Thank you very much. It's an honour and a privilege to be in front of the committee in person this morning.
I'd like to predicate my brief comments with a few remarks on the position I take on these issues—in other words, where I'm coming from—and the importance of addressing this as a core issue both for Canada's relationship with NATO and Canada's national security.
My remarks this morning will be informed by essentially four activities that I've been involved in over the last 10 years.
First of all, for the last 10 years I've been one of the co-convenors of a Track 1.5 process with the Russian Internet Security Council that has dealt with the issue of cyber-norms and cybersecurity. Initially started as a NATO process 10 years ago, it has continued since then as an engagement activity, year on year, that has created a focal point for at least being able to understand the normative aspects of the use of cyberspace in security.
Second, I'm also a co-convenor, along with American and U.K. colleagues, of a Track 1.5 dialogue around the military use of cyberspace between the U.S., the Russian Federation, and the People's Republic of China.
Third, I'm citizen adviser to the United Nations counterterrorism executive directorate on combatting violent extremism and terrorist use of cyberspace, which brings together industry partners and nation-states around these issues.
Finally, I'm an expert to the World Bank digital economy working group, which is attempting to quantify the economic impact of information and communication technologies worldwide.
Why all this is important is simply the following. As Mr. Shea pointed out, NATO has declared cyber to be an operational domain for NATO countries, and yet this is the domain in which we have the least experience in understanding the levers of escalation and de-escalation. It is also a domain that has come into being at a time of the greatest tensions and degradation of channels of communication between NATO countries and its potential peer partners.
In my remarks, I want to cover two separate areas. The first area is simply understanding the impact of the cyber-environment on national security writ large. Absent understanding of this impact, it's difficult to be able to separate where we have issues that are purely domestic from those that can be influenced or otherwise made more serious by external partners. I also want to talk about the dangerous entanglement between cyber and security at a technical level and a social one—in other words, its social and political impact. I then want to briefly turn to the impact that this now has on NATO's position vis-à-vis cyber in terms of an alliance from our own preparedness point of view and also our relations with potential peer competitors in this field.
The first thing to recognize is that the foundation upon which we have built the global economy and the Canadian economy is largely made of sand. Currently, by projections of the World Bank, 26% of the global GDP will be dependent upon the digital economy by 2025. Of the $107 trillion GDP globally, $1 trillion is being spent on cybersecurity. Why is this the case? From statistics released by the Council of Economic Advisers at the White House in the last week, an amount between $57 billion and $106 billion is attributed to cybercrime losses each year in the U.S. This is occurring because the infrastructure of the Internet at a basic level was built for resilience rather than for security. At its most basic, there is less security built into either the technology or the regulatory environment than there would be if I were building a car. To build a car, I have to put in a seat belt. If I'm building the equivalent in cyberspace, I'm effectively putting in an ejection seat.
Let me give you three statistics that indicate just what kind of magnitude we are facing in terms of ill-preparedness in dealing with fundamental issues of security on the Internet to begin with. These are three 90% statistics that you can keep in mind. The statistics are a bit dated, at about 12 months old, but still useful.
First, 90% of malware, code that is meant to do malicious harm on the Internet, uses a single channel to communicate, known as the DNS, and yet more than two-thirds of the Fortune 100 have no perspective on this channel in their security posture. Ask yourself, if 90% of the threat can be seen through one channel, why is it that only one-third of the most valuable companies in North America have perspective on that channel?
Second, 90% of all industries are planning to implement the Internet of things as part of their infrastructure, and yet more than 80% of them have absolutely no confidence that the security measures they have in place will give them a perspective on the security coming out of the Internet of things. The reason for this is that our ability to understand what is considered to be bad traffic, malfeasant traffic, on the Internet of things has simply not been developed. It does not yet exist. This is an industry gap problem where the technology is moving faster than the regulation that exists.
The third 90%, which is the most important one, is that 90% of all cybersecurity breaches use the human vector. In other words, they are not dependent on a fault in the technology, but they use human behaviour and human weakness as a way to get in. If you ask any engineer, you cannot engineer a security solution against a human problem. This is a regulatory problem where we have not developed the rules commensurate with the importance of the infrastructure that we currently have and on which our economy depends.
Also, there has been a dangerous entanglement between cyber-capabilities and their social impacts. Quite frankly, in the last five or six years, two-thirds of humanity has gone online to the Internet, globally. Of those, almost all of them are also users of social media. In fact, for many countries, such as Burma/Myanmar, Bangladesh, and others, the first contact that individuals have had with the Internet has been through Facebook. Moreover, more than 50% of this online population is under the age of 25. These are first-time voters.
