Evidence of meeting #96 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was estonia.
A recording is available from Parliament.
Conservative
Jacques Gourde Conservative Lévis—Lotbinière, QC
I have one last question. Do we need international legislation? Different countries have different laws, so we can't guarantee the same level of privacy protection if information is obtained through another country.
Programme Director, National Cyber Security, e-Governance Academy
We believe that we don't know the Canadian situation so well. What we can say is that everything—at least, what we do in the digital world—is based on legislation that was developed with digital development in mind.
Senior Expert, e-Governance Academy
The Estonian experience is that we can protect private data better in the digital environment than in paper forms. If someone is looking at my paper documents, I cannot get information about that, whereas digital information transactions are visible to citizens. This is a very important fact to consider, actually.
Conservative
Liberal
Raj Saini Liberal Kitchener Centre, ON
Good morning. Thank you very much for being here.
I want to ask a more general question related to foreign policy.
The attacks in 2007 were in part precipitated by a domestic move that you had made in Tallinn to move a statue, from what I understand. Please correct me if I'm wrong. Going forward, the decision was made legitimately by a sovereign country to do what it wanted domestically regarding certain issues. The attack emanated from that.
Going forward, in terms of your foreign policy, have you been more hesitant? Are you more tempered in what you say? Has it changed your outlook in any way to not irritate certain countries in the world? Has that changed in any way?
Programme Director, National Cyber Security, e-Governance Academy
If I think back to the time when we had this incident, I ask myself what lessons we learned.
One is that we have to co-operate more closely with the countries that believe in the same values as we do—basically, all democratic countries. Regarding those countries that don't appreciate the democratic way, we just have to keep in mind that we need other solutions, technical solutions or otherwise, to prevent other incidents from happening.
I think it has certainly been reflected in the foreign policy, but more to the positive angle of how to co-operate with democratic countries. In the NATO environment, the EU, there is a very good example: somebody mentioned earlier that Estonia is quite a small country—and that's true; it's only 1.3 million people—but now we have influenced the whole European Union in that the same principles we talk about today are already implemented in the EU, where there are 500 million citizens. That certainly was the product of our foreign policy.
Liberal
Raj Saini Liberal Kitchener Centre, ON
One of your strategic objectives in your cybersecurity policy is international co-operation, and since the attacks of 2007 certain things happened. One was that NATO undertook their own review. I also believe the U.S. government has people there to help protect against cyber-attacks.
However, when we talk about international co-operation—I'm specifically talking about your objective, which I think is a very noble objective—in many cases the countries that are predisposed to creating attacks may not be democratic and may not have the democratic principles that we enjoy. How do you navigate that?
You talked about the European Union—which is fine, since the countries are democratic—but when it comes to international co-operation, a lot of the attacks that will emanate against certain sovereign states will not be from countries that are democratic or stable.
How do you approach that issue when a part of your founding principles in your cybersecurity document is international co-operation?
Programme Director, National Cyber Security, e-Governance Academy
We do that through the European Union, because all these countries you've probably referred to are quite big. They are simply not discussing this matter with us, so the only way to deal with these countries is through the EU foreign policy.
Also, let's say that the international co-operation or foreign policy in this area gives something like probably 30% of the security, but most of the things that we could do are still technical. Implementing new technology ensures security in cyberspace for us, and through the foreign policy we handle only the part that we cannot do technically.
Conservative
Conservative
Conservative
Peter Kent Conservative Thornhill, ON
Thank you, Chair.
To your point that there have been no instances of identity theft—and I think that's an impressive reality— I understand that several months ago, some 760,000 personal certificates were suspended, not because there had been a breach but because of a threat assessment that the chips within the cards were perhaps defective or vulnerable.
Could you explain what happened there?
I understand that these chips are not made in Estonia but in Switzerland.
Programme Director, National Cyber Security, e-Governance Academy
Yes.
We found out that the company that produced the ID cards for us didn't use the best possible encryption logic. The cryptoprocessors that were on the cards were not made as per what was written into the contract. Basically, they were not good enough. These chips were produced by the Swiss company Gemalto, and the specific chips were made by German company Infinia.
That was a case that affected not only us but also Spain, Slovakia, Microsoft, and everybody else in the private sector and public sector who used the same chips. It concerned the chips that were produced in a certain time frame, from late 2014 to 2016.
