Evidence of meeting #13 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was threat.

A recording is available from Parliament.

Also speaking

Cherie Henderson  Assistant Director, Requirements, Canadian Security Intelligence Service
Sami Khoury  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Benoît Dupont  Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual
John Hewie  National Security Officer, Microsoft Canada Inc.

5:20 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Yes, please, a quick crack at that.

5:20 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

“Cybersecurity” is really about protecting your computer infrastructure or your identity in the digital context, on the Internet or connected to a network. It's those security protections extended to the cyber domain.

A “vulnerability” is a problem within a piece of software code that could be exploited for unintended purposes by a particular adversary.

“Threats” can be considered across a spectrum of criminal organizations or nation-state adversaries.

We've also done work at Microsoft with the Citizen Lab at the Munk School at the University of Toronto to try to shine a light on what we call “private sector offensive actors” who are building spyware for sale to governments and other organizations.

Really, risk and risk management are what all organizations at the core are looking to focus their business efforts on. There's always a trade-off between risks and benefits, and there's only a limited amount of money and people—

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

I'm going to cut you off there, Mr. Microsoft.

Mr. Dupont, do you have anything to add to that or do you have something substantially different from that?

5:25 p.m.

Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual

Dr. Benoît Dupont

Well, just on top of that, I would say that cybersecurity is not only about protecting systems but also about protecting the information that resides on those systems and helping the people using those systems adopt the behaviours that will actually strengthen the whole architecture of the people, machines and information working together.

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

All right. Good. Thank you very much for that.

I have one last question for both of you. A number of Canadian organizations have responsible disclosure policies that offer financial incentives to what we call “ethical hackers” to refrain from publicly disclosing software security and vulnerabilities they discover in that organization's products or services until a patch is available.

However, a frequent complaint of those who disclose security vulnerabilities under a responsible disclosure scheme is that the organization they disclose to fails to respect the rules of that game. Sometimes, an organization that has been alerted to a security vulnerability in their product or services plays down the significance of that vulnerability, so as to pay a smaller bounty, fails to give due credit to the ethical hackers or demands an unreasonable delay in public disclosure because they're unwilling to put resources into patching the vulnerability.

We all know that puts Canadians at risk. What do you think government should be doing to encourage organizations to implement responsible disclosure policies to prevent this sort of activity from occurring?

5:25 p.m.

Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual

Dr. Benoît Dupont

Maybe the government could be offering tax deductions to cover those bounties. Maybe that would help those organizations take these bounties more seriously. Or, as well, it could regulate this area of activity.

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Go ahead, Mr. Hewie.

5:25 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I would say that Microsoft has quite extensive experience in this particular topic. We'd certainly be happy to consult and to inform some views on that particular topic following this committee meeting.

We certainly encourage confidential vulnerability disclosure. We work with a community and have fostered a community with security researchers around the world. We have extensive bug bounty programs to try to direct that research into areas of our products and services that we feel are the most sensitive or where we'd like to see more inspection. Quite frankly, we've found that works generally very well.

There are certainly situations where.... Technically, these patches are updates to address these vulnerabilities, and they take time. We don't want to roll out a patch before it's ready and end up disrupting or negatively impacting existing infrastructure out there.

5:25 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Motz.

The final five minutes will go to Mr. May and Mr. Fisher.

5:25 p.m.

Liberal

Bryan May Liberal Cambridge, ON

Thank you, Mr. Chair.

Mr. Hewie, I'm somebody who's really new to this, so I'm hoping you can really dumb this down and walk me through it. You talked about how much work from Microsoft's perspective goes into detecting these breaches and obviously stopping them.

Could you elaborate a little bit on the breach itself? Is it typically Microsoft that discovers this as opposed to the organization or a government?

5:25 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

Yes, absolutely. I would say that the techniques being used most predominantly are twofold. One, attackers are using vulnerabilities or exploiting vulnerabilities in software that for the most part have been patched by the vendor, but the customer or organization or agency just hasn't yet had a chance to deploy that patch.

