National Defence Committee on March 28th, 2022

Mr. Chair, members of the committee, good afternoon.

I'm Cherie Henderson, the assistant director of requirements at the Canadian Security Intelligence Service. Thank you for the opportunity to appear before you once again this year, this time to discuss cybersecurity, which of course is a very important topic.

As Canada's principal government agency responsible for investigating threats to the security of Canada, CSIS also investigates cyber-threats. As such, we employ all our investigative tools to collect intelligence on cyber-threat actors' exploitation of cyberspace to conduct espionage, sabotage and foreign-influenced activities against Canada and Canadians. CSIS also co-operates with a wide range of domestic and international partners.

Our unique value lies in our ability to collect intelligence on the nature and scope of hostile cyber-activities and the intentions of the actors behind them. This intelligence supports the mandates of our Government of Canada partners, enabling them to better formulate foreign and domestic policies, protect critical Canadian entities and strengthen our nation's overall cybersecurity posture.

Under the CSIS Act, the service also has the legal authority to use threat reduction measures in order to reduce cyber-threats to Canada. One of the most important challenges to address in protecting our national security is the sharing of timely and actionable intelligence. CSIS is addressing this particular challenge in a number of ways, including through regular outreach and partner engagement. We have delivered briefings to partners on the espionage and foreign influence threats posed by state cyber-actors, as well as the potential national security impacts of ransomware attacks carried out by criminal groups.

With today's rapidly evolving technology, we are witnessing an unprecedented level of change in the threat environment. It has become more complex, increasingly fluid, less predictable and consequently more challenging. Threat actors are conducting activities in the online space, simultaneously taking advantage of the technology that enables them to disguise their activities and their identities. Moreover, cyber actors have more opportunities than ever to conduct malicious activity as our world becomes increasingly interconnected.

We investigate the criminal elements as well as the hostile state cyber actors who conduct malicious activities to advance their countries' interests, whether they be political, economic, military, security or ideological. Hostile state actors seek to compromise computer systems by manipulating their users or exploiting security vulnerabilities to gain access to trade secrets or to achieve various objectives through the disruption of critical infrastructure and vital services. These types of activities are not going away, and in fact are currently on an upward trajectory.

CSIS has observed persistent and sophisticated state-sponsored threat activity for many years. We continue to see a rise in the frequency and levels of sophistication of this threat activity. Canadian companies in almost all sectors of our economy have been targeted and compromised.

Unauthorized, malicious access to Canada's critical infrastructure can have drastic consequences for the safety and security of Canadians. If you think about all the systems we rely on in our lives, including systems that support our telecommunications, energy, transportation, supply chain, health and financial activities, any interference with these systems can have unforeseen impacts on our personal safety, our well-being and our national security.

For example, the COVID-19 pandemic has given rise to an unprecedented number of individuals working from home offices, which are much less secure environments. This new standard of work increases the risk of exposure to malicious cyber-activities on networks and sensitive information. We have all heard accounts of cybercriminals conducting ransomware acts on companies and public institutions, including hospitals at the height of the pandemic.

The increasingly interconnected and global nature of security threats means that CSIS cannot fulfill its mandate in isolation. There is tremendous co-operation and ongoing work within the security and intelligence community to provide the Government of Canada with the best intelligence and advice possible concerning cyber-threat activity.

Today's global threat environment requires that each partner use their unique mandate and legal authorities to protect Canada and Canadians. That is exactly what CSIS has been doing and will continue to do.

Again, thank you for the opportunity to discuss this issue with you today. I am pleased to answer any questions.

Thank you, Mr. Chair, and members of the committee, for the invitation to appear today.

My name is Sami Khoury. I'm the head of the Canadian Centre for Cyber Security, often referred to as the Communications Security Establishment's cyber centre.

CSE, reporting to the Minister of National Defence, is one of Canada's key security and intelligence agencies, with the five-part cyber-centric mandate derived from the CSE Act introduced in 2019. We use our technical expertise across all five aspects of our mandate, and we do so to keep Canadians safe and secure.

I'd like to give you an overview of the current cyber threat landscape.

Clearly, the cyber threat environment is rapidly evolving. Cyber incidents, including those involving critical infrastructure, are increasingly numerous and sophisticated.

People rely on the Internet for a growing number of important daily activities, from banking, government services and health care to business and education, which puts them at risk. We saw that during the pandemic, when people had to become more reliant on digital infrastructure. Threat actors took advantage of the pandemic and stepped up efforts to exploit human and technological vulnerabilities.

In addition to this increase in cyber incidents, I'd like to highlight some of the specific trends we've observed.

We assessed that cybercrime remains the most likely threat to impact Canadians. Now and in the years ahead, Canadian individuals and organizations will continue to face online fraud and attempts to steal personal, financial and corporate information. We also assessed that ransomware directed against Canada will continue to target large enterprises and critical infrastructure providers. The protection of these organizations and networks is crucial to the productivity and competitiveness of Canadian companies and vital to Canada's national defence. While cybercrime is the most likely threat to impact Canadians and Canadian businesses, the state-sponsored cyber programs of China, Russia, North Korea and Iran pose the greatest strategic threat to Canada.

If you'd like to learn more about the cyber threats facing Canada, I encourage you to read CSE's “National Cyber Threat Assessment 2020”.

I am aware that Russia's invasion of Ukraine is a current cause of concern for the committee. I can't comment on our specific operations today, but I can confirm that we are keeping a close eye on cyber threat activity associated with those military manoeuvres.

Today, we're not aware of any specific threats to Canadian organizations in relation to events in and around Ukraine. But as the situation evolves, I can assure you we continue to monitor the cyber-threat environment in Canada and globally, including cyber-threat activity directed at critical infrastructure networks.

Although the trends I have outlined today seem quite worrisome, the cyber centre is working tirelessly with stakeholders and building strong partnerships across Canada to develop a shared awareness of the threat landscape and promote the necessary measures to protect and defend against them.

