Procedure and House Affairs Committee on June 5th, 2018

I sent the email to Mr. Chan from Facebook and to Twitter as well, and I've been in contact with both of them by phone or by email. Mr. Chan said that he would be able to be here on Thursday afternoon, and I'm still waiting to hear back from Twitter with an official response.

Good afternoon, Mr. Chair and members of the committee. My name is Scott Jones and I'm the head of cybersecurity at the Communications Security Establishment. As mentioned, I'm accompanied by Jason Besner, the Director of the Cyber Threat Evaluation Centre, or CTEC, at CSE. Thank you for inviting us here today.

As I believe it has been sometime since a CSE official appeared before this committee, please allow me to provide you with a brief overview of CSE's cybersecurity mandate.

For over 70 years, CSE has helped provide and protect Canada's most sensitive information.

In addition to our foreign signals intelligence and lawful assistance mandates, CSE, as Canada's centre of excellence for cyber operations, is mandated to help ensure the protection of information and information infrastructures of importance to the Government of Canada.

In this effort, CSE provides advice, guidance, and services to Government of Canada departments and agencies and to owners of other systems of importance to the Government of Canada. CSE works closely with partners from across government as part of this important effort, some of whom you have already heard from as part of your study.

As you know, the Minister of Democratic Institutions asked CSE to analyze risks to Canada's political and electoral activities from hackers. In response, CSE released an assessment of cyber-threats to Canada's democratic process. This assessment, released in June 2017, was developed by looking at the experiences of elections around the world over the last 10 years. The report found that Canada is not immune from cyber-threat activity against its elections.

While the threat in Canada was assessed as generally low sophistication, political parties, politicians, and the media are vulnerable to cyber-threats and influence operations. Indeed, the report assessed that in 2015 Canada's democratic process was targeted by low-sophistication cyber-threat activity.

There are many types of threat actors who could target our democratic process, and CSE plays a vital role in preventing them from achieving their goals. By providing advice to government departments, political parties, and the public on how they can better protect themselves against cyber-threats, we help prevent harmful compromises.

Since publishing the report on cyber-threats to Canada's democratic process in June, CSE has held productive meetings with political parties, parliamentarians, and electoral officials to discuss the report and its findings and to offer cybersecurity advice and guidance. For example, at the federal level, CSE officials have met with parliamentarians, representatives from all political parties with standing in the House of Commons, and in partnership with Elections Canada, we met with a majority of federally registered political parties in Canada.

We have been asked by the Minister of Democratic Institutions to continue our analysis of cyber-threats to Canada's democratic process. Our 2017 report was produced with the intent of it being updated as required. Our analysis will continue to look at the rapidly changing technological and threat environment, and will help characterize and understand the evolving threats to our democratic processes.

These efforts are part of CSE's goal of supporting an enhanced understanding of cybersecurity issues and will help increase resilience against threats to Canada's democratic process. In addition, this ongoing analysis will help inform briefings to Government of Canada officials, political parties, and parliamentarians.

Our ongoing efforts are set within the context of broader initiatives taken by the Government of Canada to bolster cybersecurity. Through budget 2018, the government has announced its intention to create a Canadian centre for cybersecurity within CSE as part of a new “to be announced” Canadian cybersecurity strategy. This initiative is complemented by the enhanced statutory framework proposed under Bill C-59, which would help strengthen CSE's capacity to thwart cyber-threats. This important legislation includes key provisions to advance the tools available to government in this domain, set within an enhanced accountability regime.

Thank you, and we look forward to answering your questions.

[Witness speaks in Mohawk]

I was just speaking Mohawk and said, “Hello, everyone.” My name is Coty Zachariah, or “He Speaks in the Wind”. I come from the Mohawks of the Bay of Quinte First Nation, located near Kingston. I'm also the national chairperson of the Canadian Federation of Students and represent around 650,000 students across the country at the post-secondary level.

In October 2014, we joined the Council of Canadians in a charter challenge to the voter suppression elements of the so-called Fair Elections Act. Our primary concerns about the act were with regard to prohibiting the authority of the Chief Electoral Officer, or CEO, to authorize the use of the voter information cards as valid ID for voting, and limiting the CEO's authority to carry out voter education and outreach.

Students face additional barriers to voting, notably that students move frequently, often up to twice a year. As a result, common identification cards do not indicate the address that students live at on election day, or their names are not on the voters list in the poll or riding that they live in while they attend school. Moreover, by limiting the CEO's authority to carry out voter education and outreach, students, who are often new voters, are likely to be more confused about the process.

Despite these barriers in the last election, the CFS undertook a massive, non-partisan elections campaign that worked to mobilize students to come out in record numbers to vote. In 2015, 70,000 student voters took part in the democratic process at on-campus polling stations. It led to an expansion of that initial pilot project within Elections Canada. For 18- to 24-year-olds, turnout was 57.1%, compared to 38.8% in 2011. This increase of 18.3 percentage points is the largest increase of voting engagement in any demographic in the country. However, this increase was in spite of the Fair Elections Act and students still faced issues.

To quote the Chief Electoral Officer's post-2015 election retrospective report:

As in the previous two elections, problems with voter identification at the polls were more often related to proof of address. The labour force survey after the 42nd general election asked non-voters why they did not vote. In terms of reasons related to the electoral process, the inability to prove identity or address was the main reason cited ... and was more often cited among those aged 18 to 24.... Based on estimations from the survey, that amounts to approximately 172,700 electors. Among them, some 49,600 (28.7%) said they went to the polling station, but did not vote because they were not able to prove their identity and address. Approximately 39% of that group were aged 18 to 34.

