National Defence Committee on March 28th, 2022

Yes. While the cyber centre's primary mission is to protect the government and lead the response to cyber incidents, we work side by side with the public and private sectors. We have a number of engagement platforms with the sectors through sectoral tables, be it energy, electricity or health care. Some meet more regularly than others. With the health care round table, which includes the cross-Canada health care community, the hospitals and the clinics, we meet weekly if not every other week.

With the electricity sector, we have started a pilot called Lighthouse for them to appreciate the threats posed to their networks. Likewise, we have another pilot with the Canadian Gas Association where we work collaboratively for them to appreciate the threats to their landscape.

Beyond that, we also care about national-level outcomes. We have worked with the Canadian internet registry to make available, free of charge to Canadians, a protective DNS service so that when you browse online, if you point to the Canadian shield, you can be assured that there is no malicious website where you are going. We have a pretty broad engagement program with the private sector.

It's difficult to compare one sector against another. The threats could be different. Our role at the cyber centre is to make sure we pass on all the information to all the critical sectors—be those finance, energy, transportation or health care—and to make sure they all have the necessary tools to protect themselves in the event of a cyber-attack. It's difficult to simply say which one is better prepared than the others.

There's a program under which we can work with the various entities to assess their cybersecurity maturity, and we're happy to work with all of them. Every sector needs something different, so the programs that we tailor to, for example, municipal engagement, are different from the programs we tailor to the banking sector. We have to cover the entire waterfront of Canadian sectors so we can make sure they're all protected.

We know that ransomware incidents are under-reported, so we encourage everybody to reach out to us, whether an incident is big or small, to share with us the nature of the cyber-incident so we can learn from it and quickly turn around to mitigate the threat across Canada. The more reporting, the better it will be to raise the collective bar across Canada.

I would second that. I fully believe that we really need to have open communication, to discuss and raise the issues and to encourage anybody to report an incident. Many companies are very uncomfortable and think it will reflect very negatively on them, but all of that can be managed in a secure manner so we are not giving out identities but are collecting as much information as possible to protect them and other companies.

Thank you, Mr. Chair and members of the committee, for inviting me to appear before you. I will be making my opening remarks in French, but I would be happy to answer questions in both official languages.

I am a professor at the Université de Montréal and Canada research chair in cybersecurity. I am also the scientific director of the Human-Centric Cybersecurity Partnership, a group of 30 or so cybersecurity researchers, and government and private sector partners, including Microsoft.

Like other witnesses who have appeared before the committee, I want to focus on the technological changes that are currently redefining the parameters of the military conflicts in which Canada is, or will be, involved. With the invasion of Ukraine, cyber-attacks and disinformation are, of course, top of mind. Looking further ahead into the future, I would point out that digital technologies such as artificial intelligence, 5G networks, the Internet of things, quantum computing and the advent of neural interfaces are also challenges that have the potential to radically alter armed conflicts.

With these predictable changes on the horizon, we must think about the strategies that need to be put in place now to prepare. It is essential to consider the medium- and long-term policy implications of these technologies and anticipate their role in future conflicts, for instance, in 2025 or 2030. We must start preparing now, by acquiring new technical capability and by recruiting and training the people who will be called on to leverage that capability. This foresight work is crucial if our armed forces are to adapt proactively to a constantly changing environment.

These technological changes must go hand in hand with fundamental changes in the recruitment and training of cybersecurity experts, whose role will become increasingly important. The general labour shortage in this field—which I believe my colleague Christian Leuprecht talked about—is affecting the private sector, so the armed forces will have to be creative if they are going to attract skilled workers. Some countries have already introduced specific recruitment strategies for their armed forces, while others have opted to build reserve forces with specialized skills to quickly mobilize skilled personnel in times of crisis. To my knowledge, Canada's examination of the issue is still in its infancy.

Beyond human resources, it is crucial that Canada develop digital sovereignty in defence, specifically over key areas such as artificial intelligence and quantum computing where Canada leads the way in research but lags behind in industry. That involves the deliberate development of industrial innovation ecosystems that can contribute to Canada's defence and that of its allies. I want to draw your attention to the AUKUS security pact between the U.S., the U.K. and Australia, a pact that Canada was not invited to join. Announced in September 2021, the arrangement focuses on more than providing nuclear-powered submarines to Australia; it calls for a very high level of integration across the three countries' R and D and commercialization efforts in the strategic areas of cybersecurity, artificial intelligence and quantum computing.

In conclusion, the cyber threat landscape is becoming increasingly complex and adversaries are stepping up their cyber-attacks. These challenges cannot be dealt with effectively using traditional solutions, whose limitations have become painfully clear. The innovative solutions we need cannot simply be carbon copies of those our neighbour and allies have devised and implemented. We must genuinely engage in a process to thoroughly examine our interests, resources and strategies if we are to implement the bold measures needed to make up for lost ground.

Good afternoon, Mr. Chair, Mesdames Vice-Chairs.

Let me begin by thanking you for inviting me to appear today to inform this committee on the cyber-threats affecting Canada, and the Canadian Armed Forces' operational readiness to meet those threats.

My name is John Hewie. I'm national security officer with Microsoft in Canada.