5:25 p.m.

Liberal

Bryan May Liberal Cambridge, ON

But you see that first, right? Is it you guys who are detecting these breaches maybe before a government, or even before the company in question?

5:30 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

In the shared responsibility model in which we operate for cloud services, there's a security responsibility for both the cloud provider and for the actual end-user or the customer. In a case where we see attacks against identities, meaning that people are trying to access someone's username—their login and password, so to speak—certainly we've seen Russian actors use password spray and other types of techniques, including phishing, to gain access to those accounts.

We work with those customers to be able to notify them of suspicious activity when we see attempts to compromise those particular accounts or if we do have intelligence to detect that they have been compromised.

5:30 p.m.

Liberal

Bryan May Liberal Cambridge, ON

What does that decision tree look like? I'm wondering at what point you reach out to the government and say, “We've detected this. It's something we should be sharing with the wider community.”

5:30 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

In the vast majority of cases, because these systems are massive and at scale, the tooling has been empowered so that there are alerts generated. It's the responsibility of the end-user, the end customer, to monitor those alerts and that suspicious activity themselves.

5:30 p.m.

Liberal

Bryan May Liberal Cambridge, ON

Thank you.

I'll give the rest of my time to Mr. Fisher, please.

5:30 p.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Thank you very much, Mr. May, for sharing your time with me.

I have to say that both witnesses are amazing. The information we're getting here is absolutely astonishing. I thank you both for being here.

I'm short on time, so I guess this will be sort of a short snapper here. Presuming that the good guys and the bad guys are seeking the cyber-skilled young people of today and tomorrow, who has the edge on that skill set? Is it a bidding war to get the smartest and brightest people out there to be on the side of good versus the side of evil?

I just randomly looked at you, Cheryl....

5:30 p.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Evil.

5:30 p.m.

Voices

Oh, oh!

5:30 p.m.

Professor and Canada Research Chair in Cybersecurity, Université de Montréal, As an Individual

Dr. Benoît Dupont

I think the side of good pays better than the side of evil, so I would say there is an edge for white-hat hackers.

5:30 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

I would like to agree with Mr. Dupont in that regard.

I think the area where there is an ethical line is in the security research community. The security researchers who are looking for vulnerabilities can do basically one of two things. They can provide that back to the vendor, which is part of the confidential responsible vulnerability disclosure program, and have it fixed, or they can sell that vulnerability to the cybercrime industry or others.

We try to provide “bug bounty” programs and other incentive structures to encourage and align those security researchers with the good guys.

5:30 p.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Thank you.

That sort of leads me to my last question, which I have about 45 seconds for.

Mr. Hewie, you talked about the cost of data breaches. How do groups, these state actors or these criminal networks, profit other than by selling the data?

5:30 p.m.

National Security Officer, Microsoft Canada Inc.

John Hewie

Unfortunately, they are very creative in finding ways to monetize data that's been stolen from organizations.

In the case of ransomware—I'm sure it's a term most people are familiar with—there's the traditional encryption of your files and holding them for ransom with the intent that you'll be given a key to decrypt those files. Then there's the second stage where they steal that data and leak it to the public.

In the last several years, I think we've seen a professionalization of that crime industry where it's not just one actor or two actors doing things; it's a whole economy of actors.

Another example is compromised accounts, where a username and password for a particular Canadian organization is compromised. It gets put into a market on the dark web and sold to the highest bidder as a way to gain access to this particular organization. They may have more experience dealing with critical infrastructure or the mining industry and know how to further monetize attacks against those organizations.

5:30 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Fisher.

That will bring our questioning to an end. I want to thank Professor Dupont and Mr. Hewie for this very enlightening and somewhat scary peek into the new world. I'll be sure not to talk to my wife in front of our refrigerator any longer.

5:30 p.m.

Voices

Oh, oh!