Evidence of meeting #38 for National Defence in the 41st Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was vessels.
A recording is available from Parliament.
Conservative
Joe Daniel Conservative Don Valley East, ON
Should we as a government be establishing standards for these sorts of issues to actually make cyberspace more safe?
Principal, SecDev Group
I think that is certainly one issue that needs to be considered, among others. I would say that the issue of dealing with basic insecurity and vulnerability of networks at its highest concentration point, which is the operation of networks themselves, is probably more important than the consumer level at this point, in terms of the effect that it would generate.
Conservative
Joe Daniel Conservative Don Valley East, ON
The intermingling of the defence industry with the Internet system, which seems to be very useful in many ways, has kind of happened without any supervision. What are your comments on that?
Principal, SecDev Group
I'm not sure if I understand the question. Perhaps you can rephrase it in a different way.
Conservative
Joe Daniel Conservative Don Valley East, ON
The defence industry has adopted the Internet as a way of communicating, but that seems to have happened without anyone really considering the security aspect in a big way.
I guess my follow-on question to that is this. Should we, as a government, be establishing a security department that will actually monitor and police what's taking place on the Internet?
Principal, SecDev Group
Perhaps I'd answer differently.
Certainly, if we take a look at the model that's been adopted for security in the U.S., which is emerging right now, we see there's certainly a sectoral approach in terms of the degree to which security has to be ensured for the survival or the needs of the sector itself. The financial sector, for example, has its own mechanisms for information-sharing and ensuring security among the institutions that are most vulnerable and actually play a critical role in the U.S. economy.
Similarly, initiatives have been made within the defence industrial base in the U.S., where the NSA does share classified signatures that give the defence industry a better chance of dealing with vulnerabilities in the cyber domain than other sectors.
From that point of view, yes, I do think there needs to be a more sectoral approach to cybersecurity, recognizing that there's a differentiated priority in terms of how we want to implement that.
Conservative
Joe Daniel Conservative Don Valley East, ON
I have one last question along the same sort of line.
Shouldn't we be developing a parallel Internet system that is secure and that doesn't use the protocols that exist that are not secure, so that we can have a very secure network for critical infrastructure and the defence industry?
Principal, SecDev Group
I would argue that any network that's designed for interoperability will always have a vulnerability. Whether it's designed to be isolated or not isolated, ultimately it's going to have the same basis of vulnerability. I think Stuxnet proved that rather effectively in Iran, where a completely isolated system still managed to be compromised through a vector.
For me, coming at it from the point of view of security, it's that we need to change our mentality about how we think of security. It shouldn't be the Maginot Line, how to keep threats out. Rather, it's how you actually detect threats that you know and implicitly understand will exist within your network, and shape and manipulate them so as to minimize their effectiveness.
Conservative
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
Thank you for this fascinating presentation and discussion.
Just to follow up on Mr. Daniel's question about cybersecurity strategy, you did say that our other Five Eyes partners have a more coordinated cybersecurity approach. Is that through a national cybersecurity strategy? Is that something you think Canada should work towards having?
Principal, SecDev Group
The answer is yes, and I think that is definitely something that Canada should work at having.
The problem with cybersecurity is that it isn't quite as easy to understand as health care, unemployment, or other things that the average voter will either have a position on or not. Cybersecurity tends to be a lot more abstract, which means that it really does take an act of will to force it up onto a national agenda, ensure that there are the adequate resources put against it, and in effect compel the degree of coordination that would be required. We are talking about creating a new institution.
But then again, when we see the importance of cyberspace to governance, to commerce, and to our national security, I think we are foolhardy not to do so.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
Would you have a national cybersecurity strategy with some sectoral aspects within it, or would you have a military or defence cybersecurity strategy and a commercial or civilian cybersecurity strategy?
Principal, SecDev Group
That's a good question, and I would say this. You need to start small.
I think understanding the role of cyber within the military means you need to have some kind of doctrine around cyberspace operations that is consistent with the existing defence posture. However, because cyber goes across law enforcement, defence, and even domestic issues—for example, countering radicalization or dealing with criminality—it almost requires a wider discussion.
I'm almost a bit surprised that we haven't had a royal commission on cyberspace to look at the ways cyberspace touches all aspects of governance in Canada, because in some ways that's almost a natural place to start before we can start defining specifically how it would pertain to areas like national defence.
However, in the absence of that, I think looking at it sectorally is probably the most prudent way to start.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
You said that none of these technologies you were talking about existed five years ago. Technologies expanded faster than the ability of laws to address them. We know the law that created a legal framework for CSE was written in 2001 and not a period or a comma has been changed since then.
