Evidence of meeting #33 for Government Operations and Estimates in the 43rd Parliament, 2nd session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A recording is available from Parliament.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you.
I'm happy to pick up on that line of questioning. Just to be clear, through you, Mr. Chair, to Mr. Jones, I believe it was the CRA breaches of close to 50,000 incidents of suspicious activity that my friend from the Bloc just referenced. Would that be something that the Communications Security Establishment would flag and pick up, or would that be left to the agency's forensic analysis?
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Mr. Chair, I think that's a great question.
One of the areas where, in terms of credential stuffing or information theft, the amount of information that's already been stolen about so many of us from different data breaches and is reused against the government is the threat.
Typically, what you're talking about there is how the application is being abused in terms of attempting to commit fraud. That would be where it would be for the department to look for. They know what normal activity looks like, so the department would look for things that look abnormal, but we would obviously work with them.
We work closely with CRA throughout this and any department that runs these types of services, but that would be something that looks from a cybersecurity perspective from the outside like a normal user. I have your username and I have your password, so it looks very legitimate. That's where we make sure there's no light between departments, so we look outside and the departments look inside for fraudulent activity.
NDP
Matthew Green NDP Hamilton Centre, ON
We've heard lots of discussion around the prevalence of CERB fraud, and yet we hear Mr. Brouillard talk about 50,000 identities stored in the dark web. Have there been any early indications or cross-reference between information that was taken through these breaches and potential fraudulent applications for the CERB?
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Mr. Chair, I think I'll turn to my colleague—
NDP
Matthew Green NDP Hamilton Centre, ON
Before that happens, Mr. Chair, can I just ask Mr. Jones if something like that would be in his purview before it's passed along?
Head, Canadian Centre for Cyber Security, Communications Security Establishment
We're really talking about two different things, Mr. Chair. I think there's the number of data breaches that have happened. The Privacy Commissioner of Canada, in our national cyber-threat assessment where we highlight this, said that 28 million Canadians last year had their information taken. That information has then been reused to target the Government of Canada. By reusing passwords, for example, somebody was able to log in.
We're not talking about information that was taken from the government. It was taken from other data breaches, but people reuse things. Our security questions are the same. What's your favourite colour? What school did you go to, etc.? That's the information these criminals have stolen, and because passwords are horrible and we all have too many of them, we tend to reuse them. A lot of Canadians reuse them, and so those were able be reused. That's what credential stuffing is. Really, we're talking about information from other data breaches then turned and used against the Government of Canada. But Marc, maybe—
NDP
Matthew Green NDP Hamilton Centre, ON
I do say this respectfully, because it's not often that we have a member from the Communications Security Establishment before us. This is why I'm trying to get the most out of this intervention, because I don't know when you may be back.
Is there a scenario—this is for my own edification—where the information that might have been obtained through the CRA's vulnerabilities could then have been used to re-access fraudulent CERB applications? Maybe I'm oversimplifying it or conflating it.
I'd love to hear from you, Mr. Jones.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
I think that would be a pretty unlikely scenario, to be frank, because that wasn't what we saw happening here. We saw Canadians being impersonated in this activity where they were using their legitimate credentials, so essentially logging in as them. I think that's kind of my overall response to this, but Marc might be able to tell you more.
NDP
Matthew Green NDP Hamilton Centre, ON
That's fair. When I hear that the information would be parked on the dark web, I just have this nefarious vision of what that looks like and how it might be used through organized crime, non-traditional organized crime and other entities to defraud the government. I'm just wondering if some of our own vulnerabilities may have played a role in that in some way.
This is a follow-up question for Mr. Jones through you, Mr. Chair.
I've heard now in many different public accounts committees and different places about the legacy and just how old some of these technologies are. Is this something that is currently being reviewed by the Communications Security Establishment? Would it be in your oversight to review system-wide vulnerabilities and provide information back to departments that would triage and find the biggest gaps in our security?
Head, Canadian Centre for Cyber Security, Communications Security Establishment
That's a great question, and you have the right group here. It's the tripartite that would really look to say how we would make sure the government is robust. Marc would lead that as the CIO for the government. So yes, the answer is that, in some cases, legacy does work in our favour. Sometimes things are so old that they don't—
NDP
Matthew Green NDP Hamilton Centre, ON
This is the floppy disk. We're not going to have any floppy disk espionage.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Sometimes it's so old it just doesn't connect to the Internet. In most cases, though, this is where Shared Services Canada, our perimeter strategy, making sure that we're ringing security and layering different elements of security to afford that level of protection.... We do take very seriously the need to protect that information.
