Evidence of meeting #13 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Cherie Henderson  Assistant Director, Requirements, Canadian Security Intelligence Service
Sami Khoury  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Benoît Dupont  Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual
John Hewie  National Security Officer, Microsoft Canada Inc.

5:05 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Thank you, Mr. Chair.

Mr. Hewie, you mentioned the SolarWinds attacks in the context of Canada's national defence.

5:05 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I mentioned SolarWinds just in the context of the emerging trend we're seeing across nation-state adversaries, but especially Russia, in compromising the supply chain. What I mean by “compromising the supply chain” is that, instead of individually going after a specific entity individually, those actors will go after and try to compromise the software or technology systems that those companies use.

In the case of SolarWinds, Russia was attributed to the compromising of the SolarWinds company itself, whose software is used by many companies around the world, including governments, and the data that we have indicates that the single compromise of SolarWinds ended up impacting over 18,000 organizations worldwide.

5:05 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Is the scope of the SolarWinds attack still under investigation?

5:05 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I don't have any detail to provide this committee on the current status of that investigation.

5:05 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

No Canadian national defence software was impacted by it. Is that what you're saying?

5:05 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I'm not aware either way.

5:05 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

You mentioned FoxBlade earlier. Do you know whether or not it's being used against NATO members?

5:05 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I don't have insight into that or have information on that either, but I can say that this is not the first time that this destructive malware has been used by a nation-state actor.

5:05 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Would FoxBlade have the potential to result in mass death?

5:05 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I suppose, if it were targeted at critical infrastructure in a way that had some type of catastrophic chain of failure, then it could certainly impact human lives in a negative way.

5:05 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

There's the term “threat emulation technology” as it applied to Cobalt Strike. What is meant by that, and how would it be applied or used against our national defence?

5:10 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I'm sorry, I'm not aware of the term “threat emanation technology”.

5:10 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

It's threat emulation technology.

5:10 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

Threat emulation technology.... No, I'm sorry, I'm not aware of that term either.

5:10 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Okay.

CSE judges that cyber-threat actors will very unlikely seek to intentionally disrupt Canadian critical infrastructure and cause major damage or loss of life.

That being said, how vulnerable are we with the Internet of things, given that something as simple as your refrigerator is sending off pings? There seem to be so many vulnerabilities and it is the least protected throughway that is going to be attacked, so how can they be so confident, do you think, that it will be unlikely to be disrupted?

5:10 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I think it's really difficult to predict a future in this space, and it's why we've seen a theme of needing to work together on sharing intelligence and looking at different ways to combat these threats, not just from the defensive perspective, but advocating for things such as what Microsoft is doing around our digital peace objectives and advocating for cyber-norms of acceptable behaviour in cyberspace so there are consequences to these actors.

Specific to your question about IoT, absolutely, that is a concern to Microsoft and many others across the industry, in that these devices are being plugged into the Internet at a prolific rate, and there isn't necessarily the structure or the organization among the vendors or even regulation around this to ensure that these devices are built and secured by design and securely operated, or even have the ability to be updated at a later point in time by the vendor. Those things are easy targets for actors to compromise and then use against either governments, critical infrastructure, Microsoft or any organization in a future cyber-attack.

5:10 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

I didn't have a chance to ask this in the first round, but there was GiveSendGo, a U.S.-based platform that was hacked. Do you have any knowledge of who the expected or suspected perpetrator is of that?

5:10 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I'm sorry. We do not have any information on that particular situation.

5:10 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Ms. Gallant.

Mr. Kelloway, welcome to the committee.

5:10 p.m.

Liberal

Mike Kelloway Liberal Cape Breton—Canso, NS

Thank you for having me, Mr. Chair.

Hello to my colleagues, to the staff who are here and to the witnesses.

Let me say, Mr. Chair, that I think you're getting better, not older.

5:10 p.m.

Liberal

The Chair Liberal John McKay

You have 10 minutes now.

5:10 p.m.

Liberal

Mike Kelloway Liberal Cape Breton—Canso, NS

I have 10 minutes now?

5:10 p.m.

Voices

Oh, oh!

5:10 p.m.

Liberal

Mike Kelloway Liberal Cape Breton—Canso, NS

That's great.

I want to thank you for your opening remarks and your responses to a lot of the great questions that have been thrown your way.

I want to pick up on one particular item. I think, Mr. Hewie, you brought up the importance, when you're looking at cybersecurity, of looking at it from an integrated approach. This includes the government, private sector and academia.

There are a couple of questions—and these are also for Mr. Dupont. Can you provide an example of where that integrated framework is working well?

The second piece concerns this. I'll paint a picture. You have an opportunity to speak to that collaboration of private sector, governments and academia. What are the first three things that you would recommend to that group to look at concretely and do a deep dive on?

We could start with Mr. Hewie and then go to Mr. Dupont.

Thank you.

5:10 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I'd like to share a very timely and close-to-home example, and that's the work that Microsoft has done. I mentioned our long-standing collaboration with the Communications Security Establishment and the Canadian Centre for Cyber Security. Part of the threat intelligence that the Canadian Centre for Cyber Security develops and curates, as part of what they see through their various sensors and lens that is shared with critical infrastructure here in Canada, is also shared with Microsoft. That's been done over the past two years in an automated way.

Those indicators and signals that are contributed by the Canadian Centre for Cyber Security end up helping to improve the protections within all Microsoft products and services globally across the cloud. They help provide that additional level of protection to customers worldwide and in Canada, including the Canadian government and consumer organizations around the world.

That's very much a great example of that industry partnership and having real impact by sharing key information.