Evidence of meeting #136 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Alex Benay, Chief Information Officer of the Government of Canada, Treasury Board Secretariat
Aaron Snow, Chief Executive Officer, Canadian Digital Service, Treasury Board Secretariat
John O'Brien, Director, Security and Engineering Reliability, Canadian Digital Service, Treasury Board Secretariat
Ruth Naylor, Executive Director, Information and Privacy Policy Division, Chief Information Officer Branch, Treasury Board Secretariat

4:30 p.m.

Liberal

Anita Vandenbeld Liberal Ottawa West—Nepean, ON

Going to the people who will be implementing this, the public servants, both of you have spoken about things like culture change.

Mr. Snow, I think you said that this is more about change management than it is about technology.

I noted that you said there's a public sector digital academy. You have mechanisms such as this talent cloud to bring talent in for short periods. In terms of the culture shift that is going to be required by the public service, how are you making sure that it is in place, not just the technology but the people?

4:30 p.m.

Chief Executive Officer, Canadian Digital Service, Treasury Board Secretariat

Aaron Snow

CDS's answer to that question is one partner-department at a time. Culture change is not usually something that happens effectively with a single directive that everybody should just start behaving and thinking differently all at once.

There are pretty clear models of how adoption of new technologies in the public culture occurs. It looks like a bell curve or a Rogers curve. Early adopters will try anything and get started. If they're comfortable, their friends and their networks start to hear about it and more people take it up. Then, at the very end, after mass adoption, there are a few folks like my father who took 15 years to start using email.

It is slow. One of the ways we measure the success of a project that we do with partner departments is that as we're wrapping up or are in the midst of that project, we see if the department is starting to use some of the same methods, practices and tools that we brought in, possibly for the first time there, on other unrelated projects. If we see that, we know that we're succeeding because those notions are starting to take root and spread in the department.

4:35 p.m.

Conservative

The Chair Conservative Bob Zimmer

The time's up.

Next up for five minutes is Mr. Kent.

4:35 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thanks, Chair.

I have a question for Mr. O'Brien to start off with.

We know that federal government departments have been hacked successfully, deeply penetrated any number of times, in the last decade by certain foreign players. I think the cybersecurity of the various repositories in a digital government like the Estonian model—interconnected but separate repositories of information—would be essential to assure Canadians of the security of their privacy.

Last month in a speech, Neil Parmenter, the president of the Canadian Bankers Association, talked about all of the banks' interest in developing digital ID across the country, in every sector, to enable the banks to better provide services to their customers. He also suggested that because of the way banks today protect access to client security, they should perhaps play an integral role in any future Canadian digital government. What would your thoughts be on that?

4:35 p.m.

Director, Security and Engineering Reliability, Canadian Digital Service, Treasury Board Secretariat

John O'Brien

I guess I'll start by saying, I did work for CSE for about 12 years. I was in the cyber defence branch, so I was likely involved in these intrusions you spoke about, in some respect. That said, I no longer work for CSE and I don't want to speak on their behalf, but I'll kind of wave my hand a little bit.

You're right. There are actors around the world, both at a nation-state level and from a script kiddie—people just trying to break things—who are constantly attacking systems around the world. We're not really special—well, maybe we are special—but I think one of the challenges that a lot of organizations have is that when they get compromised, they don't really want to go and tell people because that creates negative press for them.

Essentially, what happens is that everyone ends up suffering in silence. Part of the work I did before I left CSE was to take one of the security tools that we built and open-source it, to release it to the security community so that we could actually bring up that security bar across the industry. From a transparency perspective, that's where we sit in terms of the security space.

To kind of pivot on to your question about the banks, I guess the point to that would be, I don't actually know how banks secure their systems. For me to say that I think they are in the best position to protect Canadian security would be kind of out of place. I would love it if they would be more open and honest about that, just like I would love it if Google and Facebook and all these companies would be very open and honest about how they do security things. At that point, we could all collectively bring up our security postures, and I think Canadian citizens would be a lot more trusting of all of the parts.