Regarding Estonia, it was a massive incident, because it concerned about half of the ID cards that we use in Estonia. We could say that half of the population was basically under theoretical danger.
I have to emphasize that nothing happened, because we got out of this vulnerability and we reacted very quickly. Basically we developed a solution in two months, and we started to issue new certificates immediately after that. We didn't have any security incidents, but it put the specific concern on our table of how to approach that problem in the future and how to avoid buying a product that is certified and later finding out that the certification is not correct.
Conservative
Peter Kent Conservative Thornhill, ON
That brings up another question.
Given the rapid evolution of technology and the evolution of cyber-threats, what sort of turnover would you foresee in terms of having to reissue new certificates with updated safe encryption technology?
Programme Director, National Cyber Security, e-Governance Academy
The update was done over the Internet, the same as we do updates for our personal computers. Resource-wise, it wasn't very massive. It simply meant that each person had to plug their ID cards into their personal computers and update the certificate. They have to do it anyway every second year, so in this case they had to do it earlier. Resource-wise, it wasn't a massive problem, but it was a problem of possible vulnerability that we didn't know about.
Conservative
Peter Kent Conservative Thornhill, ON
What is the cost consideration in terms of the individual certificate and the chip it contains, the technology that it's capable of managing?
Programme Director, National Cyber Security, e-Governance Academy
I don't have the calculation of how much the certificate costs, but the ID card with cryptoprocessor certificates and everything costs 20 euros per person. We didn't need to change the ID cards, only the certificates, so I would guess that it cost maybe 1 euro per person.
Conservative
Liberal
Michel Picard Liberal Montarville, QC
Thank you.
Since we just have five minutes, let's go straight to the questions.
A system is as good as the persons who manage it. How do you manage the risk to avoid an inside job, from your human resources standpoint?
Programme Director, National Cyber Security, e-Governance Academy
We manage the inside vulnerabilities again by using the ID cards. With respect to what different persons do in the cyber-environment, there is going to be a log. Everything is going to be logged, and we can investigate the log later. If the administrator, for example, wants to do something in the system, they have to identify themselves with their ID card. That's how we prevent that. That's one measure.
The second measure is that we don't have one big database. As you see on the slide, there are hundreds of different databases under different authorities, and different persons have access to these databases. Everything is decentralized and nothing is concentrated, so if somebody even gets access to certain systems and is able to cause harm there, they have limited scope to do that. They cannot take down the whole system.
Liberal
Michel Picard Liberal Montarville, QC
About the fact that you have a separate databases, there are two things. First, from an investigation standpoint, we develop more and more software to create bridges to look at different databases to be able to create relationships, because the quality and efficiency of a database is its capacity to create relationships. By separating your databases, do you create redundancy and therefore slow down any process of research or investigation?
Programme Director, National Cyber Security, e-Governance Academy
To be honest, I'm not sure that I understood your question.
Liberal
Michel Picard Liberal Montarville, QC
Okay, let me go again.
I'll give you an example, and it's not promoting the product, but just to know how it works.
In investigation, i2 Solutions developed bridges that can catch data from different databases and put them together, because the quality of a good database is its capacity to create relationships—the name, address, time, patterns, friends, and so on. By creating databases that are separate, do we have to make redundancy? Also, going from one database to the other, from an investigation standpoint or research standpoint, is slowing down the process quite importantly.
Programme Director, National Cyber Security, e-Governance Academy
Let me explain how the system works. Maybe it will answer your question.
On the slide you see these different databases. Some of them are in the public sector and some of them are in the private sector. We make the connectivity between the databases through the secure data exchange environment. We call it the X-Road. It's a state-controlled environment. Everybody who wants to be connected to this data exchange environment has to, first of all, implement certain security regulations, security guidances, be up to the standards, etc. They have to apply to be part of this secure data exchange environment. It means that we keep an eye on the data exchange. We control that. We don't go into the data itself, but we control how the data exchange happens. Everything is encrypted, as I mentioned, logged, and time-stamped.
The way we get information from the databases is not by going directly into the database. Instead we get the information through the electronic services that you see on the slide. There is e-police, e-school, e-tech support. This is like a presentation format. The electronic service takes predefined data from different databases and then presents it.