We continue to provide advice and guidance—largely informed by Russian cyber threats—to help Canadians and Canadian businesses become more cyber safe.

CSE is also sharing important cyber threat intelligence with Ukraine so that it can better defend its networks.

We are working with the Department of National Defence and the Canadian Armed Forces to support intelligence co‑operation and cybersecurity.

As Canada's cyber-threat environment rapidly evolves, we must all play our position. Cybersecurity is a “whole of society” concern. It will take all of our expertise and collaboration to protect Canada and Canadians.

Thank you again for the opportunity to appear before you today. I'm pleased to answer any questions you may have.

My understanding right now is that Canada regularly suffers thousands of cyber-threat attacks on a daily basis all across the country, and numerous organizations are under that attack. I wouldn't have for you actual stats on which particular countries those are coming from. I would leave that to my colleague Sami, but what I can say.... Or the quantity...let me correct that: I wouldn't know the quantity from each particular country. Sami may have better stats on that.

What I can say is that we certainly use all of the tools that we have in our tool box to investigate any of those threats—

Yes, I would. It is an ever-increasing issue, and it's something that we all need to be alive to.

As we have moved forward in technology advancement, there has been much more cyber-activity in that area and many more cyber-actors. Historically, we focused on state-sponsored attacks, but with the proliferation of tools, many more actors have entered the arena.

I can start with that one.

This is one of the things I worry very much about. The service investigates and tries to do a lot of outreach to inform our research industries and our companies that are involved in research and development. As you know, Canada is a top leader in research and development and has a lot of very valuable intellectual property.

There are numerous countries out there that would like to get their hands on that research without having to put the money and investment into it. For all those industries, we really work on outreach to try to increase that awareness so they can protect themselves.

We are also very focused on our critical infrastructure. Critical infrastructure is necessary to maintain our day-to-day lives, and that is another area that is very vulnerable and would need to ensure a very high level of protection and awareness.

Perhaps I can pass this to Mr. Khoury for some further comments.

Thank you for the question.

From the cyber centre perspective, our priority is to defend Canada against all sorts of cyber incidents, regardless of the sector, but we are paying particular attention to the critical infrastructure sectors to make sure they have the necessary tools to protect themselves.

In our national cyber-threat assessment of 2020, we called out the capabilities of the four of them—Russia, China, North Korea and Iran—as being state-sponsored programs of the greatest strategic threat to Canada. It's difficult to compare one against the other, but I would suggest that in the current context we have to be mindful of the geopolitical tensions and the Russian cyber-threats.

Anonymous, like many other organizations, brings a certain level of threat to the cybersecurity of a country. We've seen some of them align with Russia and some of them align with the Ukrainian cause in the context of the current geopolitical tension.

Again, we learn as much as possible from all of the incidents, and that's why we encourage all victims to report to us so that we can learn and promote new cybersecurity practices. We take all of that information, digest it and put out new advice and guidance.

I will defer to Australia to comment about the nature of the incident that—

We track the activities of Huawei and other telecom operators around the world, and that helps inform the security of the Canadian telecom infrastructure.

Again, we track all of these reportings. They help formulate the position of the cyber centre on how to protect the Canadian telecommunication infrastructure.

Yes, I am aware of that law. It is a law that I believe was brought in in 2017, if I'm correct. That law does compel all Chinese companies to support any requirements of the Chinese government.

That's a very good question. Thank you for it.

It's very important, as I think both Mr. Khoury and I have said, that every agency that has national security responsibilities is able to investigate those attacks using the tools that each agency brings to the fight, in a sense. That's why it's extremely important that we all co-operate together in order to fulfill each of our mandates. Within that umbrella, then we can successfully combat the current threat environment that we're facing.

It's also important, I believe, that all Canadians and all businesses and industries also are very aware of the cyber-threat and can then take the necessary precautions and measures to protect themselves. I think it's also important, as we move forward in the future, to make sure that we are continually looking at whether or not we do need new tools and whether or not there are ways in which we can improve. That's why we do talk about looking at modernizing, for example, the CSIS side just to see if there are new tools that we would be able to bring to bear that would help protect Canada and Canadians as we move into the future.

I would reiterate that it's extremely important that each agency co-operate and we do communicate very well together to make sure that we're all using all the tools we have in our tool kit at the moment.

I would echo what Ms. Henderson said. This is a whole-of-society effort. We learn a lot from all of the cyber-incidents in the government. From that experience, we promulgate that information to the public sector and the private sector and Canadian citizens at large and we collectively make a dent in the cost of cybersecurity.

There are no obstacles, per se, that would prevent us. What I think we need to do is make sure that, one, we have all the tools that are necessary and are fully aware of where technology is moving and how it's developing. Then, it's also extremely important that we balance the rights and privacy of Canadians as we're moving forward.

It's a very delicate way to move forward—to make sure we have the tools to catch the bad guys but also protect the rights of Canadians. It takes quite a bit of research and study to make sure we're getting to where we are and what we need in order to protect our national security.

From a cyber centre perspective, that teamwork across government and across Canada is extremely important. Reporting cyber-incidents will be very important, so that we learn from all of those incidents that are happening and then we can up the cybersecurity of the country.

What I would say is that Russia is an extremely capable threat actor. We know that Russian intelligence services have previously engaged in disinformation campaigns to discredit and create divisions in the west, to promote Russia's influence abroad, and to push for an end to western sanctions. We also know that Russia covertly gathers political economic military information in Canada through targeted threat activities in support of its own interests.

While I can't go into any specific measures, I can say that CSIS uses the full suite of its tools at its disposal to counter those Russian activities.

Thank you for your question, but I, personally, don't have that information.

I would direct you to FINTRAC, which would be the better department to answer that type of question.

