Evidence of meeting #13 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Cherie Henderson  Assistant Director, Requirements, Canadian Security Intelligence Service
Sami Khoury  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Benoît Dupont  Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual
John Hewie  National Security Officer, Microsoft Canada Inc.

5:15 p.m.

Liberal

Mike Kelloway Liberal Cape Breton—Canso, NS

Go ahead, Mr. Dupont.

5:15 p.m.

Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual

Dr. Benoît Dupont

Another great example is the CCTX—the Canadian Cyber Threat Exchange—which brings together 150 Canadian companies. It provides them with threat intelligence from the Canadian Centre for Cyber Security, but the private sector also blends all of these [Technical difficulty—Editor] intelligence and shares that with Canadian companies, big and small.

One of the major issues is that we've talked a lot about critical infrastructure, but Canada is a country of small and medium-sized business and those businesses are being hit by ransomware and they cannot often afford the same kind of cybersecurity technology. We also need to be thinking about how can [Technical difficulty—Editor] we need to be thinking about more.

5:15 p.m.

Liberal

Mike Kelloway Liberal Cape Breton—Canso, NS

We lost the last few moments.

5:15 p.m.

Liberal

The Chair Liberal John McKay

Could you repeat the last few sentences, please?

5:15 p.m.

Liberal

Mike Kelloway Liberal Cape Breton—Canso, NS

Yes. Thank you, Mr. Dupont.

5:15 p.m.

Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual

Dr. Benoît Dupont

Do you want me to repeat the last few sentences?

5:15 p.m.

Liberal

The Chair Liberal John McKay

Yes. We had a Russian hack here.

5:15 p.m.

Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual

Dr. Benoît Dupont

It might have been Chinese.

I was just saying that the Canadian government needs to keep thinking a lot more about how to help SMBs—small and medium-sized businesses—because they employ 95% of the Canadian workforce and provide a lot of services and some of the critical functions to bigger companies. They are also involved in supply-chain attacks, and they have very limited resources to deal with cybersecurity issues.

5:15 p.m.

Liberal

Mike Kelloway Liberal Cape Breton—Canso, NS

How much time do I have, Mr. Chair?

5:15 p.m.

Liberal

The Chair Liberal John McKay

You have 30 seconds.

5:15 p.m.

Liberal

Mike Kelloway Liberal Cape Breton—Canso, NS

Very quickly, the second part of my question is for both of you.

If you had an opportunity to speak to that collaborative team—the best and the brightest, as it were—and you had one or two recommendations, what would they be? Let's go with one for the sake of time.

5:15 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

Number one is that cybersecurity basics matter more than ever now. When I say the “basics”, I mean keeping systems up to date, using modern technology and enabling things like multifactor authentication.

In our view of all of the attacks and customer compromises that we see, doing the basics and enabling MFA would prevent the vast majority of those. Unfortunately, as much as we work with things like Get Cyber Safe to build that education, there's still a lot of improvement we can make around the basics.

5:15 p.m.

Liberal

The Chair Liberal John McKay

Professor Dupont, you're going to have to work that answer into Madame Normandin's two and a half minutes.

Madame Normandin, you have two and a half minutes.

5:15 p.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you, Mr. Chair.

My question is for both witnesses. With the crisis in Ukraine, we are hearing a lot about the role of hacktivists, so hackers who have answered President Zelenskyy's call for help by hacking into Russian networks.

Mr. Hewie, how welcome are these hackers?

Professor Dupont, do they pose a long-term risk, especially if they are given free rein and encouragement?

Is there a risk of them going rogue because they couldn't be controlled, especially if they were encouraged to do what they were doing?

I'd like to hear how both witnesses see the role of these hacktivists and whether we should be worried at all.

5:15 p.m.

Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual

Dr. Benoît Dupont

I'll go first. Their role makes the work of government agencies even more complex. It becomes very hard to know who is doing what in this new environment where anyone can call themselves a hacker to answer the call for help, with very good intentions, I don't deny that.

The risk is that some of the hackers may not necessarily know all the ins and outs of the systems they are attacking. As a result, they may launch attacks against critical infrastructure in Russia to the detriment of Russian civilians, who don't necessarily have anything to do with the attack on Ukraine. Those cyber-attacks have the potential to spill over into other countries, beyond Russia's borders, and be hard to control.

I think the situation needs to be approached with a great deal of care. It's important to not get excited and to think about all the uncontrolled and unforeseen implications of cyber-attacks mounted by isolated groups.

5:20 p.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you.

Would you like to answer as well, Mr. Hewie?

5:20 p.m.

Liberal

The Chair Liberal John McKay

You have about 30 seconds.

5:20 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I would reinforce Microsoft's position that we certainly do not support cyber-offensive activities, primarily for a number of reasons.

We have seen that cyber-weapons are typically very difficult to target, and the potential for collateral damage to spill beyond the intended targets, much like the NotPetya attack in Ukraine a few years ago, which ended up impacting organizations around the world and costing hundreds of millions of dollars to recover from. That is an example of where there's a potential for that collateral damage that could be extreme.

5:20 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Ms. Mathyssen, in spite of my better judgment, you have two and a half minutes.

5:20 p.m.

NDP

Lindsay Mathyssen NDP London—Fanshawe, ON

Thank you, Mr. Chair.

One major issue we've seen with that cybersecurity threat is the issue of espionage and the stealing of Canadian intellectual property. What recommendations do you have for the committee to tackle this form of digital theft?

I would add that a lot of our data is differently managed from province to province. What challenge does that provide for the protections that are provided through cybersecurity and corporations like Microsoft?

That's for both witnesses.

5:20 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I could maybe start with that one and Mr. Dupont could follow.

Certainly in our digital defence report we outlined some of the activity we have seen and detected, which includes espionage by some of the nation-state adversaries that I mentioned previously. These actors, quite frankly, whether they are cybercriminals or nation-state actors, are looking for gaps in our protection, gaps in our processes, and are looking to exploit those.

The general guidance that Microsoft would have, whether protecting against espionage or other types of ransomware attacks, quite frankly, would be similar. We would certainly encourage organizations with sensitive IP, or what we might call the “high-value assets”, to invest additional protections in those high-value assets, versus trying to just protect everything in the organization equally.

5:20 p.m.

Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual

Dr. Benoît Dupont

The Canadian government has launched a new research security program to try to help, or to force or compel, universities to better protect their intellectual property and raise their awareness. I think that's an excellent initiative to try to counter the leakage of Canadian IP.

The government needs to think about helping universities to fund these new efforts they are required to undertake. That would maybe be a piece of advice.

5:20 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Ms. Mathyssen.

We have Mr. Motz for five minutes, please.

5:20 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you very much, Chair.

Thank you to our witnesses for being here.

For the sake of our chair, and to take you back to the very beginning, we all think we know what the definitions mean, but can both of you very quickly define what “cybersecurity” means and what the differences are between “vulnerability”, “threat” and “risk”?

5:20 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

Maybe I can take a crack at that.