Evidence of meeting #65 for National Defence in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Stuart Wright  Chief Information Security Officer, Aegis Technologies, As an Individual
Alan W. Bell  President, Globe Risk International Inc.
Viktor Siromakha  Defense, Naval and Air Attaché, Embassy of Ukraine

4:30 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

I concur with Alan. He can speak better to the geopolitical elements here.

My concern here is in antagonizing the Russians. I know part of the friction points that we're seeing in the Baltics and in Ukraine is the fact that they're doing a transition from the BRELL grid to the European network. We're creating perimeters now between these two regions. There's a high degree of uncertainty about where the attacks are coming from, the attribution.

Let's be clear here. We have a hostile actor clearly in open warfare through either direct or indirect means. The challenge from a cyber perspective is how you go about saying, yes, it was Russia that was attacking and bringing down the grid. It currently happens to have military forces running in parallel. It seems like an awful coincidence if it wasn't.

From my perspective, you need to come up with mechanisms to verifiably attribute that. To do so, you need to have the resources and the will. In the United States we're seeing that they have an emphasis. They're focusing in other areas, this discussion about trade practices and whatnot. Again, if this is going to continue and if NATO wants to take a more measured approach, in addition to the appropriate level of forces, they need to factor in that cyber is part of that hybrid warfare, such as having trained resources to help with deployment and trained resources with the response and recovery for the industrial systems and whatnot.

4:30 p.m.

Liberal

Kate Young Liberal London West, ON

Colonel, did you want to add to that?

4:30 p.m.

Col Viktor Siromakha

Yes. I would like to add that in the beginning of 2014, when Russia illegally annexed Crimea, it was only the first step in the further development of the situation by military means. The essential question for them was to get ground corridor transportation to Crimea throughout the Ukrainian territory. That's why in July-August 2014, they have been doing their very best to get control over our southern city, Mariupol, and there was heavy friction between the pro-Russian forces and the regular forces of Ukraine, the ministry of the interior, and special security services. We've managed to protect Mariupol from their assault. Nevertheless, they've been using even MLRS to destroy some objects in Mariupol.

As far as I remember, some of the worst-case scenarios from British experts were whether Russia would get control over southeastern Ukraine, including Odessa, and a direct corridor to Transnistria, or we could get control over the left bank of Ukraine. You know probably that the territory of Ukraine is divided in two by our main river, the Dnieper. The worst worst-case scenario was, if they could get control over 70% of the Ukraine, then only a few regions on the west would be Ukrainians at least, so Lviv, Ternopil, Rivne, all these regions. As far as I understand, they didn't manage to do it, so now they're using both tanks and hybrids in order to get their goals.

4:35 p.m.

Liberal

Kate Young Liberal London West, ON

Thank you very much.

4:35 p.m.

Liberal

The Chair Liberal Stephen Fuhr

Go ahead, Mr. Yurdiga.

4:35 p.m.

Conservative

David Yurdiga Conservative Fort McMurray—Cold Lake, AB

Thank you, Mr. Chair.

My first question is to Mr. Wright.

We're very concerned with cybersecurity. With our own systems, we all experience some sort of malware. I assume that every system in Ukraine has been compromised at some level. Realistically, how long would it take to bring the systems up to date where we're comfortable that they won't be compromised? It's a hard question to answer because we don't know what has to be done. I'd just like your opinion on that.

4:35 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

That is the 10,000-mile view question. It's a significant question to ask. We're struggling with it within our own critical infrastructure and the fact that you need to have effective asset management. First, what are the assets in the field that you need to update? Second, are they vulnerable? Third, do patches currently exist and how are you going about updating those patches?

With the computers we have in our home and the laptops we have in our offices, you'll get the updated patch. It'll be pushed. There's a mechanism and an ecosystem that helps support that. With SCADA systems, sometimes you actually have to take them offline to harden these systems, so there is no real measure that you can actually bring to that. How do you determine that, if you don't know what assets you have, and identify whether that manufacturer has a patch in place to actually remediate? It would be very difficult at this junction to give you an assessment as to how long it will take them to harden their systems or update them to the vulnerabilities we know.

The concern that we should have is the unknown unknown vulnerabilities. We need to come up with a measure with the knowledge that these systems are likely to go down. What steps are you going to take once they do go down? What is the response and recovery? Then once you bring them back up, harden them at that junction. We need to take a different tack. You take a preventative measure and then a reactionary measure. We're already in reactionary. When you're in conflict and you're in the field of operations, how do you go about addressing that while you're in the middle of a battle conflict?

How can you bring your electricity grid back up and get your engineers out to make the system safe while there are shells falling around and casualties being taken? It's a very difficult assessment to make.

4:35 p.m.

Conservative

David Yurdiga Conservative Fort McMurray—Cold Lake, AB

Is it fair to say that there's a plan being formulated? Obviously, this is a big task. We're looking at years and not months—

4:35 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

I would concur, yes.

4:35 p.m.

Conservative

David Yurdiga Conservative Fort McMurray—Cold Lake, AB

—so we continue to be at risk. All nations are, actually. Ukraine is the test area. Do you foresee Russia expanding its cyber-attacks on its neighbours?