I, too, was going to say that the Financial Transactions and Reports Analysis Centre of Canada, FINTRAC, would be in a better position to answer that question.

Thank you for your question.

I would say that they absolutely do. We are constantly in contact with our neighbours at CSIS and our counterparts in the Canadian Armed Forces. In fact, we support two of their missions, operations Unifier and Reassurance, so we have good lines of communication when it comes to sharing information with both of those organizations. We also work with institutions government-wide to mitigate risks to the federal government, as well as with provincial and private sector partners.

For an answer to that question, I would refer you to the Canadian Armed Forces. If the armed forces can't answer, I can provide the information.

I would prefer to get back to you in writing, if I may.

The Canadian Centre for Cyber Security plays an important role in the integrity of our supply chains. If we had to examine the privatization of a service—within the federal government, I mean—we would have a hand in evaluating the program.

If you're talking about a domestic threat, I would refer you to Ms. Henderson, who can provide more clarity on that.

Of course, we work with private sector stakeholders on a number of issues. In some cases, they provide us with details related to cyber threats. I would say the relationship is more complementary, but when it comes to cyber incidents, there are things that CSE does not do.

For example, the private sector is responsible for helping a victim get back on track.

Thank you for your question. I'm going to switch languages to answer.

This is another very interesting question. What I would say is that, under section 12 of the CSIS Act, we can do an investigation overseas if it is determined that there is a threat to our national security. What we cannot do overseas is any activity under section 16 of the CSIS Act, which is allowing us to collect political information or economic information in the support of national defence or foreign affairs.

Under section 12—threats to the security of Canada—it's not an issue. It's under section 16 that we must remain within Canada to collect any intelligence.

In the “National Cyber Threat Assessment 2020”, we mentioned that the Internet was at a crossroads and that we are seeing more and more misinformation and disinformation that's not limited to political campaigns or election periods. We're seeing much broader use of misinformation and disinformation. We're definitely seeing it in the context of the Russia-Ukraine conflict.

From a cyber centre perspective, we are calling out those activities. We're not a regulatory agency, so we're not here to offer a comment on the social media platforms themselves. Rather, it's about how we can work with Canadians, at large, on identifying misinformation and disinformation, on being informed readers, on making sure that they get the news from reputable sources—in terms of both a news perspective and an IT perspective—and making sure that the domain that's hosting the information is reputable too.

We put out a bulletin very recently, two or three weeks ago, specifically on disinformation and misinformation and malinformation. We hope people will read it and draw from it some nuggets of information that will help them in their information gathering or in their social media presence.

From the cyber-centre perspective, our role is to defend the country from cybersecurity incidents and give Canadians and Canadian businesses the necessary tools to raise the cybersecurity bar.

We are not an agency or a centre that is here to regulate social media. I will defer to other government agencies to maybe answer that element of the question.

I believe that Mr. Khoury has answered the question. Neither of our two agencies is here to regulate social media platforms. That is the responsibility of other departments and perhaps society as a whole, as to how we want to manage that situation.

CSIS has a very active recruitment program to look for the right talent, and we are always exploring new ways to find the right talent and bring them into the service.

There are many Canadians out there who are extremely interested in working in national security in our department, and we are finding ways to encourage them to join and encourage them to stay. You mentioned retention. With the changing work environment, that sometimes gets a little challenging in a national security world, but we are looking at all avenues to recruit and retain our staff.

CAF is a much larger organization than we are, so they would have much different types of recruitment challenges than we do. We certainly have witnessed a huge interest in working for this service just from the volume of applications that come to us on a regular basis.

From a cyber-perspective, the security of the telecom infrastructure is something we take very seriously. The government is conducting an examination of these emerging technologies and notes that a decision will be announced in due time.

In the meantime, we are working with partners and other agencies to mitigate the risks stemming from the use of these designated technologies, including the Huawei entity.

I'm not going to speak specifically to Huawei, but I would note, further to a response to a question I answered earlier, that the Chinese national security law compels any of these companies to engage in activities in support of the government's requirements.

What I would say is that right now, the Government of Canada is engaged in an ongoing review that's being led by Public Safety and it's determining the Canadian approach for the implementation of 5G technology and telecommunications networks.

All of our allies have taken different approaches to 5G and to Huawei and to the implementation, and they're adopting various mitigation measures to protect their national security in response to the needs of their unique environments, and we all continue to talk and work very closely together.

I couldn't speak to what the allies are thinking at this point, but what I can say is that we all work very closely together.

We work very closely with our partners around the world as well as with our domestic partners to really educate and inform the critical infrastructure, the various business enterprises, industry and our own government departments to shore up their resources and protect their cybersecurity, and we constantly work together to learn about new ways in which we may be attacked so that we can prepare and help support all of our departments to protect themselves against a massive cyber-attack.

Lots of things keep me up at night.

I would say at the moment that we are all working extremely hard and closely monitoring the current situation and environment, and monitoring the advances in technology so that we can make sure we have the defences to protect ourselves. We are only as strong as the weakest link, which means we really need to work together, educate, and learn from anybody's mistakes so we can shore up everything and protect ourselves today and into the future. It's a constantly evolving environment, and we can never let our guard down, because there is always a threat actor out there that would be willing to try to take advantage of our systems and our country and to have a hugely negative impact on our national security.

No, I would not, because as I noted earlier, every country needs to find the mitigation measures that work in its specific instance, and we all work extremely closely to share information to make sure that we're all helping each other protect ourselves as we move into the future.

As I noted earlier, we work really closely with our partners because, as Mr. Doherty pointed out, I did say that we're only as strong as our weakest link, and because we all work so closely together to share each other's experiences, to learn and to develop, I would not say that we were collateral damage. I would say that we are a partner and we work closely with our allies to build those partnerships and our knowledge and awareness.

I was going to echo what Ms. Henderson said.