We at CSF find that unacceptable. Students, however, are encouraged to see that Bill C-76 would make substantial reform to the Canada Elections Act, including the amendments formerly set in Bill C-33, and we look forward to seeing it passed.

We are discouraged, however, that these reforms are coming so late. It seems likely that even if Bill C-76 proceeds expeditiously, it would not make it through the Senate and be proclaimed into force until 2019, making it unlikely that Elections Canada could fully implement the bill's reforms before the next general election in October of next year. It seems likely that it is our court case with the Council of Canadians that might result in the necessary reforms around voter suppression being implemented prior to this election, a regretful outcome of a delayed process around Bill C-33 that we would like noted.

We believe student and youth participation in the democratic process is something to be celebrated and not discouraged. We hope that Bill C-76 will promote this principle.

Thank you.

There are a few areas. We've been working with Elections Canada on general architecture, advice, and guidance, things such as supply-chain integrity, contractual clauses, and so on, as they start to establish the infrastructure for the election. In addition, though, we've also worked with them in the development of the threat assessment itself, just to ensure that we were maintaining neutrality and not stepping into what is the domain of Elections Canada as a non-government entity, an entity of Parliament.

Further to that, though, we are also looking at how to actively participate and work with Elections Canada in terms of defending the infrastructure that is being deployed in support of election 2019 to ensure that it is properly protected and is able to proceed.

I think it's a mix. If you look at political parties and politicians as candidates, the lack of advice that can be practically implemented and easy to use...technology itself is a barrier to that. It is hard to implement proper security right now. It's not simply something that you can just buy. Frankly, the technology we use needs to be improved drastically itself.

We do provide advice and guidance in terms of things people can do themselves. Everything takes time. We all know there's probably not a large IT organization behind every candidate or behind every party; it's what's necessary to run the election. The biggest challenge is that right now cybersecurity takes a tremendous amount of effort and it takes expertise. It should become secure by default and design rather than you having to secure yourself.

No.

It all depends on how early you get in and start working on security. If you look at security from the very beginning, you can design a system that is able to protect itself, that's able to detect when there is malicious activity happening, and that is able to assure that the data itself has integrity. That starts from the beginning, so that security is designed as an integral part. When we look at security at the end, it interferes with our ability to use the system; it interferes with our ability as users to interact.

The key aspect of going with online voting—and there are a number of benefits that I know have been discussed—is really to get in early and design it from the start for the security environment we face, which is one of a number of threats. It doesn't necessarily need to be a state threat, but sometimes the threat of mayhem and the ability to just do something.... Enthusiasts are actually a significant risk at this point as well.

We have a number of things. One is simply configuring when you're using mobile devices. Obviously as members of Parliament you have to travel quite extensively, but in your ridings, etc., we have a number of pieces of advice and guidance on our website. I know that we've actually made them available as well through the House of Commons IT staff. As well, we work really closely with that IT staff in terms of increasing the security you have as parliamentarians using your infrastructure.

There are some simple things that can be done in terms of how you use your IT, how you configure it, and the passwords you set. How do you manage your environment? Who do you give access to for your account? Who do you give access to for your equipment?

Some of that mobile security guidance is one of the pieces of advice that I would encourage everybody to use. It's freely available on the Internet site of CSE. Those are some concrete steps that should be done by everybody.

Elections Canada has reacted very quickly. We started working with them before the 2015 election. That has continued unbroken since. They're very aware of the rapidly evolving environment.

I think one of the issues we have in terms of dealing with individual politicians and political parties is that it's just one of the issues that everybody has to tackle along with everything else they're facing. There's the ongoing, day-to-day business that you all have to face, and cybersecurity is yet another thing on top of that.

How can we work together to make it easy? I think that's one of the key things. That's where we need to really work in society to raise the bar on cybersecurity so that you don't have to do something special. We should all have at least a basic level of cybersecurity by default.

It's probably best left to the RCMP. Anything that is illegal interference with a computer system or any type of activity would probably qualify, but it's probably best left for my colleagues in the RCMP to address.

Yes. With social engineering, I think the thing they're usually taking advantage of is time. How quickly...? You're busy, so they want to catch you off guard and get you to click on something. In social engineering, I'm really talking about them trying to convince you they're somebody they're not, so that you reveal a password, a critical piece of information, or something they need to be able to get into your systems.

One of the key things we always say is that just because somebody has called you and seems to know something, don't trust it. Ask a question or, for example, say what we always say in the banking context, which is that you'll call them back. You say, “Give me a file number and I will look on the back of my credit card and I will call you with the file number.” Then I know that at least I've called the right place. That's a simple step, but it's things like that.... Unfortunately, approaching everything with a little bit of suspicion is one of those things that's necessary in the cybersecurity context now.

I think the thing right now is that it wouldn't be CSE's lead. That would really be the lead of Public Safety Canada and the Canadian Cyber Incident Response Centre, at least in the broader context of a larger piece of infrastructure, but as the Canadian centre for cybersecurity stands up, it would definitely be the cyber centre that would be a place to come to.

In general, though, we'd be looking to leverage some of the other activities going on, such as the Canadian Anti-Fraud Centre and some of the awareness campaigns—for example, “Get Cyber Safe”—to just bolster the level of defence and the general knowledge that's out there.