the computer, the network or data become the focus of the criminal activity.
As you know, the Internet and various forms of social media are being used as a means to promote social change, and for individuals and groups to express their freedom of expression. This can be positive when done in a lawful manner. Such campaigns can be compared to online versions of protests on Parliament Hill, petitions and peaceful protests.
Criminals are reinventing themselves online to facilitate criminal acts associated with fraud, facilitation of drug trafficking, sexual exploitation of children, and money laundering, for example. At the same time, new cybercrimes have emerged, including hacking and theft of data where the computer, the network, or data become the focus of the criminal activity.
As you know, the Internet and various forms of social media are being used as a means to promote social change, and for individuals and groups to express their freedom of expression. This can be positive when done in a lawful manner. Such campaigns can be compared to online versions of protests on Parliament Hill, petitions, and organizing peaceful protests.
The vast majority of those who use social media to reach out do so with positive intentions and within the law, however, there are others with very different objectives and methods of achieving their goals. Certain groups would have us believe that they are the sole agents of social change. Our current understanding of some of these cyber-groups is that they can be best described as a movement with undefined membership. They offer a forum for like-minded individuals or groups to express similar ideologies. Few of these individuals or groups represent themselves as criminal organizations. However, their tactics sometimes violate criminal laws in countries where they purport to operate.
Cybercrime is growing at an alarming rate around the globe. Investigating cyber-threats or cybercrime is an evolving and challenging domain. However, the RCMP remains committed to enforcing the laws, apprehending criminals and providing for a safe and secure Canada.
Cybercrime is growing at an alarming rate around the globe. Investigating cyber-threats or cybercrime is an evolving and challenging domain, however the RCMP remains committed to enforcing the laws, apprehending criminals, and providing for a safe and secure Canada.
Thank you.
11:55 a.m.
Conservative
The Chair Conservative Joe Preston
Thank you very much. Thank you both for your opening statements.
We'll go to questions by members.
Mr. Albrecht, you may start. You have seven minutes.
11:55 a.m.
Conservative
Harold Albrecht Conservative Kitchener—Conestoga, ON
Thank you, Mr. Chair. Thank you to all of you for being here today.
One of the most encouraging things about our investigation to this point, for me at least, has been the incredible commitment to sharing. Mr. Gordon, you indicated that very clearly at a number of points throughout your opening statement—the fact that the different groups that are responsible for various aspects of security have a good network of communication.
In the RCMP statement, Mr. Malizia, you pointed out that you take all threats to ministers and members of Parliament very seriously, whether the threats are in the form of a threatening letter, in person, or through electronic or social media.
I wanted to read into the record some of the threats that were posted on YouTube by this group that identifies itself as Anonymous.
We demand that you scrap the bill in its entirety and step down as safety minister. We know all about you Mr. Toews, and during Operation White North we will release what we have unless you scrap this bill.
They go on to say, “Anonymous demands the immediate resignation of Vic Toews, the scrapping of Bills C-30 and C-11 in their entirety...”.
It's clear to me that there's no physical threat to Mr. Toews, at least not in this particular statement. But to me, there appears to be a definite threat to democracy, and I've mentioned this earlier, in the sense that legislators are sent here to craft legislation to improve the safety and security of our citizens. So it seems to me that this threat is a very real threat that all members of Parliament, and especially, members of the crown, the ministers, need to take seriously.
In your opening statement on page 5, Mr. Gordon, you indicated that CCIRC is not an investigative body and it does not have law enforcement or regulatory authorities. Prior to that you said:
Law enforcement agencies, whether the RCMP, provincial, or local forces, investigate cyber-incidents that are suspected of being criminal in nature, be their origins domestic or international. The RCMP also conducts national security criminal investigations, as CSIS does not have a law enforcement mandate. The purpose of law enforcement investigations is to prosecute criminals in court.
Going back to my line of thinking that this is a real threat to democracy, it's a threat in the sense that parliamentarians are intimidated from doing their work and then, perhaps, we could even argue that it may be a threatening factor in terms of those who are considering public service. So where in the continuum of criminality do you see this current posting of a video by the group that identifies itself as Anonymous? Is a criminal investigation necessary? What kind of investigation would be called for in terms of trying to identify who the people are who are responsible for posting a threat of this nature?
Whoever wants to may respond to that.