Evidence of meeting #16 for Industry, Science and Technology in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was fraud.
A recording is available from Parliament.
4:10 p.m.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
We've seen it reported that a darknet hacker named Julius stole 1.4 million names.
I'm sorry, Madam Chair. I didn't see you waving your red flag at me.
4:10 p.m.
Liberal
The Chair Liberal Sherry Romanado
My apologies. I'm sorry to cut you off, MP Motz.
Our next round of questions goes to MP Lambropoulos.
You have five minutes.
May 20th, 2020 / 4:10 p.m.
Liberal
Emmanuella Lambropoulos Liberal Saint-Laurent, QC
Thank you, Madam Chair.
I'd like to thank all the witnesses for being here today.
With regard to COVID-19, people are obviously taking advantage of the fear and the vulnerability of Canadians at the moment. They're doing whatever they can to take advantage of the situation, as they would under normal circumstances, but this is obviously a new angle that they can use.
Given the fact that we're going to be in this situation for at least several months to a year or a couple of years, what are some of the strategies that you think we can use moving forward in order to prevent such crimes from continuing to happen in the future?
That's a general question for whoever would like to answer it.
4:10 p.m.
A/Commr Eric Slinn
On behalf of the RCMP, I touched on this in my opening statement. An ounce of prevention is worth a pound of cure. I don't think you can do enough prevention. Many of my colleagues who are witnesses here have talked about informing the public and letting them know what these scams are.
Because a lot of these threat actors are actually outside of Canada, it's very difficult for enforcement. From a prevention standpoint, I don't think you can message enough, and that is a key part of our strategy. It's to make the public aware of new scams, getting it out on our website and getting it out through partners.
As I said, it's a shared responsibility. We all have a piece to play, but prevention is huge.
4:10 p.m.
Executive Director, Enforcement, Autorité des marchés financiers
Madam Chair, I'd like to make a comment.
4:10 p.m.
Executive Director, Enforcement, Autorité des marchés financiers
Thank you.
I completely agree with what Mr. Slinn just said. In my view, awareness and education are very important. We take action with regard to investors, but in this case, we're talking to all Canadians. We must watch out for situations that appear fraudulent. People can be tempted by the lure of gain in some circumstances.
Some schemes involve promoting a person who has invented a miracle vaccine or a miracle drug, for example. The Royal Canadian Mounted Police is an investigative team, and so are we. We must first encourage people to take care to avoid falling for this type of fraudulent scheme. We try to reach out to seniors, who can be contacted by telephone or on social media. That's one of the major issues. Governments probably have a role to play in raising public awareness about this issue.
4:10 p.m.
Liberal
Emmanuella Lambropoulos Liberal Saint-Laurent, QC
Thank you.
With regard to medicine, vaccines or antibody testing that people are going to want to see happen in the coming months, people obviously will be taking advantage of this.
We've seen examples of it in Montreal already, where companies have put out ads for these types of tests, and we know that they weren't approved by Health Canada. What is done in circumstances like these in order to help protect Canadians once it's found out that people—a lab, let's say— are taking part in this type of criminal activity?
My question is for Mr. Fortin.
4:10 p.m.
Executive Director, Enforcement, Autorité des marchés financiers
Could you repeat the question, please?
4:10 p.m.
Liberal
Emmanuella Lambropoulos Liberal Saint-Laurent, QC
How are Canadians being protected from companies, such as laboratories that create fake drugs and that aren't necessarily approved by Health Canada, once we know that the laboratories are engaged in this type of activity?
4:15 p.m.
Executive Director, Enforcement, Autorité des marchés financiers
Your question has two components. One component is outside our jurisdiction.
If we were dealing with pure fraud involving other criminal activities, we would then need to work with our police officer colleagues, such as the Royal Canadian Mounted Police or another agency.
If we see this type of promotion and the people involved intend to take money from investors, for example, in a situation where someone has invented or found a vaccine or a drug, we can take action in order to stop the activities and prevent them from continuing. We can even obtain cease and desist orders to ensure that investors don't lose money. We have ways of taking action very quickly and preventing the fraud from continuing any longer.
4:15 p.m.
Liberal
The Chair Liberal Sherry Romanado
Thank you.
Our next round of questions goes to MP Van Popta.
You have five minutes.
4:15 p.m.
Conservative
Tako Van Popta Conservative Langley—Aldergrove, BC
Thank you very much.
My first question will be for Mr. Marchand.
Thank you for your testimony. Thank you for educating us on some of these important statistics.
You told us about increased identity theft associated with so many Canadians who are teleworking, as we are today. I think you mentioned a 600% increase in phishing. Again, thank you for that information. What do we, as legislators, do with that? Do you have any specific advice for what we as legislators can do to help you help Canadians better protect themselves?
4:15 p.m.
Certified Fraud Examiner and Certified Administrator, Biometrics and Security, Nuance Communications
Thank you for the question.
