Evidence of meeting #13 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was threat.
A recording is available from Parliament.
4:50 p.m.
Conservative
4:50 p.m.
National Security Officer, Microsoft Canada Inc.
From what we're seeing, the FoxBlade wiper is a good example of what appears to be a ransomware-type attack on infrastructure, but is actually a destructive attack. While the intention is to encrypt data, there is no ability to restore that data or an intention on the part of the adversary to actually ransom the victim.
4:50 p.m.
Liberal
4:50 p.m.
Liberal
Sven Spengemann Liberal Mississauga—Lakeshore, ON
Mr. Chair, thank you very much.
I thank both of our witnesses for being with us this afternoon.
This is an extremely complex area, as you and our previous witnesses have outlined. It's highly interdisciplinary. We're talking about the establishment of an ecosystem that, in many parts, has not been established yet, or has been insufficiently established. Then we have the Russia-Ukraine invasion, which has brought everything to a point and illustrates the urgency with which we need to look at this issue.
This goes into the private sector, into public civilian infrastructure, and into the military side. We saw, through the response of the European Union, Canada and many of our allies with respect to the application of sanctions, how quickly the private sector and the capital markets are implicated in a security question.
I'd like each of you to take a moment and give us a thumbnail sketch of the state of this ecosystem at the moment, looking at these complexities and interdisciplinarities. What needs to be done urgently, from the perspective of the federal government? What are some of the challenges, operationally, with respect to human resources, changing our mindset, and looking at digital security as an urgently needed and, ideally, rapidly growing area of investment?
If you could zoom back to your initial comments with a bit more depth for 45 seconds each.... I have limited time, and that would be helpful.
4:50 p.m.
Liberal
Sven Spengemann Liberal Mississauga—Lakeshore, ON
Professor Dupont, you can go first, followed by Mr. Hewie.
4:50 p.m.
Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual
The Government of Canada just announced an $80-million investment in the cyber security innovation network through ISED. I think this is a great initiative, because it's going to bring together more than 120 academics and industry partners from the private sector and from the provincial, municipal and federal governments. I think this needs to be supported and probably accelerated, as well.
In terms of training, we need to bring in people from all kinds of disciplines, since you mentioned it's an interdisciplinary approach. When we reviewed all of the disciplines involved, we identified more than 40 disciplines, from public health and political science to psychology and computer science, of course. I think we need to foster a lot more engagement in cross-disciplinary work in Canada and to think about how this could be put to work to protect Canadian assets, vulnerable groups and critical infrastructures.
4:50 p.m.
Liberal
4:50 p.m.
National Security Officer, Microsoft Canada Inc.
I would build on what my colleague just said. Absolutely, no single entity can combat these threats on its own. We heard similar themes from the previous witnesses. We need strong collaboration across government, industry and academia, both domestically and internationally.
I think it's important to recognize that, when we're talking about cyberspace, the private sector—private industry, especially cloud service providers like Microsoft—operates much of that infrastructure. It's what the Canadian Forces would call the “cyber battlespace”. We certainly have a unique view, and it's probably a different view from what government organizations have. By working together, we can really complement each other's abilities to defend and protect customers, organizations, governments and all Canadians in that space.
4:55 p.m.
Liberal
Sven Spengemann Liberal Mississauga—Lakeshore, ON
Thank you both very much.
I have about a minute and a half left.
Briefly, on a more defence-related issue, what are the views of each of you on offensive capacity, with respect to the cyber domain?
4:55 p.m.
National Security Officer, Microsoft Canada Inc.
Maybe I'll go first.
There's a short answer from Microsoft. Microsoft does not condone or involve itself in offensive cyber-activities.
4:55 p.m.
Liberal
Sven Spengemann Liberal Mississauga—Lakeshore, ON
Thank you very much.
Mr. Dupont, could you answer that?
4:55 p.m.
Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual
This is something I have very little information about. I work in academia, so this is something that is very remote from my work.
4:55 p.m.
Liberal
Sven Spengemann Liberal Mississauga—Lakeshore, ON
Okay, that's helpful. That leaves me a bit more time.
When we look at interdisciplinary connection points with respect to cyber-attacks, how stovepiped is our system, and how separate are the various stovepipes that need to respond to this? How well are they coordinated at the moment?
4:55 p.m.
Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual
There is a real effort to try to coordinate with the Canadian Centre for Cyber Security and through other initiatives, but it's probably still lagging. This is such a complex issue, and we probably need to inject a lot more effort, energy and money into it.
I think a lot more work remains to be done. A lot of people are very much aware of the need to de-silo all of those isolated groups.
4:55 p.m.
Liberal
4:55 p.m.
Bloc
Christine Normandin Bloc Saint-Jean, QC
Thank you, Mr. Chair.
Professor Dupont, you said that Canada's industry was lagging behind. The SolarWinds incident came up earlier. FireEye, a U.S. think tank, uncovered the breach.
Is that the sort of initiative we don't have in Canada, or are the deficiencies more on the government's end?
Alternatively, is it the balance and co‑operation between the two where the deficiencies lie?
4:55 p.m.
Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual
FireEye is a private firm, not a think tank. It has more or less the same type of expertise as Microsoft.
I think Canada is behind because security and cybersecurity issues are not high on the political agenda. They are considered important, but not necessarily seen as priorities that need to be dealt with at the highest political levels, unlike in other countries, where the office of the president or prime minister plays a direct role. That's where we differ from our allies.
4:55 p.m.
Bloc
Christine Normandin Bloc Saint-Jean, QC
That brings me to my next question.
Can you list some countries whose leads we could follow in terms of developing cyber capacity in the military and other sectors?
4:55 p.m.
Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual
We could certainly look to Europe for some worthwhile initiatives. The U.K.'s armed forces, for instance, created a cyber reservists unit to attract people from the private sector to work on matters of national security on a temporary basis.
My colleague Christian Leuprecht mentioned something Germany is doing. The country established a specific recruitment pathway to attract people to careers in the military. They obtain the rank of lieutenant-colonel and gain very specialized skills to speed up their integration. France set up a cyber defence reserve as well.
Certain countries have introduced really positive measures, and some of those countries are comparable to Canada in size and don't necessarily have the unlimited resources the U.S. has. We can look to initiatives of those countries as models.
4:55 p.m.
Bloc
Christine Normandin Bloc Saint-Jean, QC
Are initiatives like those precisely why the countries in AUKUS are part of the pact, unlike Canada, which is not a member and is lagging behind?
4:55 p.m.
Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual
Yes. It does indeed depend on how much of a priority the country has made the issue and its level of investment in recent years.