I'd like you to comment on whether updating the laws governing CSEC would be an integral part of proper security strategy.
Principal, SecDev Group
Again, I think the answer is yes. It boils down to the fact that CSEC is—rightly so—the institution in which we have concentrated the capabilities and understanding of the cyber domain in government. However, CSEC is both constrained in some ways and maybe not the most appropriate institution to be looking at how those capabilities need to be migrated out across the whole of government.
So I would say, yes, with the focus being not just on CSEC but rather on what CSEC represents as a national asset for government to be able to deal with the challenges of cybersecurity across the board.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
I have questions on two other areas. I'll be as quick as I can.
The Homeland Security agency's deputy director has declared that embedding privacy and civil liberties into the programs and activities of Homeland Security is essential to strengthening it and making it more effective. In other words, respect for privacy and effective security is not a zero-sum game. You actually have the better of both if you properly embed privacy into the organization. Would you agree with that approach?
November 20th, 2014 / 4:10 p.m.
Principal, SecDev Group
I would very strongly agree with that approach as, I think, the comments during my testimony would emphasize. We risk silently rewriting the social contract between individuals and states if we don't take into account the role of privacy and the right of the individual as we rebalance institutional values.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
In other words, some proper addressing or updating of CSEC laws to improve the embedding of privacy would actually strengthen CSEC.
Principal, SecDev Group
That's correct, but here I might also make a small distinction that is quite important. There is surveillance for law-enforcement purposes, but there's also public health surveillance. Both rely, essentially, on the same kinds of methodologies, which means gathering data in order to be able to understand patterns of either behaviour or incidents, to allow intervention to happen.
We've grown to understand the role of public health surveillance and its importance to basic public health. We've understood the role of public health surveillance, in a law enforcement sense, as enabling us to understand individuals at risk of criminality far before they start entering into the criminal justice system. I think looking at those lessons to see how they apply to the policing of cyberspace is probably a far better lens than is simply viewing the world of law enforcement or state surveillance with post-Snowden revelation eyes. I think there's a danger of the pendulum going the other way.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
Okay. Thank you for that.
Our other Five Eyes partners have this kind of coordination across agencies and we don't. Along with that, you just commented that these things are in silos. There has been a comment—and I agree, actually—that not having a parliamentary committee looking at all of the departments and agencies that deal with security and intelligence is partly why we have these silos.
In the countries that do have that—i.e., all of our Five Eyes partners—that committee of parliamentarians empowered to do that through security clearance can actually identify where there are gaps, duplications, and a lack of interoperability. It's like having the RCMP on the same channel as House of Commons security. That's part of why they have a coordinated place in the other countries and we don't, so there's a lot—
Conservative
The Chair Conservative Peter Kent
Ms. Murray, I'm afraid you've talked out your time.
We're going to the second round now with five-minute slots beginning with Mr. Williamson.
Conservative
John Williamson Conservative New Brunswick Southwest, NB
Thank you, Chair.
Thank you for being with us today. It's very interesting.
I'm going to follow up or question some of the points you made to get a little more background on them.
You mentioned that some of the threats could create and generate “sustained effects” on the country or society. Could you explain what that might entail or what you had in mind?
Principal, SecDev Group
It could mean anything as simple as the mass disruption of telecommunications networks; the manipulation of data in critical systems, for example, at Treasury Board or Bank of Canada; or the remote manipulation of SCADA or process control systems around either electricity delivery networks or things such as nuclear power plants. It's both near physical effects, in other words, where you're touching infrastructure, or it's the manipulation of information such as to make that information unreliable or to foster a failure of the systems through not being able to rely on the input being given.
Conservative
John Williamson Conservative New Brunswick Southwest, NB
Thank you.
What did you mean by, we've not put in place the regulatory demand? Again, I understand where you're coming from, but can you be more precise about what that might entail coming from government or Parliament? I have a sense of what you mean.
Principal, SecDev Group
I will give you an example. It'll be an artfully constructed one but I think one that will make the point.
All the banks in Canada use the same Internet providers for most of their network services. Whereas banks can see anything that happens within their infrastructure, they can't see what happens across infrastructure. That's visible at the level of the operator. Currently, if that operator were to turn to the banks and say he sees a vulnerability that is addressing all of them, chances are the banks would come back to the operator and ask why he didn't tell them 30 seconds ago when he knew about it, and therefore, they're going to hold him liable for their losses.
There is a perverse disincentive for the infrastructure operators to provide that information. I would argue that rewriting the current instruments of the Telecommunications Act to compel operators to share that information would, first of all, not expose them to liability and would, second, increase the usable information on the cybersecurity side that would be available to the downstream clients.