Thank you very much, Chair.
Thank you very much to the committee for having me. I'm honoured to appear before you today to discuss the critical issue of cybersecurity and the capabilities of foreign actors.
To effectively address the issue, I believe the government should take a multipronged approach. Now, I understand the urgency of the issue, so rather than discuss the current state of cybersecurity—we already heard from the previous two witnesses about the various threats we face as a country—let me begin at the end and offer a few thoughts about what I think you can actually do about it.
I've had the benefit of reviewing the comments of my colleague, Wesley Wark, so I will focus on a different set of prescriptions, although I will say that I agree with what he's going to offer.
First, I think the government should incentivize companies to adopt the latest security measures, such as the “CyberSecure” standard established by ISED and CSE for small and medium organizations. The standard provides a high level of protection, but its adoption—this is the problem—has been limited.
Implementing a tax credit system as an incentive to help increase the overall level of cybersecurity in the country and reduce the risk of cyber-attacks on businesses would be a way forward. These attacks result in significant financial loss, damage to reputation and disruption of operations. If we were to advance this, we could attract investment and increase productivity and profitability. The standards are already there, but too few companies are doing them. There's that old saying that you cannot herd cats but you can pick where you put the food out, so incentivize those businesses through a tax credit.
Second, the government should establish a clear and concise legal framework for dealing with cyber-attacks that includes guidelines for attribution, response and liability, but the governance structure should be nimble and responsive to the fast-changing environment. The regulations should be expert-driven, focusing on sound policy and not good politics. The Governor in Council should be able to approve standards, codes of practice and certification programs to act as an integrated compliance mechanism.
Third, the government should establish an annual multistakeholder platform for collaboration and engagement on cybersecurity issues. This platform should include participants from all levels of government, private sector, indigenous communities, academia, not-for-profits, law enforcement and industry leaders. In my view, cybersecurity is a whole-of-society concern for Canada. Everyone, including think tanks, needs to do more to address this issue.
As a consequence, my organization, CIGI, plans to host the first Waterloo security dialogue in June to bring together various stakeholders and focus on discussions and simulations to better understand the impact of cyber-incidents, response and recovery measures, and the roles and responsibilities of different parties.
Let's talk about the threats. As previous speakers have mentioned, there are active persistent threats, or APTs, in coordinated and highly targeted cyber-attacks often carried out by state actors who aim to steal sensitive information or disrupt critical infrastructure over a long period of time.
You have ransomware, which we've talked about already as well. That's malicious software that encrypts the victim's files and demands payment for a decryption key. There's also now something called double extortion, where they threaten to release very sensitive information. Not only is your information locked up, but they threaten to release sensitive things to either embarrass you or push you to payment.
Then we have supply chain attacks. Supply chain attacks occur when an attacker actually compromises the software or hardware of the supplier to deliver malicious code to its customers. Probably the best known of these in recent memory is the 2020 SolarWinds incident, where that popular IT management software was used to compromise thousands of organizations.
We also have election interference and foreign actors using cyber means to hack into voter databases, spread disinformation and manipulate social media, all with the view to influence public opinion.
We also then have critical infrastructure attacks. This was already talked about in terms of the Ukrainian power grid. This is a great example of a critical infrastructure attack having a real-world effect where, in 2015, 225,000 people were without electricity.
The full capabilities of states will certainly vary, but here's my view: In light of current geopolitical trends, I believe the safest operating assumption for Canada is that we will be existing in a grey zone for the foreseeable future.
As for what I mean by “grey zone”, I'm actually going to adopt the definition from Canada's defence policy, which I thought was the best definition I'd seen.
Here, it says:
State and non-state actors are increasingly pursuing their agendas using hybrid methods in the “grey zone” that exists just below the threshold of armed conflict. Hybrid methods involve the coordinated application of diplomatic, informational, cyber, military and economic instruments to achieve strategic or operational objectives. They often rely on the deliberate spread of misinformation to sow confusion and discord in the international community, create ambiguity and maintain deniability.
In conclusion, my own view is that this is a whole-of-society concern for Canada. It's not just about government. It's actually about governance.
I believe it's our collective duty to better prepare the country for an existence in this grey zone.
Thank you, Mr. Chair.