I'm happy to maybe take a first crack at that.

We are aware of the connection between the Russian intelligence services and cybercriminal organizations. That is something we identified in our national cyber-threat assessment of 2020 and more recently in the context of the Ukraine and Russia conflict.

We have seen cybercriminal organizations take sides one way or another. From a cyber centre perspective, we have the task of defending the country, defending Canada and defending critical infrastructure against all sorts of threats, irrespective of whether they are by nations states or cybercriminals, and to promote cybersecurity across the board.

Obviously, calling out a country for cyber-activity is a whole-of-government...and GAC has the lead on the attribution framework. We would provide, from a cyber centre perspective, one piece of input to the dossier that will help the Department of Foreign Affairs, GAC, make the determination on naming a country more publicly.

I would say that it's a hacker without ill intent. It's somebody who will hack into a system to discover a vulnerability and then report it to the system owner and say, “I found this vulnerability in your system and here's how you should fix it.” That's opposed to a hacker who goes in and steals information and then maybe holds it for ransom or damages the system.

Cyber-attacks, from the perspective of the cyber centre, come from pretty much everywhere. We defend the government against cyber-attacks that come from everywhere, and also for different intents, be they state sponsored or criminal. To defend is to raise the bar and to put out, as much as possible, timely information. The measure of success here would be how quickly we detect it, how quickly we mitigate the incident and how quickly we turn it into a lesson learned so that we can help protect Canadians.

Thank you for your question.

We work closely with our FINTRAC colleagues, but we don't have a mandate to investigate. Oftentimes, cyber currency is used in cases involving ransom or other criminal activity, so I would refer you to the RCMP. This is more their responsibility.

CSIS is a domestic intelligence agency. As I said, we have the ability and the authority to investigate any threats overseas that are a threat against our national security. We do have representation overseas, as is publicly acknowledged—we have an officer in Paris, London and Washington—that supports any of the working relationships with our partners overseas.

We do have the ability to investigate to protect our national security.

It's hard to put a figure on the number of incidents because they are under-reported. Not all cyber-attack victims report the incidents to us. I can talk about attacks against the government or its attack surface, but it's hard to draw a comparison with ransom-based attacks.

That said, the government is certainly an attractive target.

We know from, again, the cyber-threat assessments that China has a state-sponsored cyber program in the same way as Russia. We have to defend the government, and more broadly Canadian society, against both threats, be it a strategic threat against the government or international property theft or things like that.

On the nature of the relationship between Russia and China, I would defer to our intelligence colleague, who might be in a better position to speak about it.

I wouldn't want to speak particularly about the relationship between China and Russia, but I would say that both of them are extremely capable threat actors who will operate in their interests and what works best for their requirements.

I wouldn't be able to answer that question. I don't know if Mr. Khoury would have a response for you on that front.

I would defer to DND to answer that question on the specific state of their IT.

We have worked tirelessly with DND but also with the rest of government to increase the coverage of the sensors that the cyber centre has made available to the government for defence. Definitely we are in a much better space today than we were in 2017.

As far as technology and legacy systems are concerned, I will defer to DND. They know their environment best to say whether or not certain technologies have been updated.

I would say we're much, much better, but patching a system is not without risk. Every department, including Shared Services and others, has to weigh in the impact of patching a system. Sometimes it breaks technology, or it breaks systems currently in use. I will defer to them to assess it.

We have put together quite a slew of security capabilities to protect the federal government that we're very proud of, at this point.

When we have seen cyber-activities directed against Ukraine, we have shared those cyber indicators with Ukrainian officials so that they can better defend their networks. Beyond that, on the question of cyber operations, I am unfortunately unable to answer that.

We are familiar with the Conti Group. They were active in Canada pre-invasion, so we have a good body of knowledge on how to defend against them. We launched a major campaign on ransomware in December to call attention to the problem. As a follow-up to the Russian invasion of the Ukraine, we've twice issued threat bulletins to critical infrastructure operators, calling attention to the threat posed by Russia and Russian-affiliated groups, to better defend themselves.

We're constantly learning from what is going on out there, updating our advice and guidance, updating our threat feeds and our indicators of compromise, and defending—

Yes. While the cyber centre's primary mission is to protect the government and lead the response to cyber incidents, we work side by side with the public and private sectors. We have a number of engagement platforms with the sectors through sectoral tables, be it energy, electricity or health care. Some meet more regularly than others. With the health care round table, which includes the cross-Canada health care community, the hospitals and the clinics, we meet weekly if not every other week.

With the electricity sector, we have started a pilot called Lighthouse for them to appreciate the threats posed to their networks. Likewise, we have another pilot with the Canadian Gas Association where we work collaboratively for them to appreciate the threats to their landscape.

Beyond that, we also care about national-level outcomes. We have worked with the Canadian internet registry to make available, free of charge to Canadians, a protective DNS service so that when you browse online, if you point to the Canadian shield, you can be assured that there is no malicious website where you are going. We have a pretty broad engagement program with the private sector.

It's difficult to compare one sector against another. The threats could be different. Our role at the cyber centre is to make sure we pass on all the information to all the critical sectors—be those finance, energy, transportation or health care—and to make sure they all have the necessary tools to protect themselves in the event of a cyber-attack. It's difficult to simply say which one is better prepared than the others.

There's a program under which we can work with the various entities to assess their cybersecurity maturity, and we're happy to work with all of them. Every sector needs something different, so the programs that we tailor to, for example, municipal engagement, are different from the programs we tailor to the banking sector. We have to cover the entire waterfront of Canadian sectors so we can make sure they're all protected.

We know that ransomware incidents are under-reported, so we encourage everybody to reach out to us, whether an incident is big or small, to share with us the nature of the cyber-incident so we can learn from it and quickly turn around to mitigate the threat across Canada. The more reporting, the better it will be to raise the collective bar across Canada.