Perhaps we could look at two tools in the short term. The goal is to provide tools to companies that face these risks. Now that the fraudsters have access to the information, how can we equip banks and telecommunications companies with tools to prevent the fraudsters from successfully attacking them?
The STIR/SHAKEN standards are included in these tools. Of course, in my view, because the Americans will implement these standards quickly, we can expect fraudsters to come north of the border and to take advantage of a gap in Canada's legislation and regulations.
In my opinion, the STIR/SHAKEN standards are an essential tool because fraudsters use scooping to carry out certain types of identity fraud. This isn't just a matter of robocalls, but also a matter of identity theft.
As for the other tool, I think that the rules for identifying customers should be strengthened. Right now, a social insurance number, a driver's licence or a health insurance card is enough to open a bank account or a telephone account. These pieces of identification are outdated. We must start looking at the issue of digital identity and biometric identity.
Several countries have already transitioned to these higher levels of identification. To protect Canadians, we must consider whether some form of more advanced biometric identification should be required to open accounts.
4:15 p.m.
Conservative
Tako Van Popta Conservative Langley—Aldergrove, BC
Thank you very much for that.
You mentioned STIR/SHAKEN. I know the CRTC has described STIR/SHAKEN as “the only viable authentication/verification solution that can provide consumers with a measure of additional trust in caller ID.”
Do you agree with that? Is that an accurate assessment?
4:15 p.m.
Certified Fraud Examiner and Certified Administrator, Biometrics and Security, Nuance Communications
I don't know if it's the only one, but it's a useful one, for sure.
I don't think we can afford not to have this additional layer of security and validation. We do not want to let fraudsters have that tool in their tool box when we can—not without difficulty—technically deploy that for ourselves to try to fight fraud. It's not the only one, but it's a tool that we should consider.
4:15 p.m.
Conservative
Tako Van Popta Conservative Langley—Aldergrove, BC
Good. Thank you for that.
I believe the CRTC said this will be mandated for carriers later this year, September 2020, I think. Is that realistic?
4:15 p.m.
Certified Fraud Examiner and Certified Administrator, Biometrics and Security, Nuance Communications
Unfortunately, the issue with the STIR/SHAKEN standards is that the carriers don't believe that this deadline will be met. If I'm not mistaken, representatives of Rogers, Bell and Telus appeared before a House committee to request an extension of the deadline. I think that it's necessary to be firm and to require implementation as quickly as possible.
Canada's telecommunications networks are outdated. They won't make it possible to fully implement the STIR/SHAKEN standards. However, I don't think that this constitutes a reason to not begin implementation in the fall. It's just necessary to make sure that the pressure from the telecommunications lobby doesn't push the government to extend the deadline to 2021, which I think would be a mistake.
4:20 p.m.
Conservative
Tako Van Popta Conservative Langley—Aldergrove, BC
Thank you.
Perhaps you could tell us a bit about the limitations associated with STIR/SHAKEN. For example, if spoof calls come from outside of Canada or outside of a STIR/SHAKEN protocol area, apparently the filter doesn't work.
4:20 p.m.
Certified Fraud Examiner and Certified Administrator, Biometrics and Security, Nuance Communications
Yes, absolutely.
That's the biggest limitation. This technology will apply only to calls from Canada and possibly the United States. All participating countries will benefit. However, not everything that comes from outside will be covered. However, when we know that a call doesn't have the STIR/SHAKEN certification, we know that it's a higher risk call and that we must pay attention to it.
4:20 p.m.
Liberal
The Chair Liberal Sherry Romanado
Thank you very much.
Our next round of questions goes to MP Ehsassi.
You have five minutes.
4:20 p.m.
Liberal
Ali Ehsassi Liberal Willowdale, ON
Thank you, Madam Chair.
Thank you to the witnesses for appearing before our committee. I found the testimony very helpful.
My first question is for you, Mr. Jones. During your testimony, you were suggesting that one sector that should be highlighted for attention is the health care sector, given that there are many more cyber-attacks. However, approximately a month ago, the top authorities in the United Kingdom and the U.S. warned that universities are also incredibly vulnerable. Have you seen an uptick on cyber-attacks on universities? Would you agree with their assessment?
4:20 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Thank you for the question.
While I emphasized the health care sector, given the pandemic, we are actually working with and reaching out to every sector of critical infrastructure in the economy, including universities and the broader education sector as well. We rely on the reports of any sort of malicious cyber-activities. We try to proactively communicate anything that we're seeing from our defence of the government.
One of the things is that we don't watch Canadians. We don't watch what's happening on Canadian networks. We defend the government, and we rely on reporting.
We have certainly reached out to universities. We're providing proactive and tailored advice and guidance so they can take some measures to secure themselves, and we are also hoping to build a partnership where they will call us when they see an event or an incident so that we can work together.