4:35 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

Here's the challenge. Again, it comes back to attribution. We know that in certain interests.... Alan had mentioned Turkey and we had also spoken to Ukraine and eastern Europe. We know that there are very strong indications that Russia is active in those theatres of operation. The concern we have is, what about third-party attacks?

We know that we've seen attacks come out of other countries, like India. I believe that there have been attributions out recently, with Thailand and the Sony attacks as examples. We've also heard about attacks originating in Africa. Are these nation-states going to war and using cyber-mechanisms to attack other nation-states or are they being used as third-party entities? How do you go about doing a forensic analysis? How do you trace back to the actual threat actor? That's the challenge. There's no clear-cut assessment.

If you had asked me whether we got hit by the Russians, we're seeing indications coming out of eastern Europe or out of Estonia. It may be a cyber-gang. It may be a third-party entity. It may be other threat actors from other regions. It may be China. It may be folks in Latin America. We don't have a coherent mechanism to determine those threat origins or to be able to map them back in a respective time. We need to have that ability. We need to get the actionable intelligence.

4:35 p.m.

Conservative

David Yurdiga Conservative Fort McMurray—Cold Lake, AB

I guess the question for everyone is the cost. Are we putting enough money toward this issue? Obviously it's a concern for everyone. Do you think the governments are doing enough to put money toward securing our systems?

4:35 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

I have to tread very carefully here. Which government are you referring to?

4:35 p.m.

Conservative

David Yurdiga Conservative Fort McMurray—Cold Lake, AB

Obviously, with everybody involved in a conflict.... Canada, for instance—

4:35 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

In the federal government...?

4:35 p.m.

Conservative

David Yurdiga Conservative Fort McMurray—Cold Lake, AB

Yes, and also all the players. Obviously we're concerned about Ukraine. Are we giving enough funding for Ukraine to stabilize their systems?

4:40 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

The chair has indicated a 30-second flag. I'll be very quick.

More measures are requiring additional resources. That would include additional dollars. You need to ramp up your resources, which means that you need to start hiring specialists in this area or training up those specialists. More needs to be done. More dollars need to be expended in these efforts.

4:40 p.m.

Liberal

The Chair Liberal Stephen Fuhr

Mr. Fisher.

4:40 p.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Thank you, Mr. Chair.

Thank you, gentlemen, for being here, for your expertise, and for your testimony.

One of the things about being near the end of our study and your being the last panel is that so many of the questions have already been asked, but I'm fascinated by the cyber side, as all of us are.

Mr. Wright, you're talking about this new type of warfare. You mentioned Bad Rabbit malware, KillDisk, BlackEnergy. It sounds like a whole bunch of energy drinks.

4:40 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

The effective product marketing is there. You already have the captive audience. That's actually quite brilliant.

4:40 p.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Are there any instances of this cyberwarfare that are absolutely traceable right back to Russia?

There's an assumption. I agree with the assumption. I think we pretty much know exactly what's happening, but they won't even really admit to having soldiers in what they sell as a civil war area. Has there been an instance where we can legitimately trace it back, put a finger on it, and accuse them, rather than just what we assume?

4:40 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

I'm going to be careful because we're not convening in camera. There are security levels that are required for me to discuss in open context that question.

I will say the following. If you look at the December 27 Department of Homeland Security-FBI JAR report, which provided specific details to Russia's involvement with the electoral process south of the border, which was spoken to earlier, that is direct evidence of the capability, sophistication, and pervasiveness of the Russian cyber-threat.

From a hybrid solution in these other jurisdictions, I can go back and we can revisit this, but we have a pretty clear indication of attribution in Russia in at least two or three of those arenas, one specifically with Sandworm, with the Ukraine outages that we saw in 2014 and 2016.

Again, there is some concern. In Estonia, I believe, they did not want to come and say outright that there was an attribution there. We're not sharing that information, which is unfortunate. It's hard to make that determination.

4:40 p.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

With recent issues such as subways shutting down and airports shutting down, we are just.... There's an assumption there, but....

4:40 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

That happened on Tuesday. We got word of it, I guess.... The notifications went out Tuesday night when I was flying in.

Again, they need to have boots on the ground to look at the forensics, but early indicators are suggesting a very strong leaning that when you're doing this full theatre conflict and then you're shutting down the ability to transport troops, taking down power grids, disrupting airlines.... It's a very unusual coincidence, I would say.

4:40 p.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Thank you.

Colonel, thank you for being here.

You mentioned in your opening remarks that you feel Putin sees this as his legacy. To rebuild the former Soviet Union is.... I don't know if you said “pièce de résistance” but it's his legacy, what he wants seen as what he left behind. So many people are suggesting that the aggression of Russia is because of Ukrainian interest in NATO, or conversely NATO's interest in Ukraine. It sees that Russia wants that buffer between it and the European region.

Can you comment a little on whether it could be both? Perhaps it's both. I don't want to put words in your mouth. I've always felt that it's his legacy, but through much testimony it's been said otherwise. Perhaps you want to comment on whether it's both or....