Thank you, Madam Chair and committee members. I'm glad to be here.
As was mentioned, I'm director of the Citizen Lab. The Citizen Lab does research on digital security issues that arise out of human rights concerns.
As much of the world moves into work-from-home rules of self-isolation, technology has become an essential lifeline; however, this sudden dependence on remote networking has opened up a whole new assortment of security and privacy risks. In light of these sudden shifts in practices, it's essential that the tools relied on for especially sensitive and high-risk communications be subjected to careful scrutiny.
In my comments, I'm going to first quickly summarize Citizen Lab's recent investigation into the security of Zoom's video conferencing application—the application we're using right now—and the company's responses to our published reports. Then I'll discuss a broader range of digital security risks that are relevant to the work-from-home routines that MPs and their staff are following. I will conclude with six recommendations.
First, with respect to our published report on Zoom, we published it on April 3 and did a follow-up on April 8. In essence, at the core of that report was that we found that Zoom did not seem to have been well designed or effectively implemented in terms of its encryption. Its public documentation made several misleading claims about its encryption protocols that did not match what we observed in our analysis. I invite committee members to take a look at that report.
We also found potential security issues with how Zoom generates and stores cryptographic information. While based in Silicon Valley, Zoom owns three companies in China, where its engineers developed the Zoom software. In some of our tests, our researchers observed encryption keys being distributed through Zoom servers in China, even when all meeting participants were outside of China. A company catering primarily to North American clients that distributes encryption keys in this way is obviously very concerning, because Zoom may be legally obligated to disclose those keys to authorities in China.
In our report published on April 3, we also discovered that there were issues with Zoom's “waiting room” feature. We didn't disclose those at the time, because we consider them very serious. We did a responsible disclosure to the company.
Now, in response to both of these reports, Zoom has taken a number of actions regarding security. It has committed to a 90-day process to identify and fix security issues, including a third party security review, enhancing their bug bounty program and preparing a transparency report. They've also committed to improving their encryption, including working towards the implementation of end-to-end encryption. They acknowledged that some Zoom users based out of China would have connected to data centres within China and indicated that they had immediately put in place measures to prevent that from happening.
They've released new versions of their platform. You can see that there are some new features, like we experienced today with waiting rooms and passwords and so forth, and they've done a very good job in terms of hiring people with credible expertise in the cybersecurity area.
While it's encouraging that Zoom has made these improvements, the sudden reliance by a very large number of people on a platform that was never designed for highly sensitive communications is symptomatic of a much larger set of problems related to work-from-home routines. It's imperative that we evaluate all the risks associated with this sudden change in routines, and not just those associated with one particular application.
Legislators working from home are connecting using devices, accounts and applications through widely differing home network set-ups, as are their staff. These networks may be shared with roommates and family members whose own digital security practices may vary widely. Whereas in pre-COVID times these devices were routinely brought back into the government security perimeter where sensors might detect problematic network behaviour, this is obviously no longer the case.
Generally speaking, the communications systems we rely on have rarely been designed with security in mind. Security is either routinely regarded as slowing the speed of innovation or impossible to patch backwards. The consequence is that there is a vast array of unpatched systems that leave persistent vulnerabilities for malicious actors to exploit.
Meanwhile, governments and criminal enterprises have dramatically increased their capabilities to exploit this ecosystem for a variety of purposes. Almost all nation states now have at least some cyber espionage capabilities. There is also a poorly regulated private market for cybersecurity that includes numerous companies that provide off-the-shelf targeted espionage and mass surveillance services. Our own research at Citizen Lab has shown that the market for commercial spyware in particular is prone to abuse and has been linked to targeted killings and the targeting of a Canadian permanent resident. These relationships may well open the door to the same tools being deployed against legislators and their staff in jurisdictions like Canada.
At the best of times, these problems present extraordinary challenges for network defenders, but now parliamentarians and their staff are at even greater risk, and threat actors are capitalizing on this new environment.
In terms of recommendations, I make six, and I'll go through these very quickly.
First, where possible, extend the digital security resources developed for the House of Commons to all Canadians. I think the IT team at the House of Commons will be severely taxed dealing with all the problems I'm describing here. Some measures have been taken already, with CSE helping out. There are ways in which the measures that CSE is undertaking to push threat indicators out to some organizations outside of the government perimeter could be done more widely, but I would urge that they be done in a transparent and accountable way.
The second recommendation is that the Government of Canada should evaluate and issue guidance on work-from-home best practices, including those for video conferencing applications. This should include recommendations for scenarios on the use of some applications for specific purposes but not others, and I assume that we'll get into that in the question and answer session. Some of that has been done already by the cyber centre, but these are dated and largely insufficient for the task at hand.
The third recommendation is to support independent research on digital security and the promotion of secure communication tools. At a time when we're depending on technological systems, there should be more high-quality, independent research that scrutinizes these systems for privacy and security risks. To assure Canadians that the networks they depend upon are secure, researchers must have the ability to dig beneath the surface of those systems, including into proprietary algorithms, without fear of reprisal. Presently, researchers can come under legal threat when they conduct this research, to the detriment of everyone's security, so we recommend that the Government of Canada pass legislation that explicitly recognizes a public interest right to engage in security research of this sort.
The fourth recommendation is to implement a vulnerability disclosure process for government agencies, including the House of Commons. These processes establish terms by which researchers can communicate the presence of vulnerabilities in organizations' systems or networks without fearing legal repercussions. I believe Canada should do this as well to mitigate vulnerabilities and make it comfortable for researchers to engage in this type of adversarial research.
The fifth recommendation is to establish a transparent and accountable vulnerabilities equities process. The Communications Security Establishment currently has a process by which it evaluates whether to conceal the presence of computer software vulnerabilities for use in its own intelligence operations or to disclose them to ensure that all devices are made secure. However, CSE is formally alone in making decisions over whether to retain or disclose a vulnerability. We therefore recommend that the Government of Canada broaden the stakeholder institutions that adjudicate whether vulnerabilities are retained or disclosed, especially in light of the enhanced risk that all government workers face when working from home. We also recommend that the Government of Canada follow international best practice and release a full vulnerabilities equities process policy, so that residents of Canada can rest assured that CSE and their government will not retain vulnerabilities that could seriously compromise the security of all Canadians.
My last recommendation is to support strong encryption. Given the potential for adversaries to take advantage of poorly secured devices and systems, we recommend that the Government of Canada support the availability of strong encryption so that MPs, their staff and residents of Canada can be assured that the government is not secretly weakening this life-saving and commerce-enabling technology to the detriment of all Canadians and our allies.
Thank you very much.