One of our principal and global responsibilities as a company is to help defend governments and countries from cyber-attacks. Seldom has this role been more important than during the past weeks in Ukraine. All of us at Microsoft are following closely the tragic, unlawful and unjustified invasion.

This has become both a kinetic and digital war, with horrifying images as well as less visible cyber-attacks on computer networks, accompanied with Internet-based, state-sponsored disinformation campaigns.

Our single most impactful work in this area in Ukraine has been assisting with the protection of Ukraine's infrastructure against Russian cyber-attacks. These ongoing cyber-attacks have been precisely targeted, and we are especially concerned about those on Ukrainian civilian digital targets, including critical infrastructure, emergency response services and humanitarian aid efforts. We have deployed cybersecurity technical protections to dozens of targeted organizations in concert with the Ukrainian government. We are also assisting organizations in Ukraine to move services to the cloud so they may continue to potentially operate from outside of the country. Our disaster response teams have also been supporting numerous groups that are providing aid to the Ukrainian people.

Our efforts have involved constant and close coordination with the Ukrainian government, the European Union, the U.S. government, NATO and the United Nations. We are committed to supporting Ukraine and helping to protect its government, citizens and our employees.

While the events in Ukraine certainly have the world's attention, other cybercriminals continue targeting and attacking all sectors of critical infrastructure, including public health, information technology, financial services and the energy sectors. Ransomware attacks are increasingly sophisticated and successful at crippling governments and businesses. The profits from these attacks are soaring, which leads to fuelling criminal and state-sponsored financial interests. Global estimates indicate that the cost of data breaches worldwide will reach in excess of $5 trillion by 2024.

During the past year, 58% of all nation-state cyber-attacks observed by Microsoft have been attributed to Russia, followed by North Korea, Iran and China. Russian actors are increasingly targeting government agencies involved in foreign policy, national security and defence for intelligence gathering.

The SolarWinds compromise at the end of 2020 by a Russian actor is an example of the increasing and concerning attacks observed against the supply chain. These and other insights are further detailed in the second annual Microsoft digital defence report, which provides our view into the global cyber-threat environment.

Microsoft recently made an unprecedented global commitment to invest $20 billion in cybersecurity over the next five years. Our overall security strategy has a comprehensive approach across diplomacy, by promoting digital peace and advocating for norms of acceptable behaviour in cyberspace, disruption of cybercriminal infrastructure using innovative civil litigation and law enforcement partnerships and, of course, defensive cyber-attacks that target Microsoft and our customers globally using advanced cloud technology—a zero-trust approach to security that involves information-sharing partnerships and thousands of highly skilled people.

Good examples of partnerships are our 15-year relationships with Canada's Communications Security Establishment and now the Canadian Centre for Cyber Security, where we share information on emerging threats and cyber-defence techniques enabled through the Microsoft government security program.

As we look around us, it's apparent that digital technology plays a vital role in almost every aspect of our lives. Microsoft's mission is to empower every person and every organization on the planet to achieve more. We can only do so by protecting the digital world we all use. What has become very clear to the world is that cybercrime and state-sponsored attacks are critical threats to national security and Canada's economy. No single entity can combat these threats effectively on their own. Working together with industry, academia, civil society and government, in Canada and internationally, is paramount.

As a company at the forefront of cybersecurity, we are here to support, build knowledge and expertise, and play a key role in helping to enhance preparedness for Canada, the whole of government, including the Canadian Armed Forces.

Thank you, members of the committee, for your time and attention. I welcome your questions.

Thank you for that question.

Certainly, technology providers have a critical responsibility to ensure that their software and services are as secure as possible. Microsoft takes this responsibility extremely seriously.

While we have led the world and led technology organizations worldwide with the development of and education around things like the security development life cycle, which Microsoft pioneered over a decade ago, and of course with continued improvements around information-sharing and partnerships with organizations and governments around the world, and working with our competitors, including Amazon, Google and many others across the security community, in doing our absolute best to build reliable and trustworthy software, we're really, quite frankly, up against adversaries that are very determined, very patient and very well funded.

Software today is incredibly complex, and while we aim to minimize vulnerabilities in software, it is a task that we're continuously vigilant on and continue to work towards.

Thank you.

It's a great and in fact very important question. We are also acutely aware of that resource and skilling shortage across the security community. We're taking a number of steps.

Here, specifically in Canada alone in the last year, Microsoft has invested millions of dollars in the security skilling, tools and programs to help bring new individuals and much more diversity into the security space here in Canada. We have partnerships in supporting various academia and academic institutions across the country with skilling programs and I think we're trying to build awareness across the broader community that this is not simply something that's going to be solved by technical nerds who know how to configure networks. There are legal issues, civil rights issues and just a diversity. We need a broad range of thinking brought in to fill this skills gap to, together, help combat this problem.

Microsoft's threat intelligence center tracks a number of actors around the world on a constant basis. We've been doing that for a number of years, and that's really to help inform not just how we build cybersecurity protections into our products and services but to help inform and provide intelligence to our various customers around the globe.

I don't believe I have details at hand on exactly whom we've attributed FoxBlade to, but that was certainly a malware wiper attack that was targeted at the Ukrainian infrastructure.