National Defence Committee on Feb. 10th, 2023

Wonderful. Yes, first of all, I wanted to discuss something that I call the “ransomware from hell”. It's a scenario that I made and that I think needs to be aired here.

Let's say you're a hospital administrator. You get an email and it says, “One of your employees just clicked on that phishing email from a Saudi prince and now we're inside your system, but we are not going to hold your data for ransom or erase it.” They say they have a much better idea: that they've traversed your network and they know that you have 75 Picker X-ray units, four Siemens MRIs and 2,000 BD infusion pumps. They're all there and they all have vulnerabilities.

There are zero-day vulnerabilities in many technologies that the manufacturers don't know about.

They say they're for sale on the dark web. They say they bought them on the dark web and they need to get their money back, so you have to pay them $10 million in Bitcoin by tomorrow, and, if you don't, they're not going to encrypt your data—that's so old school—they're just going to kill a patient every day.

I did look up an article from Israel on “Seven Ways to Kill a Patient with a Picker X-Ray Unit”: from hitting them physically with it to giving them too much radiation.

The reality is that I took this to a bunch of hospital administrators in the U.S., and they said that either they would pay the ransom—and I said, “Okay, great, then they'll be back for $20 million tomorrow”—or they'd ignore it. I said, “Well, then, you'll be on the front page of the New York Times under 'Hospital Kills Grandma by Refusing to Pay Ransom'.”

They also said they'd try to air gap it. This is where we get technical. They'd say that they will separate all the different hospital systems so that they can't do this. My medical colleagues says that's nonsense because that Picker X-ray unit has to talk to the doctor, the lab computer and the intraoperative MRI. My point is that it's a tightly connected network.

The answer is—and I've taken this to everybody I know who's smart—that there is no answer.

I would agree that it is a major risk, particularly with.... I don't recall the name of the communications company that was recently suspended because of ties to Chinese firms.

I'd say that is a constant, ongoing problem, as we have seen evidence that China will actively taint supply chains to try to implant surveillance capabilities. The most recent one, I believe, was almost a full fleet of cars in the U.K. that were found to be bugged through this manner.

At the same time, with certain other firms.... I want to parse the different risks between, let's say, large consulting firms and those at the end of the supply chain as two completely different risks. In cyber-defence and cybersecurity, McKinsey and these large consulting firms are, really, the big names in the business that will be doing much of this business. There really is no getting around them.

When you are taking into account the massive inflation and the massive competition to get these skilled individuals, you can't necessarily compete with them.

I will completely agree that there is a need for more transparency, I'd say, across the board on Canadian cyber-defence policy. Most of my research is from looking at audits and looking at departmental results, and then I'm surprised that people are surprised by what I know about the Canadian Armed Forces.

As much as I know broad themes, there are still a lot of gaps in my knowledge. That's simply because the Canadian Armed Forces doesn't want to tell you and because they are prevented from doing so. It's very much a policy problem.

I really want to stress that there is a difference between the transparency and putting more demands on the Big Five or these firms, because there are already quite a few demands.

I would agree. It's endemic to the system.

Recently the National Security and Intelligence Review Agency found out that there were 180 independent databases in the Canadian Armed Forces, meaning that you need personnel management, not information management, in order to access much of this data.

Thank you so much for mentioning Shoshana Zuboff's idea on surveillance capitalism. My son is actually a cybersecurity researcher and worked with her on that book.

There is no question that we give up too much information on social media. There is a wonderful video on The Onion, a satire site, in which Mark Zuckerberg is honoured as CIA agent of the year because he got people to give up so much information about themselves—where they're going to go, what events they will attend. If you want to arrest them, you just have to look at their schedule.

Absolutely, we need a greater awareness. There's a reality there that people love sharing information. It's not necessarily a good thing. At the very least, everyone needs to look at who gets access to their information. Is it you, your friends, the friends of your friends or the whole world?

I want to mention that I have a wonderful graduate student, Anika Kale, who has been studying intelligence curricula around the world, particularly from the point of view of gender. She finds that there is almost no awareness of gender in there.

You are absolutely right. One source can pollute another source, and there's really no control on that. The best thing to know about this is that AI generally doesn't explain itself. It gives you an answer. My big objection to ChatCPT is that it makes that answer look very authoritative when it's making it up out of nowhere. I got it to write a poem once, and it put a disclaimer at the bottom that I thought was very interesting. It said that this was a creative work and it didn't really have any facts in it.

You are absolutely right. One data source can poison another data source. I have no doubt that intelligence agencies around the world are busy trying to poison our wells of open-source data right now.

There's no question that we've seen this in U.S. presidential campaigns and other campaigns. Bots are created for the explicit purpose of getting people riled up. Sometimes they'll do both sides; they'll do the left and the right. The reason is that they want to sow discord in the United States. You can probably think of what countries are doing this.

I want to mention technology—because it was mentioned before—and where the risks are. The American military tried an e-voting project where soldiers who were posted overseas could actually e-vote. I was asked to comment on the security of the system. It was great. You had to do a video selfie of yourself, and you really proved who you were. However, some of those soldiers had cellphones that were made by Huawei, Xiaomi, Meizu. Here you had the end point, the cellphone, that could be vulnerable. It's the weakest link theory. That could be the way in which the e-voting system might have been corrupted.

I want to first take your example of being unable to take pictures as a security issue. We're now dealing with the greater proliferation of open-source intelligence. We're able to use just Google Maps to conduct that same exact intelligence and analysis that 20 years ago was illegal. Using this kind of open-source intelligence can also feed into operations on critical infrastructure. It is often the individuals, the people, who are the draw or the vulnerability in a system.

Any organization will have professionals to watch this and work on cybersecurity. You look for any weak link in a system. It can be any small thing. If they can gain entry, they will attempt to lock it down and use it for whatever means they have. If it is a state, they'll just lie in wait for a conflict to happen to then initiate it. If it is a criminal, usually it will involve locking down the system, preventing its use, such as the Colonial pipeline attack, and demanding money. If they don't get that ransom, they'll publish that data online, no matter how secret or sensitive that data is.

As the CSE official confirmed on Tuesday, CSE is able to support and help the CAF on cybersecurity and cyber-defence issues. When doing so, they take on Canadian Armed Forces mandates. That would mean if the CSE were required to be called upon in a conflict, particularly a war, CSE civilians who are assisting the Canadian Armed Forces would be considered combatants in a war.

You have to contend with and understand to what degree this extends to the rest of the organization at that point.

I can't comment too much on that, as the information I have is limited.

I will say that a big reason for the difficulty in retaining those with the skills in the CAF is that they simply don't have the infrastructure and means to actually do the work. There are a lot of bureaucratic walls and slow procurement. They are joining the forces to do this work, but they don't necessarily don't want to be sent out to just set up radios.