I would second that. I fully believe that we really need to have open communication, to discuss and raise the issues and to encourage anybody to report an incident. Many companies are very uncomfortable and think it will reflect very negatively on them, but all of that can be managed in a secure manner so we are not giving out identities but are collecting as much information as possible to protect them and other companies.

Thank you, Mr. Chair and members of the committee, for inviting me to appear before you. I will be making my opening remarks in French, but I would be happy to answer questions in both official languages.

I am a professor at the Université de Montréal and Canada research chair in cybersecurity. I am also the scientific director of the Human-Centric Cybersecurity Partnership, a group of 30 or so cybersecurity researchers, and government and private sector partners, including Microsoft.

Like other witnesses who have appeared before the committee, I want to focus on the technological changes that are currently redefining the parameters of the military conflicts in which Canada is, or will be, involved. With the invasion of Ukraine, cyber-attacks and disinformation are, of course, top of mind. Looking further ahead into the future, I would point out that digital technologies such as artificial intelligence, 5G networks, the Internet of things, quantum computing and the advent of neural interfaces are also challenges that have the potential to radically alter armed conflicts.

With these predictable changes on the horizon, we must think about the strategies that need to be put in place now to prepare. It is essential to consider the medium- and long-term policy implications of these technologies and anticipate their role in future conflicts, for instance, in 2025 or 2030. We must start preparing now, by acquiring new technical capability and by recruiting and training the people who will be called on to leverage that capability. This foresight work is crucial if our armed forces are to adapt proactively to a constantly changing environment.

These technological changes must go hand in hand with fundamental changes in the recruitment and training of cybersecurity experts, whose role will become increasingly important. The general labour shortage in this field—which I believe my colleague Christian Leuprecht talked about—is affecting the private sector, so the armed forces will have to be creative if they are going to attract skilled workers. Some countries have already introduced specific recruitment strategies for their armed forces, while others have opted to build reserve forces with specialized skills to quickly mobilize skilled personnel in times of crisis. To my knowledge, Canada's examination of the issue is still in its infancy.

Beyond human resources, it is crucial that Canada develop digital sovereignty in defence, specifically over key areas such as artificial intelligence and quantum computing where Canada leads the way in research but lags behind in industry. That involves the deliberate development of industrial innovation ecosystems that can contribute to Canada's defence and that of its allies. I want to draw your attention to the AUKUS security pact between the U.S., the U.K. and Australia, a pact that Canada was not invited to join. Announced in September 2021, the arrangement focuses on more than providing nuclear-powered submarines to Australia; it calls for a very high level of integration across the three countries' R and D and commercialization efforts in the strategic areas of cybersecurity, artificial intelligence and quantum computing.

In conclusion, the cyber threat landscape is becoming increasingly complex and adversaries are stepping up their cyber-attacks. These challenges cannot be dealt with effectively using traditional solutions, whose limitations have become painfully clear. The innovative solutions we need cannot simply be carbon copies of those our neighbour and allies have devised and implemented. We must genuinely engage in a process to thoroughly examine our interests, resources and strategies if we are to implement the bold measures needed to make up for lost ground.

Good afternoon, Mr. Chair, Mesdames Vice-Chairs.

Let me begin by thanking you for inviting me to appear today to inform this committee on the cyber-threats affecting Canada, and the Canadian Armed Forces' operational readiness to meet those threats.

My name is John Hewie. I'm national security officer with Microsoft in Canada.

One of our principal and global responsibilities as a company is to help defend governments and countries from cyber-attacks. Seldom has this role been more important than during the past weeks in Ukraine. All of us at Microsoft are following closely the tragic, unlawful and unjustified invasion.

This has become both a kinetic and digital war, with horrifying images as well as less visible cyber-attacks on computer networks, accompanied with Internet-based, state-sponsored disinformation campaigns.

Our single most impactful work in this area in Ukraine has been assisting with the protection of Ukraine's infrastructure against Russian cyber-attacks. These ongoing cyber-attacks have been precisely targeted, and we are especially concerned about those on Ukrainian civilian digital targets, including critical infrastructure, emergency response services and humanitarian aid efforts. We have deployed cybersecurity technical protections to dozens of targeted organizations in concert with the Ukrainian government. We are also assisting organizations in Ukraine to move services to the cloud so they may continue to potentially operate from outside of the country. Our disaster response teams have also been supporting numerous groups that are providing aid to the Ukrainian people.

Our efforts have involved constant and close coordination with the Ukrainian government, the European Union, the U.S. government, NATO and the United Nations. We are committed to supporting Ukraine and helping to protect its government, citizens and our employees.

While the events in Ukraine certainly have the world's attention, other cybercriminals continue targeting and attacking all sectors of critical infrastructure, including public health, information technology, financial services and the energy sectors. Ransomware attacks are increasingly sophisticated and successful at crippling governments and businesses. The profits from these attacks are soaring, which leads to fuelling criminal and state-sponsored financial interests. Global estimates indicate that the cost of data breaches worldwide will reach in excess of $5 trillion by 2024.

During the past year, 58% of all nation-state cyber-attacks observed by Microsoft have been attributed to Russia, followed by North Korea, Iran and China. Russian actors are increasingly targeting government agencies involved in foreign policy, national security and defence for intelligence gathering.

The SolarWinds compromise at the end of 2020 by a Russian actor is an example of the increasing and concerning attacks observed against the supply chain. These and other insights are further detailed in the second annual Microsoft digital defence report, which provides our view into the global cyber-threat environment.

Microsoft recently made an unprecedented global commitment to invest $20 billion in cybersecurity over the next five years. Our overall security strategy has a comprehensive approach across diplomacy, by promoting digital peace and advocating for norms of acceptable behaviour in cyberspace, disruption of cybercriminal infrastructure using innovative civil litigation and law enforcement partnerships and, of course, defensive cyber-attacks that target Microsoft and our customers globally using advanced cloud technology—a zero-trust approach to security that involves information-sharing partnerships and thousands of highly skilled people.