4:35 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Mr. Benay, have you had any interaction with the Canadian Bankers Association? They talk about the multiple levels of protection they have to protect clients' personal data. They seem to think that they would be in the forefront of those in the private sector who may offer to participate in government digital services.

4:35 p.m.

Chief Information Officer of the Government of Canada, Treasury Board Secretariat

Alex Benay

I haven't had any interaction directly with the bankers' association, but I can say that the banks have been engaged in the pan-Canadian trust framework, for example, so this isn't something that is necessarily new to them.

We have architecture conversations with the banks fairly regularly on some of their investments, including their sign-in protocols, and ours, and making sure that we're working together. We also have, I would suspect increasingly, at least the objective of the new Canadian Centre for Cyber Security, to continue interacting cross-sector, because often an attack on a bank could lead to something happening in the CRA and other places. I can tell you that the focus on cross-sector collaboration is something that Public Safety Canada is examining and CSEC and other colleagues, as we're going through this new era of cybercrime, frankly.

4:35 p.m.

Conservative

Peter Kent Conservative Thornhill, ON

Thank you.

4:35 p.m.

Conservative

The Chair Conservative Bob Zimmer

Next up for five minutes is Madam Fortier, and then it will be Mr. Angus.

February 19th, 2019 / 4:35 p.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

Thank you, Mr. Chair.

Good afternoon everyone.

I'd like to thank the witnesses for being with us today. Many of my questions have already been asked, but I still have a few left.

Earlier, we talked about the Privacy Act and other legislation that protects people's personal information. I realize that the legislation will require some amending as society embarks on the digital path and the government adopts digital service delivery. I've been an MP for two years, so I understand that that type of legislative review takes a long time.

Given our legislative framework, what do you do when you realize that certain amendments are necessary in order to protect Canadians?

4:40 p.m.

Chief Information Officer of the Government of Canada, Treasury Board Secretariat

Alex Benay

You raise some very good points. The current Privacy Act has been in force since 1983, well before the Internet era. The discussion we're having today attests to the big changes on the way that will affect society. The act applies to 265 institutions. I mention that not to make excuses, but simply to highlight how colossal the undertaking is.

When we encounter an issue, we work closely with the Department of Justice. TBS is responsible for building an inventory of situations that arise, and our discussions with the Department of Justice and other stakeholders are ongoing. The enterprise architecture review board began cataloguing issues and key points that have come to our attention.

Naturally, it takes time. Take, for example, Europe. The EU General Data Protection Regulation, or GDPR, wasn't developed in a few years. It takes time to come up with those kinds of rules, which will likely require regular review, as Mr. Snow pointed out. Many of our private sector partners are currently putting new services in place. Obviously, it's an ever-evolving challenge. We also have to work closely with our partners at Innovation, Science and Economic Development Canada, since they are the ones in charge of enforcing the Personal Information Protection and Electronic Documents Act, or PIPEDA, in the private sector.

There is no doubt that the digital ecosystem is quite complex, so we want to be sure we take the time we need to analyze all of the issues reported to us. The next step will be to engage with Canadians about their private data.

4:40 p.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

As you go down this critical path, have you identified any measures we should take a closer look at now, in light of what's coming? When or how often should we expect the eventual reviews?

4:40 p.m.

Chief Information Officer of the Government of Canada, Treasury Board Secretariat

Alex Benay

In the timetable we gave ourselves, we set aside two years to review certain legislation that might hinder information sharing. We wanted to ascertain whether an issue was real or merely just a rumour, so after examining 11 departments, we identified 187 amendments to legislation that could affect the sharing of information.

