Evidence of meeting #33 for Government Operations and Estimates in the 43rd Parliament, 2nd session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A recording is available from Parliament.
Liberal
Francis Drouin Liberal Glengarry—Prescott—Russell, ON
Great. Thank you.
I'll switch gears.
Some Canadians, obviously, felt the impact of their government accounts being closed with the CRA. Can someone explain to me what happened there and why the government took the precaution to shut down these accounts? What is the best way for Canadians to prevent that from happening?
Acting Chief Information Officer of Canada, Treasury Board Secretariat
I can answer the first part of that question, Mr. Chair.
The CRA has been proactively using different methods and third parties to look for signals that accounts have been identified and potentially compromised. This is anything from, again, going back to the capabilities where there have been previous compromises or known lists of identities that are suspicious. All they do is deactivate the accounts. They contact the users, and they tell them that they may have been compromised and that this may have been part of some other event that may affect other accounts like their bank accounts, Facebook accounts and things like that. It is giving Canadians a proactive piece of advice that they need to look at their cyber-hygiene and that they need to take action.
With regard to the CRA accounts, there's a process for them to re-establish their accounts. They don't lose their accounts permanently. It's just that they have to reset their passwords and re-establish their identities.
I would leave it to Mr. Jones to talk about what other cyber-hygiene activities Canadians should take to protect themselves overall when this happens or just even as part of due course.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Mr. Chair, I'll quickly add in on what Canadians can do.
The first thing is this: Don't reuse passwords on accounts that you really care about. In fact, don't reuse passwords. We recommend that Canadians use things like password managers, something that will autogenerate some random, complicated string of passwords.
For things that you really care about though, use unique passwords. Turn on multifactor authentication. That means asking it to send you a text message when you're logging in, logging in from a trusted device, or having one of those hard tokens, although most people won't use those because those are kind of hard to use. However, turn on something so that it verifies.
Security questions are not multifactor authentication. That information has been stolen, so don't count on that as a second factor. When we talk about that.... So, it's something you know: your password. It's something you are: in the physical world, a fingerprint or a picture or something like that. It's something you have. That's where we talk about your getting a text message on your phone that gives you a code to log in with for the next few minutes, etc. That's multifactor authentication.
Turning on those things already makes you a much harder target. Those are simple things you can do. I encourage every Canadian to go in and change the passwords for the things you care about, the things that can have harm to you as a citizen. Set it to a hard password—better yet, a pass phrase if its allowed—something that only you know, that only you can remember. If you're going to write it down, lock it away somewhere and hide it. Don't tape it under your keyboard. That's the first place anybody looks.
Liberal
Conservative
The Chair Conservative Robert Gordon Kitchen
Yes, Mr. Drouin. Thank you very much.
We have heard some great questions and answers. I look at the time, recognizing that we have to go in camera. If we go into the next round, it would take us well past that point.
I'll remember not to put it under my keyboard anymore. I appreciate that.
With that said, I would like to thank the witnesses for being with us today—all five of you, although Mr. Jones, Mr. Perron, Mr. Brouillard did all the answering. We appreciate that. You did indicate that you might have to look up some further questions and respond to us. If you would do that and respond to the clerk with those answers, it would be greatly appreciated.
We go now from the public portion of this committee to the in camera portion meeting. When I suspend the meeting, the technical staff will end this part of the meeting in Zoom. This means that members cannot remain logged into this meeting. You will have to go out and then come back in using the pass code the clerk has sent to you.
I will suspend the meeting until we're back together in a couple of minutes.
[Proceedings continue in camera]