Good examples of partnerships are our 15-year relationships with Canada's Communications Security Establishment and now the Canadian Centre for Cyber Security, where we share information on emerging threats and cyber-defence techniques enabled through the Microsoft government security program.

As we look around us, it's apparent that digital technology plays a vital role in almost every aspect of our lives. Microsoft's mission is to empower every person and every organization on the planet to achieve more. We can only do so by protecting the digital world we all use. What has become very clear to the world is that cybercrime and state-sponsored attacks are critical threats to national security and Canada's economy. No single entity can combat these threats effectively on their own. Working together with industry, academia, civil society and government, in Canada and internationally, is paramount.

As a company at the forefront of cybersecurity, we are here to support, build knowledge and expertise, and play a key role in helping to enhance preparedness for Canada, the whole of government, including the Canadian Armed Forces.

Thank you, members of the committee, for your time and attention. I welcome your questions.

Thank you for that question.

Certainly, technology providers have a critical responsibility to ensure that their software and services are as secure as possible. Microsoft takes this responsibility extremely seriously.

While we have led the world and led technology organizations worldwide with the development of and education around things like the security development life cycle, which Microsoft pioneered over a decade ago, and of course with continued improvements around information-sharing and partnerships with organizations and governments around the world, and working with our competitors, including Amazon, Google and many others across the security community, in doing our absolute best to build reliable and trustworthy software, we're really, quite frankly, up against adversaries that are very determined, very patient and very well funded.

Software today is incredibly complex, and while we aim to minimize vulnerabilities in software, it is a task that we're continuously vigilant on and continue to work towards.

Thank you.

It's a great and in fact very important question. We are also acutely aware of that resource and skilling shortage across the security community. We're taking a number of steps.

Here, specifically in Canada alone in the last year, Microsoft has invested millions of dollars in the security skilling, tools and programs to help bring new individuals and much more diversity into the security space here in Canada. We have partnerships in supporting various academia and academic institutions across the country with skilling programs and I think we're trying to build awareness across the broader community that this is not simply something that's going to be solved by technical nerds who know how to configure networks. There are legal issues, civil rights issues and just a diversity. We need a broad range of thinking brought in to fill this skills gap to, together, help combat this problem.

Microsoft's threat intelligence center tracks a number of actors around the world on a constant basis. We've been doing that for a number of years, and that's really to help inform not just how we build cybersecurity protections into our products and services but to help inform and provide intelligence to our various customers around the globe.

I don't believe I have details at hand on exactly whom we've attributed FoxBlade to, but that was certainly a malware wiper attack that was targeted at the Ukrainian infrastructure.

From what we're seeing, the FoxBlade wiper is a good example of what appears to be a ransomware-type attack on infrastructure, but is actually a destructive attack. While the intention is to encrypt data, there is no ability to restore that data or an intention on the part of the adversary to actually ransom the victim.

The Government of Canada just announced an $80-million investment in the cyber security innovation network through ISED. I think this is a great initiative, because it's going to bring together more than 120 academics and industry partners from the private sector and from the provincial, municipal and federal governments. I think this needs to be supported and probably accelerated, as well.

In terms of training, we need to bring in people from all kinds of disciplines, since you mentioned it's an interdisciplinary approach. When we reviewed all of the disciplines involved, we identified more than 40 disciplines, from public health and political science to psychology and computer science, of course. I think we need to foster a lot more engagement in cross-disciplinary work in Canada and to think about how this could be put to work to protect Canadian assets, vulnerable groups and critical infrastructures.

I would build on what my colleague just said. Absolutely, no single entity can combat these threats on its own. We heard similar themes from the previous witnesses. We need strong collaboration across government, industry and academia, both domestically and internationally.

I think it's important to recognize that, when we're talking about cyberspace, the private sector—private industry, especially cloud service providers like Microsoft—operates much of that infrastructure. It's what the Canadian Forces would call the “cyber battlespace”. We certainly have a unique view, and it's probably a different view from what government organizations have. By working together, we can really complement each other's abilities to defend and protect customers, organizations, governments and all Canadians in that space.

Maybe I'll go first.

There's a short answer from Microsoft. Microsoft does not condone or involve itself in offensive cyber-activities.

This is something I have very little information about. I work in academia, so this is something that is very remote from my work.

There is a real effort to try to coordinate with the Canadian Centre for Cyber Security and through other initiatives, but it's probably still lagging. This is such a complex issue, and we probably need to inject a lot more effort, energy and money into it.

I think a lot more work remains to be done. A lot of people are very much aware of the need to de-silo all of those isolated groups.

FireEye is a private firm, not a think tank. It has more or less the same type of expertise as Microsoft.

I think Canada is behind because security and cybersecurity issues are not high on the political agenda. They are considered important, but not necessarily seen as priorities that need to be dealt with at the highest political levels, unlike in other countries, where the office of the president or prime minister plays a direct role. That's where we differ from our allies.

We could certainly look to Europe for some worthwhile initiatives. The U.K.'s armed forces, for instance, created a cyber reservists unit to attract people from the private sector to work on matters of national security on a temporary basis.

My colleague Christian Leuprecht mentioned something Germany is doing. The country established a specific recruitment pathway to attract people to careers in the military. They obtain the rank of lieutenant-colonel and gain very specialized skills to speed up their integration. France set up a cyber defence reserve as well.

Certain countries have introduced really positive measures, and some of those countries are comparable to Canada in size and don't necessarily have the unlimited resources the U.S. has. We can look to initiatives of those countries as models.

Yes. It does indeed depend on how much of a priority the country has made the issue and its level of investment in recent years.

When very specialized skills are needed, people want assurance that they are going to stay in their position for a number of years.