Last year, we were asked to do a study for the UN in Bangladesh looking at terrorist use of the Internet, and what we found was quite predictable. There are terrorist communities that use the Internet, that speak violent, terrible things, that spread propaganda, but ultimately these groups are quite small.
What we did find, however, on a much larger scale, is that mainstream political parties are now using the Internet and social media as a focus group. They're effectively putting out messages and seeing whether these accrete some form of popular support. What that has meant is that there has been a gradual mainstreaming of extremism across the political spectrum. If that sounds familiar, it should, because the very same kinds of patterns have impacted Canadian politics and also the politics of countries such as our neighbours south of the border.
Why this is important is that, if we focus on the impact of the Internet simply from the point of view of the meddling of international states, we miss a very, very important aspect of how the Internet is changing politics within our own countries, absent any kind of foreign interference.
I'll just leave you with a couple of facts.
From testimony given to the U.S. Senate intelligence committee, we know that the combined campaigns of Hillary Clinton and Donald Trump spent $81 million on Facebook advertising during their campaigns. That is money that was spent on Facebook ads, absent political action committees. The same testimony indicated that the Russian Internet research bureau, out of St. Petersburg, spent approximately $46,000 on Facebook ads. Even if we inflate that figure up to $1.5 million, say, we're talking about a very, very different percentage of money. Unless we're prepared to attribute the fact that the Russians are much cleverer about political messaging than U.S.-based political operatives are, who are trying to get their constituents elected, we have to be very careful in the way we look at foreign interference or meddling being a decisive factor in international relations. That's not to say this didn't happen.
How does all of this relate to NATO's position vis-à-vis cyber? First of all, it's important to recognize that the vulnerabilities I have just described are vulnerabilities that we all share, and have very little to do with an external threat but a lot more to do with a threat that was ascribed in a Pogo cartoon in 1936, which simply stated, “We have met the enemy, and he is us.” Unless and until we're able to shore up our own domestic regulatory environment, being able to deal with the potential impact of a volatile external actor becomes more and more difficult.
Moreover, the problems of defending cyberspace, which I described in the three 90 per cents, essentially hit every single NATO country. The additional challenge we have is that NATO's interoperability and the development of appropriate doctrines on the military side to address how we deal with these vulnerabilities are simply underdeveloped, and yet they're occurring at a moment when we have a period of grand confrontation with a particular peer actor.
It's important to recognize that Russia is only one of what IISS has identified as 140 countries currently developing cyber capabilities. This means that the spectrum of threat is much, much larger than a single country in itself. Moreover, it's also important to recognize that, since 1997, the Russian Federation has been one of the few states that have used the UN mechanism to try to define a pathway for addressing stability in cyberspace through a treaty-based approach that addresses issues both above LOAC—law of armed conflict—and below LOAC.
Why is this important to deal with right now? Although I don't have recommendations for the committee on what we should do, there are certainly clear things that we should not be doing. These include, for one, not degrading the operation of confidence-building measures that give us an opportunity to discuss the impact of cyber on interstate relations between NATO and among NATO countries writ large, and, two, not cutting off channels for engagement to be able to discuss these issues and find common ground.
This is important for a number of reasons, but perhaps one of them is most important for us to consider. The Russian Federation, which is the object of most of our concerns in the cyber domain, has very clearly linked the escalatory ladder between cyber and nuclear. For them, this is an area where they see the threat to national security spanning two critical domains.
We spent many years prior to and after 1989 creating confidence-building measures in the nuclear security chain. Nunn-Lugar is one manifestation of legislation in the U.S. They put in place multiple points of discussion, multiple breakwaters, if you like, for us to be able to deal with this issue. Those are now being rolled back, and they're not being replaced by anything.
Moreover, we have not had an active channel to discuss cyber issues with the Russians for a number of years, either bilaterally, or, more importantly, within a multilateral session. If there is one thing we should not be doing, it is engaging in an escalatory ladder without thinking through our end game. What is it that we are trying to achieve? What constitutes deterrence in cyberspace, and is there such a thing if we've been unable to define, from a strategic point of view, what cyber means for us?
The most important thing is that, absent a policy, we should not be entering into a game of chicken with a nuclear power without a strategy and a map for what we want, as a country and as an alliance.
Thank you.