Thank you very much, Madam Chair and members of the committee, for inviting me to participate.
I will start with a bit about me. I have worked in cybersecurity, facing the most advanced cyber-attacks in the world for the past 20 years, both within government and as an entrepreneur. I am currently leading Arc4dia, where we are providing services, acting as the last line of defence to detect intrusions by leveraging our proprietary software. We have been operating remotely and decentralized since I founded Arc4dia 10 years ago. I also participate within the Bitcoin community, both publicly and within invitation-only fora, as a think tank in security and game theory in the ecosystem.
I came with a few points to share with this committee from listening to the previous meetings. Although I only listened to a few, I do have some observations.
I observed a resistance to change that is driven by a desire to keep what works well, and that, due to past errors, hurts collegiality. It is true that change is a threat vector that can be exploited by others. However, being static is also a weakness that can be exploited to prevent us from fixing what we have broken in the past or what needs to change in order for us to adapt. With the world changing around us, and very fast, with the rise of artificial intelligence combined with cyber-domain attacks and social engineering driven by artificial intelligence, I believe we need to change and adapt and, even better, be ahead of the curve.
To do so, and to dwarf non-genuine influences, we need to strengthen collegiality. It is by knowing each other more intimately that we will detect and see attacks against us and have the agility and the speed necessary to react before damage is done. For example, limiting or reducing face-to-face interaction has been brought up by many during the hearings as a change that will have negative outcomes for the effectiveness of our democracy. These are the kinds of changes where we need to be agile and be able to bring back collegiality. I heard that some get-together dinners were removed from the tradition of the House of Commons, where opposing parties had held discussions in a more relaxed and convivial atmosphere. I would advise you that such sittings are very important in our defence against cyber-domain attacks.
Understanding the nuances of our interpersonal and professional communications is essential in detecting subtle attacks against us. Our adversaries will look for ways to interfere with all forms of communication, and not just the written kind in email, texts and online postings. For example, during video-based presentations they will or could disrupt images and the tone of voice in an effort to inject or alter messages of body language, facial expressions and the intentions of our elected officials. Without our collective understanding of what right looks like, we will fail to see the subtle attacks that will eventually lead to more brazen and flagrant attacks.
I also observed concern with e-voting. E-voting and the use of technology should complement and reinforce one vote. Make sure your voice can be heard and make sure it is accurate. The way I see technology and software is that they augment our reliability and agility in our voting process, and perhaps even make it antifragile. We need to move away from using a single platform to vote, in favour of adding technological compatibilities to strengthen the reliability and the resiliency of voting. Perhaps we should vote on video, as well as signing our votes with dedicated, secure hardware. We can then audit that our votes are correct. Perhaps we could time-stamp our votes with a Bitcoin blockchain, making them forever verifiable.
In short, diversity—one might say multifactor authentication—in our methods of conducting business face to face, by voice and electronically will make it more difficult for our adversaries to achieve their desired outcomes and improve our opportunities to detect their attacks. These ideas and improvements should come gradually, holistically and in an agile process. If not already in place, I would recommend that the House of Commons put in place such processes, supported with permanently ongoing threat and risk assessment, versus the typical static evaluation that ends up on the shelves collecting dust to check some accreditation marks.
In closing, the three observations I have described are woven together by a common thread; that is to say, defending ourselves is more than simply a technology issue. To protect the integrity of the House of Commons and the parliamentary process so that legislation, policies and directives of the Government of Canada truly represent the intentions of the electorate, we need to provide the electorate with the highest level of confidence that the actions of the House of Commons are truly what they are supposed to be.
Regardless of the method of operation, whether it is in person or virtual, the importance of this cannot be overstated.
We require defensive measures, assessed and developed in a holistic and continuous threat-risk managed manner that address all forms of attacks, such as political attacks on infrastructure and people, attacks that attempt to compromise the integrity and loyalty of our people, attacks that attempt to compromise or disrupt the integrity of our supply chains, attacks aimed at disrupting our ability to determine truth from fiction, and of course, attacks that attempt to disrupt or compromise our IT systems. There is no higher calling than to protect our democratic institutions and our country.
I thank you, and I look forward to your questions.