What I just said is also based on the premise that information sharing is a problem, real or imagined, but we wanted to validate it. With some of the technologies we talked about earlier, namely X-Road in Estonia, we'll be able to validate some of the notions we have. We'll continue working with our partners at Justice Canada and Innovation, Science and Economic Development Canada to make sure we have the complete picture. Right now, we are thinking it all through.

4:40 p.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

Did you have something to add, Mr. Snow?

4:40 p.m.

Chief Executive Officer, Canadian Digital Service, Treasury Board Secretariat

Aaron Snow

I can refer to my experience in the United States. Legislation, being the slowest and most encumbered of all routes to the solutions, can often result in unintended consequences. We saw that happen in several cases, so I would exhort all of us to look for the smallest and fastest unit of governance when possible to avoid going into the process of creating and amending laws.

4:40 p.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

Thank you.

Do I still have time?

4:40 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thirty seconds.

4:40 p.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

If you think we should look to models adopted in other countries—we talked about Estonia, among others—we'd be curious to know which ones so we could consider other best practices in the course of our study.

4:40 p.m.

Chief Information Officer of the Government of Canada, Treasury Board Secretariat

Alex Benay

It's important not to dissociate issues related to data protection, AI and automation. For instance, we're doing a lot of work with France right now on issues around ethics, data management, privacy and automation, so I encourage you to explore those elements.

4:45 p.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

Thank you.

4:45 p.m.

Conservative

The Chair Conservative Bob Zimmer

Mr. Angus, for three minutes.

4:45 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

I find the more I stay in politics the more of a digital atheist I become. I used to be a digital believer in the peaceable kingdom that we were going to create.

I represent a rural riding that's bigger than Great Britain. Many of my communities have no roads, and where the Trans-Canada Highway goes through my riding, I have businesses that can't get Internet services on the Trans-Canada Highway. In my little communities, the libraries are full of kids after school, not because they are reading books but because they don't have Internet at home.

To follow up on my colleague, we are the face of government for them, because they get told to go online, but what they are dealing with is a world that is increasingly like Kafka in a world of smartphones, because what government expects from people—your child tax benefits, your EI, your disability claims—are becoming increasingly complicated. Having a new interface doesn't change that. In fact, it disenfranchises people, because they become more frustrated, so they end up in our offices all the time, and we're having to go through and do the forms.

It's not your responsibility to deal with the inanity of government, the paper and the evidence, but when you talk about making it easier for people, what I see as the question is that it's great you have all the bells and whistles on the service, but if they can't access a way to get through that, then they become even more disenfranchised than if they were just told to mail it.

4:45 p.m.

Chief Executive Officer, Canadian Digital Service, Treasury Board Secretariat

Aaron Snow

Rare is the project we work on that does not delve into service design, and not just digital design. In fact, in every product team we have, in addition to our research and design, and our engineers, there's a member of our policy team on that team as well for exactly this reason. Service design spans across. To communities like yours where connectivity is at issue and where complexity is to grow, we design with those users in mind. We go to those people.

For instance, this isn't necessarily an example about disconnected users, but the work we did for citizenship exam rescheduling for folks who were trying to change citizenship, we knew that some subset of the people who would need to reschedule citizenship exams would be doing so from their phones, because it's the only Internet access they had. Those connections might be intermittent, so that particular service was designed to work even when their connection goes in and out. It was designed to work on a phone, computer, gaming console, on any access they had, so that whatever level of access they had, it was going to be an experience they were not going to suffer through.

Every service is different. Every service has different requirements, different needs based on who's consuming the services, but that's why it's so important and why it's the first of the digital standards to put your users at the centre of the design experience, not just digitally but for the entire service design.

4:45 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, everybody.

How many people still have questions?

We're going to have rounds of seven minutes for each party, and if there are further questions we'll take them too. Just let me know. We'll start with the Liberals.

Nathaniel, you have seven minutes.

Then we have the Conservatives and then the NDP each for seven minutes. Go ahead.

4:45 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Yes, but Charlie Angus with one question takes at least seven.