Evidence of meeting #16 for Industry, Science and Technology in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Jean-François Fortin  Executive Director, Enforcement, Autorité des marchés financiers
Byron Holland  President and Chief Executive Officer, Canadian Internet Registration Authority
Scott Jones  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Simon Marchand  Certified Fraud Examiner and Certified Administrator, Biometrics and Security, Nuance Communications
Commissioner Eric Slinn  Assistant Commissioner, Federal Policing Criminal Operations, Royal Canadian Mounted Police
Albert Chang  Corporate Counsel, Canadian Internet Registration Authority
Guy Paul Larocque  Acting Inspector, Canadian Anti-Fraud Centre, Royal Canadian Mounted Police

4:20 p.m.

Ali Ehsassi Liberal Willowdale, ON

Absolutely, but the reason I'm highlighting universities is that approximately three weeks ago there was a pretty elaborate cyber-attack on York University. Is that a trend? Are we going to see more of that?

4:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Whether it's a trend or not—we don't have enough information to determine that—we certainly do see that universities, due to their open nature and the rapid influx and departure of students, do have unique vulnerabilities. They are also emphasizing the open, collaborative nature of their network, which makes it harder to protect.

In trying to work with them to better defend, one of the things we have pointed them to is some of the work that CIRA is doing. It immediately offers a quick benefit for defence if you use the CIRA Canadian Shield, but there are the broader enterprise-grade services as well. While every Canadian can benefit, it's also something for universities. I think my colleague mentioned that at the beginning as well.

4:20 p.m.

Ali Ehsassi Liberal Willowdale, ON

On the term you used when an organization actually contacts you, you said you “intervene”. I presume that's a term of art, but what does that entail? What does intervention entail? Do you help them beef up their system? Do you trace where those attacks came from? What actions does your organization undertake?

4:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

“Intervene” was probably a bit of a loose term. What we do depends upon what the organization is comfortable with and the type of cyber-incident. If it's traditional ransomware, we'll provide advice and guidance. We'll try to help them recover, best practices, etc. If it's a more advanced actor who is clearly hurting them, we might provide more tailored assistance, if it's a system of importance, for example. We'd certainly try to work with a commercial provider or a commercial partner who would be helping them rebuild their defences.

Then, finally, if it were something that required the intervention of the state, we would look to leverage some of the new authorities that were granted to CSE in terms of it going out and actually defending the organization, but that is something that we really do reserve for when it's unreasonable to expect the commercial sector to defend. In reality, what we really want is a vibrant commercial sector that is able to work and defend Canadian industry, so we really emphasize partnerships and the ability to work together.

4:25 p.m.

Ali Ehsassi Liberal Willowdale, ON

Thank you.

Given all the advisory work you do and the counsel you provide to various organizations on a general basis, would it be fair to say that the guidance you are providing essentially establishes the standard of care from a legal standpoint as to whether organizations are actually adhering to best practices and insulating themselves from losses?

4:25 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Well, I'm an engineer and not a lawyer, so I'm not sure that I'm qualified to demonstrate the standard of care.

One of the things we have worked on with our colleagues in Innovation, Science and Economic Development is the CyberSecure Canada program to provide baseline cybersecurity controls to help small and medium-sized organizations do things that are actually within reach. I think one of the failings of the commercial cybersecurity industry is that we talk about things that a multi-million-dollar or a billion-dollar company can afford. We need things that Canadian small businesses can afford, and that's what this is really trying to achieve.

4:25 p.m.

The Chair Liberal Sherry Romanado

Thank you.

4:25 p.m.

Ali Ehsassi Liberal Willowdale, ON

I think I have about 20 seconds remaining.

The witness from—

4:25 p.m.

The Chair Liberal Sherry Romanado

Actually, no. Unfortunately, you have no more time remaining. You went over.

I'll now give the floor to Ms. Gaudreau.

Ms. Gaudreau, you have the floor for two and a half minutes.

May 20th, 2020 / 4:25 p.m.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

Good afternoon. Thank you, Madam Chair.

I've heard many things that help me understand why people are concerned. The Privacy Commissioner has been telling us for some time now that we're seeing a crisis of confidence. There has been a great deal of talk about education as a form of prevention. He says that 90% of Canadians have lost confidence with regard to the misuse of their data. Moreover, 38% of Canadians believe that companies more or less respect their privacy rights.

That said, some potential measures were brought up earlier. Mr. Marchand pointed out that other countries had laws to crack down on companies. For example, a company that doesn't use the necessary tools to protect personal information is liable to a penalty equivalent to 4% of its sales.

Mr. Marchand, what do you think?

4:25 p.m.

Certified Fraud Examiner and Certified Administrator, Biometrics and Security, Nuance Communications

Simon Marchand

Thank you for the question.

Ultimately, I think that education is a good thing. People need to learn about the risks that they face when they're online and when they answer calls. In my opinion, the legislation is inadequate. However, the legislation does partly touch on the protection of data entrusted to a company with which people do business. However, an entire segment of the legislation is completely missing. In this case, the segment concerns the verification of what happens to the identity of the individual once they've made the mistake of providing their personal information or once this information has been stolen from them without their knowledge.