Remuneration is another important consideration. Even though those who consider a career in the armed forces are not motivated by money, it's still important to offer them competitive pay vis‑à‑vis the private sector, which has the ability to pay people in the field very well. It's important to think about the system for compensating people with these special skills.

When I talk about digital sovereignty, I'm talking about Canada developing its own businesses and capacity so that it can produce Canadian technologies and services in response to strategically important technological needs. This means helping to build Canadian companies and industries with the ability to not only sell their products outside the country, but also supply our armed forces with technologies we can have full confidence in.

That's right.

Yes, the same skills are required to carry out the same type of analysis in determining the appropriate response. The only exception is that, in cases involving ransom, negotiating skills can come into play, but more in the private sector.

Oh, oh!

When I was talking about a neural interface, it's a new brand of technology trying to connect human brains to machines in order to communicate faster between those two components. For example, Elon Musk is investing a lot of money in a company called Neuralink, which is trying to implant electrodes into human brains in order to communicate much faster, and in a more effective way, with computers. The initial aim is to blend artificial intelligence with human intelligence.

This is not science fiction. This is what's happening right now in research and development.

That is one of the examples. It is one of the early use cases, but the applications will be much broader than that.

Yes. We could be thinking about implanting neural interfaces in the brains of soldiers to make them much more effective combatants.

It's hard to know, because it's all very sensitive and confidential. This is being developed at the moment. There are papers and documentaries. Investors are investing millions of dollars in these technologies. This is coming for sure.

I'm not aware of legislation being brought forward. I'm sure those technologies would be regulated by public health and pharmaceutical regulatory frameworks.

I think the needs are still very acute. The types of profiles we need are pretty much the same. We need technically trained people. They are in very high demand, not only from the private sector in cybersecurity but from other sectors in AI development and video games. All the IT industries are hungry for all those people, and they're competing ferociously to attract those talented people.

I mentioned SolarWinds just in the context of the emerging trend we're seeing across nation-state adversaries, but especially Russia, in compromising the supply chain. What I mean by “compromising the supply chain” is that, instead of individually going after a specific entity individually, those actors will go after and try to compromise the software or technology systems that those companies use.

In the case of SolarWinds, Russia was attributed to the compromising of the SolarWinds company itself, whose software is used by many companies around the world, including governments, and the data that we have indicates that the single compromise of SolarWinds ended up impacting over 18,000 organizations worldwide.

I don't have any detail to provide this committee on the current status of that investigation.

I'm not aware either way.

I don't have insight into that or have information on that either, but I can say that this is not the first time that this destructive malware has been used by a nation-state actor.

I suppose, if it were targeted at critical infrastructure in a way that had some type of catastrophic chain of failure, then it could certainly impact human lives in a negative way.

I'm sorry, I'm not aware of the term “threat emanation technology”.

Threat emulation technology.... No, I'm sorry, I'm not aware of that term either.

I think it's really difficult to predict a future in this space, and it's why we've seen a theme of needing to work together on sharing intelligence and looking at different ways to combat these threats, not just from the defensive perspective, but advocating for things such as what Microsoft is doing around our digital peace objectives and advocating for cyber-norms of acceptable behaviour in cyberspace so there are consequences to these actors.

Specific to your question about IoT, absolutely, that is a concern to Microsoft and many others across the industry, in that these devices are being plugged into the Internet at a prolific rate, and there isn't necessarily the structure or the organization among the vendors or even regulation around this to ensure that these devices are built and secured by design and securely operated, or even have the ability to be updated at a later point in time by the vendor. Those things are easy targets for actors to compromise and then use against either governments, critical infrastructure, Microsoft or any organization in a future cyber-attack.

I'm sorry. We do not have any information on that particular situation.

Oh, oh!

I'd like to share a very timely and close-to-home example, and that's the work that Microsoft has done. I mentioned our long-standing collaboration with the Communications Security Establishment and the Canadian Centre for Cyber Security. Part of the threat intelligence that the Canadian Centre for Cyber Security develops and curates, as part of what they see through their various sensors and lens that is shared with critical infrastructure here in Canada, is also shared with Microsoft. That's been done over the past two years in an automated way.

Those indicators and signals that are contributed by the Canadian Centre for Cyber Security end up helping to improve the protections within all Microsoft products and services globally across the cloud. They help provide that additional level of protection to customers worldwide and in Canada, including the Canadian government and consumer organizations around the world.

That's very much a great example of that industry partnership and having real impact by sharing key information.

Another great example is the CCTX—the Canadian Cyber Threat Exchange—which brings together 150 Canadian companies. It provides them with threat intelligence from the Canadian Centre for Cyber Security, but the private sector also blends all of these [Technical difficulty—Editor] intelligence and shares that with Canadian companies, big and small.

One of the major issues is that we've talked a lot about critical infrastructure, but Canada is a country of small and medium-sized business and those businesses are being hit by ransomware and they cannot often afford the same kind of cybersecurity technology. We also need to be thinking about how can [Technical difficulty—Editor] we need to be thinking about more.

Do you want me to repeat the last few sentences?

It might have been Chinese.

I was just saying that the Canadian government needs to keep thinking a lot more about how to help SMBs—small and medium-sized businesses—because they employ 95% of the Canadian workforce and provide a lot of services and some of the critical functions to bigger companies. They are also involved in supply-chain attacks, and they have very limited resources to deal with cybersecurity issues.

Number one is that cybersecurity basics matter more than ever now. When I say the “basics”, I mean keeping systems up to date, using modern technology and enabling things like multifactor authentication.

In our view of all of the attacks and customer compromises that we see, doing the basics and enabling MFA would prevent the vast majority of those. Unfortunately, as much as we work with things like Get Cyber Safe to build that education, there's still a lot of improvement we can make around the basics.