As we modernize those systems and implement the digital operations strategic plan, we make sure that we're building in security from the start. The fact is there have been so many data breaches—we're talking about outside of the Government of Canada—that there is a tremendous amount of information available on each citizen, about all of us on the web.
I know I have been the victim of data breaches, so when Yahoo was breached—
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Well, it's the reality.
Conservative
The Chair Conservative Robert Gordon Kitchen
Thank you, Mr. Green.
Mr. Jones, thank you.
We're finished our first round. We'll now start our second round.
We have Mr. McCauley for five minutes.
Conservative
Kelly McCauley Conservative Edmonton West, AB
I liked where Mr. Green was going with that.
I appreciate the witnesses being here today.
The revised National Security and Intelligence Committee of Parliamentarians annual report showed up on our desks a couple of days ago. I have a couple of questions about that.
It talks about China and Russia as the main malicious actors that we have to be aware of. Is that for industrial espionage, attacks on the government, attacks on our logistics systems, or issues like utilities and so on? Would you be able to let us know about that?
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Mr. Chair, I'd actually refer back to our national cyber-threat assessment, which we issued in November 2020. We listed four states as the primary threats to Canada: China, Russia, North Korea and Iran. We mentioned that intellectual property theft is one aspect of this, but critical infrastructure was also an interest.
I would really like to emphasize, though, that we did say that absent international hostilities, we think it is extremely unlikely that any nation-state would deliberately disrupt critical infrastructure. I want to really emphasize that point because—
Conservative
Kelly McCauley Conservative Edmonton West, AB
What do you term as critical infrastructure? You made a comment about the absence of an act of war. We just saw Colonial taken down a couple of weeks ago. Is that not a similar concern for us?
Head, Canadian Centre for Cyber Security, Communications Security Establishment
It is, absolutely. In fact, that is something I said with the National Post. One of the concerns we have is that when ransomware is deployed against a victim such as a critical infrastructure provider, because of the way technology is merging together, it means that to defend themselves, they take all of their technology offline. They isolate and shut down to take protective measures.
Publicly, we saw Colonial do that. They took their pipeline operations offline so that they could get back control of their infrastructure. Something that we highlight in the national cyber-threat assessment is that we need to be taking this very seriously. Ransomware is the number one threat facing Canada and Canadians. That includes critical infrastructure, for the exact reason that we say. We were all hoping, in the cybersecurity industry, that we wouldn't see something like the Colonial pipeline, but it is the first of many.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Who would be responsible for following up on such things? We always say it's a wide amount of responsibility. Of course, there are airports, pipeline infrastructures, utilities. Who generally is responsible for that so that we don't have a Colonial situation here, or an attack on an airport, or other issues? Is it just different levels of government?
Head, Canadian Centre for Cyber Security, Communications Security Establishment
It depends. We work with all levels of government, and we work with critical infrastructure providers. We make sure that all the information is provided and available. We try to build individual relationships with companies. In general, we have a very receptive audience. They all care about this as much as we do.
However, the IT environment is, in general, weak for cybersecurity, and so you have to layer on this tremendous amount of defence. These are areas where we work together. It's a shared responsibility, not just of the federal government but, ultimately, of the infrastructure owner and operator. They own their network. They own their infrastructure. They make investment decisions. We work to make sure that they have all of the best information we can give them, and we work together to try to make sure that we're addressing threats as early as possible. It's a shared responsibility.
Conservative
Kelly McCauley Conservative Edmonton West, AB
What about Crown corporations? Are they treated exactly like government departments?
Head, Canadian Centre for Cyber Security, Communications Security Establishment
No, Mr. Chair. Crown corporations have a unique status. We are able to provide the same levels of service that we do for all federal organizations. Just because of their structure, their chief executives tend to have more flexibility in terms of what they decide, more like the private sector, in terms of what they do for cybersecurity, but we do work with many of them.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Yes, a lot of that, obviously, was decided years ago before we had such issues coming up. Is that something on which we need a rethink? Yes, Crown corporations operate at arm's length, but that being said, for something like cybersecurity, should we have a rethink to bring it under CSE?