When this identity is used to obtain a credit card, open a bank account, engage in money laundering or anything of that nature, we shouldn't only look at the crime. We should also look at the fact that the crime facilitates global criminal activity on a larger scale, including human trafficking, drug trafficking or terrorist activities. I think that companies must be held accountable for this other aspect. Much stronger legislation must be implemented to protect people once their identity has fallen into the wrong hands.

4:25 p.m.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

Okay.

4:25 p.m.

The Chair Liberal Sherry Romanado

I'm sorry, your time is up.

Mr. Masse now has the floor.

You have two and a half minutes.

4:25 p.m.

Brian Masse NDP Windsor West, ON

Thank you, Madam Chair.

My question is for Mr. Slinn from the RCMP.

We have had cases in the past in which someone has paid out a ransom for a cyber-attack and loss of privacy. A good example is the University of Calgary. Under Canadian law, is there any obligation for a company or an institution to even acknowledge that they've paid out a ransom for a cyber-attack, or is that something that doesn't have to be disclosed?

4:30 p.m.

A/Commr Eric Slinn

That's a good question. I'm not 100% sure on that. I do know that a lot of private companies are reticent to report a cyber-attack on their business, for obvious reasons. It may affect people's confidence in that business and the data that they hold. I don't know, to be candid, if there is a legal obligation for them to report that they paid a ransom. My initial thought is no, but I'm happy to see if I can find that answer for you.

4:30 p.m.

Brian Masse NDP Windsor West, ON

Maybe you can work with our researchers on it as well. They do some really good work for us.

I'd be interested to know that. That eventually did go public. It goes to what Mr. Marchand was saying with regard to not even having to report certain breaches.

Then you have cybercrime. With regard to ransom, do you know if there has been an increase? Is there a database created? I've found over the years that I only hear about these cases. I wonder if the RCMP has a log of those who have complied or voluntarily said they paid a ransom, and whether any of that—Mr. Jones might have a comment on this too—comes from state governments that are involved in some type of cyber-attack and attempts at ransom.

4:30 p.m.

A/Commr Eric Slinn

We keep information on everything that's reported, but it's more like fraud against individuals. We know there's massive under-reporting, and the same is likely happening at the company level as well.

4:30 p.m.

Brian Masse NDP Windsor West, ON

Mr. Jones, do you have any comment with regard to other states, especially non-democratic governments, that might have been using some attempts to leverage...? Is that ever quantified or made public?

4:30 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Certainly the one thing about ransomware is that it is massively under-reported. We know that. When people do come forward, it tends to be on the cybercrime side of things. That is what we've seen.

We have reported and looked for other types of links, but it's predominantly cybercrime-focused, and it is absolutely under-reported.

4:30 p.m.

Brian Masse NDP Windsor West, ON

Thank you very much, Madam Chair.

4:30 p.m.

The Chair Liberal Sherry Romanado

Thank you.

We now move to the third round. Our first question goes to MP Dreeshen.

You have five minutes.

4:30 p.m.

Earl Dreeshen Conservative Red Deer—Mountain View, AB

Thank you very much, Madam Chair.

Certainly it's interesting testimony that we've had here today.

Of course, on fraud being investigated, we have certain comments, even from the government, about whether or not they even want to investigate fraud at this particular point in time. I think that probably gives the criminal element an opportunity to jump in here as well, which is kind of frustrating.

I want to go back to something. At the end of March, the Communications Security Establishment noted that it had taken down a number of fraudulent websites that had spoofed the Public Health Agency of Canada, the Canada Revenue Agency and, most recently, the Canada Border Services Agency. We recently heard from General Vance, the country's chief of the defence staff, that he's seen indications that Canada's adversaries intend to exploit the mounting anxiety about the global pandemic.

To the RCMP, I'm wondering what form you believe these attacks will take. Which countries are we talking about, and are we taking steps now to deal with this?

4:30 p.m.

A/Commr Eric Slinn

When it comes to the threat actors, they generally are in countries we've dealt with in the past. It doesn't have to be the COVID-19 pandemic. It can be a romance scam; it can be phishing.

There are certain individuals, certain countries, where this continues to plague us, if you will. We do our utmost to work with international partners, whether it be Five Eyes partners or other partners, to help disrupt some of those networks.

4:30 p.m.

Earl Dreeshen Conservative Red Deer—Mountain View, AB

In August 2019, the RCMP told the media it had turned an investigation into CRA fraud calls to Canadians into a national priority, and that 39 so-called call centres in countries like India had been taken down, while 45 people overseas had been arrested. In February of this year, two Canadians connected with this fraud were also arrested.

What RCMP resources are currently being invested into this type of overseas fraud investigation? Are many of these COVID-19 fraud scams coming from overseas?

4:35 p.m.

A/Commr Eric Slinn

On specific resources, I can't give you an exact amount of resources. However, I can tell you that, as the person responsible for federal policing criminal operations, I've issued a directive to all divisional CROPS to pivot—to use a pandemic term here—financial crime resources to COVID-19 frauds, which means greater intel collection and greater enforcement capacity. We recognize our obligation there, and we are trying to up our game. We will continue to work with those international partners.

I think the project you alluded to involving India was Project Octavia, in February. Those scams continue.