I'll go first. Their role makes the work of government agencies even more complex. It becomes very hard to know who is doing what in this new environment where anyone can call themselves a hacker to answer the call for help, with very good intentions, I don't deny that.

The risk is that some of the hackers may not necessarily know all the ins and outs of the systems they are attacking. As a result, they may launch attacks against critical infrastructure in Russia to the detriment of Russian civilians, who don't necessarily have anything to do with the attack on Ukraine. Those cyber-attacks have the potential to spill over into other countries, beyond Russia's borders, and be hard to control.

I think the situation needs to be approached with a great deal of care. It's important to not get excited and to think about all the uncontrolled and unforeseen implications of cyber-attacks mounted by isolated groups.

I would reinforce Microsoft's position that we certainly do not support cyber-offensive activities, primarily for a number of reasons.

We have seen that cyber-weapons are typically very difficult to target, and the potential for collateral damage to spill beyond the intended targets, much like the NotPetya attack in Ukraine a few years ago, which ended up impacting organizations around the world and costing hundreds of millions of dollars to recover from. That is example of where there's a potential for that collateral damage that could be extreme.

I could maybe start with that one and Mr. Dupont could follow.

Certainly in our digital defence report we outlined some of the activity we have seen and detected, which includes espionage by some of the nation-state adversaries that I mentioned previously. These actors, quite frankly, whether they are cybercriminals or nation-state actors, are looking for gaps in our protection, gaps in our processes, and are looking to exploit those.

The general guidance that Microsoft would have, whether protecting against espionage or other types of ransomware attacks, quite frankly, would be similar. We would certainly encourage organizations with sensitive IP, or what we might call the “high-value assets”, to invest additional protections in those high-value assets, versus trying to just protect everything in the organization equally.

The Canadian government has launched a new research security program to try to help, or to force or compel, universities to better protect their intellectual property and raise their awareness. I think that's an excellent initiative to try to counter the leakage of Canadian IP.

The government needs to think about helping universities to fund these new efforts they are required to undertake. That would maybe be a piece of advice.

Maybe I can take a crack at that.

“Cybersecurity” is really about protecting your computer infrastructure or your identity in the digital context, on the Internet or connected to a network. It's those security protections extended to the cyber domain.

A “vulnerability” is a problem within a piece of software code that could be exploited for unintended purposes by a particular adversary.

“Threats” can be considered across a spectrum of criminal organizations or nation-state adversaries.

We've also done work at Microsoft with the Citizen Lab at the Munk School at the University of Toronto to try to shine a light on what we call “private sector offensive actors” who are building spyware for sale to governments and other organizations.

Really, risk and risk management are what all organizations at the core are looking to focus their business efforts on. There's always a trade-off between risks and benefits, and there's only a limited amount of money and people—

Well, just on top of that, I would say that cybersecurity is not only about protecting systems but also about protecting the information that resides on those systems and helping the people using those systems adopt the behaviours that will actually strengthen the whole architecture of the people, machines and information working together.

Maybe the government could be offering tax deductions to cover those bounties. Maybe that would help those organizations take these bounties more seriously. Or, as well, it could regulate this area of activity.

I would say that Microsoft has quite extensive experience in this particular topic. We'd certainly be happy to consult and to inform some views on that particular topic following this committee meeting.

We certainly encourage confidential vulnerability disclosure. We work with a community and have fostered a community with security researchers around the world. We have extensive bug bounty programs to try to direct that research into areas of our products and services that we feel are the most sensitive or where we'd like to see more inspection. Quite frankly, we've found that works generally very well.

There are certainly situations where.... Technically, these patches are updates to address these vulnerabilities, and they take time. We don't want to roll out a patch before it's ready and end up disrupting or negatively impacting existing infrastructure out there.

Yes, absolutely. I would say that the techniques being used most predominantly are twofold. One, attackers are using vulnerabilities or exploiting vulnerabilities in software that for the most part have been patched by the vendor, but the customer or organization or agency just hasn't yet had a chance to deploy that patch.

In the shared responsibility model in which we operate for cloud services, there's a security responsibility for both the cloud provider and for the actual end-user or the customer. In a case where we see attacks against identities, meaning that people are trying to access someone's username—their login and password, so to speak—certainly we've seen Russian actors use password spray and other types of techniques, including phishing, to gain access to those accounts.

We work with those customers to be able to notify them of suspicious activity when we see attempts to compromise those particular accounts or if we do have intelligence to detect that they have been compromised.

In the vast majority of cases, because these systems are massive and at scale, the tooling has been empowered so that there are alerts generated. It's the responsibility of the end-user, the end customer, to monitor those alerts and that suspicious activity themselves.

Oh, oh!

I think the side of good pays better than the side of evil, so I would say there is an edge for white-hat hackers.

I would like to agree with Mr. Dupont in that regard.

I think the area where there is an ethical line is in the security research community. The security researchers who are looking for vulnerabilities can do basically one of two things. They can provide that back to the vendor, which is part of the confidential responsible vulnerability disclosure program, and have it fixed, or they can sell that vulnerability to the cybercrime industry or others.

We try to provide “bug bounty” programs and other incentive structures to encourage and align those security researchers with the good guys.

Unfortunately, they are very creative in finding ways to monetize data that's been stolen from organizations.

In the case of ransomware—I'm sure it's a term most people are familiar with—there's the traditional encryption of your files and holding them for ransom with the intent that you'll be given a key to decrypt those files. Then there's the second stage where they steal that data and leak it to the public.

In the last several years, I think we've seen a professionalization of that crime industry where it's not just one actor or two actors doing things; it's a whole economy of actors.

Another example is compromised accounts, where a username and password for a particular Canadian organization is compromised. It gets put into a market on the dark web and sold to the highest bidder as a way to gain access to this particular organization. They may have more experience dealing with critical infrastructure or the mining industry and know how to further monetize attacks against those organizations.

Oh, oh!