National Defence Committee on March 10th, 2023

You're very right. You have sticks and carrots—I like to look at it that way. In some cases, the sticks could be compelling businesses to disclose their breaches. Most businesses we talk to say that as long as they are involved with how that would occur and where the information would go, and as long as it is done in a proactive way such that their brand or their business is not damaged in the process.... In other words, you flip the lens and say that proactive disclosure is a good thing. No one should be ashamed that they have had a breach, because it's only a matter of time. You frame it in that way, and then you say that when they proactively disclose to you, the return they will get from that is that they will get others' vulnerabilities so that they can become a better business. It's a quid pro quo type of relationship.

I think those are the missing pieces. If you want to compel, you need to invite businesses in, to figure out how to do that in an effective way that doesn't damage their business. In the same vein, you're going to be sharing that information back, which is something we want and something that will make us better and more secure in the overall ecosystem.

It was Industry 100, in the U.K.

Yes. It's a collaborative model. It's not so new anymore. Essentially, it's a program that helps solve short-term labour supply shortages of specialized talent.

Industry companies put staff into the National Cyber Security Centre, on their team. That would be like us placing our resources into CSE, for example. They do that on a part-time basis. There is no separation between the industrial partners, meaning that these industrial partners could be competitors at some point in time, but when they come and moonlight at the NCSC, they are doing so together with government staff on a new, neutral territory on a non-transactional basis, so they're not paid for that activity for the common good of U.K. national security.

These individuals in the private sector can do everything from drafting white papers or developing software to being the liaison between their organization and the government entity on threats and incursions that are going on. It's a national type of activity.

I think that's a very true statement. We see that kind of urgency all the time. The EU is in the theatre of war right now, and while Canadians sort of feel it, we don't feel it to any great extent. That's one of the reasons we say that if there is a portion of the population or a portion of the business community that is wired to be a bit more accepting of those kinds of things, it is the defence industrial base, by its nature.

Canada is studying CMMC right now. The Canadian embassy in the United States and, to some extent, DND, Public Safety and PSPC are actively monitoring and looking at that standard.

The challenge is that they're trying to understand whether the standard needs specific “Canadianization”. We believe that if we do that, developing the Canadianized portions of the standard will create a different standard. It will mean that Canadian companies have to have two standards, which increases costs. If we don't get it right, the Americans could be moving forward and Canadian companies could be waiting for the Canadian standard and therefore be left behind when it comes out in procurement. There's that sense of urgency.

They are working on it. We have a pathfinder program right now that is trying to pull in Canadian businesses to actually participate in the American standard as it goes through.

Arguably, it's already too late, in that there's an attack called “harvest and decrypt”, which means that if someone gets inside your system, they can grab blobs of encrypted data and just store them, and then at some time in the future, when they have a quantum computer, they can open that up.

For secrets that will still be valuable in 10 years, let's say, like military secrets or advanced industrial secrets, those things may already be lost. For other secrets, maybe not, but it is very urgent that we get post-quantum cryptography in place as soon as we can.

It's hard, because I'm stepping out of my swim lane a bit. I'm not really in the university or high school models anymore, but I do think that across Canada we understand that there is a talent shortage. We also understand, I think, that we're a bit shy about being directive in terms of incentives for pushing certain classes of study or areas where we want to develop talent to have it come out the other side, meaning that we don't really do things like saying that students can get a bigger bursary if they go into this particular area of study. We want to encourage all Canadians to have equal access to education—post-secondary education, university education—and we're not very directive about what pipelines we want that education to occur in so that we can develop the talent for the future.

I do think that we could do more as a nation to have incentive programs, potentially, around directing education and talent into a variety of swim lanes, if you will, to create the next generation of individuals in the areas that we believe are critical for the country, but that comes down to setting national priorities about where you want your talent base to emerge.

I think you'd have to do your appropriate due diligence and screening to ensure that they would be trusted partners. First and foremost, before we go down that path, I would say that you have a lot of veterans leaving National Defence and security agencies who have security clearance, and the day they walk out the door, they lose their clearance and it takes them two years or a year and a half to get it back.

Maybe we would want to look inside to expedite the processes and deal with the barriers that currently exist, first and foremost. After that, yes, it could certainly be a possibility to look at individuals from, most assuredly, our Five Eyes partners to provide competency and talent within our own country.

I think, as we said, we've been quite slow at it. Certainly, the agencies and even to some extent National Defence.... Our siloed approach means we look after ourselves. The agencies look after the government. The CAF looks after the CAF, and industry looks after itself. What we're learning is that the approach we use is not working.

If we want to secure supply chains from the lowest common denominator—which is where a lot of the incursions occur, because the most vulnerable is the small business or the small business provider who may or may not have the equipment or skills to be able to do the cyber-hygiene at the level necessary—then we have to create those institutions or agencies or that outreach to get them to be more cyber-aware and to have the appropriate protections. We have to make those protections available to them. We have to help protect those companies and incentivize them. Incentivizing can involve that stick and carrot, meaning that if they want to do business with the Canadian government, if they want to do business in the supply chains, they need to get their CMMC certification, for example.

We have to impose regulations on companies in order to up our game, with a quid pro quo of “Once you're inside the tent, you're inside the tent.”

As I said, about 25% of the industry...and 60% of that is along that mission assurance, so that's 60% of 25%. Please don't ask me to do math, because I'm an English major, but that portion is actively engaged in government contracts of our Five Eyes partners.