Evidence of meeting #53 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Christyn Cianfarani  President and Chief Executive Officer, Canadian Association of Defence and Security Industries
Tim Callan  Chief Experience Officer, Sectigo
Christian Leuprecht  Professor, Royal Military College of Canada, As an Individual

8:45 a.m.

Liberal

The Chair Liberal John McKay

Colleagues, let's call this meeting to order. It's 8:45. I see quorum. Our witnesses are in place and all sound-checked.

Colleagues, for the first hour, we'll go through the normal time frame, and then in the second hour I intend to take a few minutes at the end to pass the travel budget. Hopefully you'll use those two hours in some way or another among yourselves to arrive at an accommodation as to how this committee will travel. Maybe I live in a world of faint hope, but still....

With that, I'm going to call on Christyn Cianfarani to make her five-minute presentation. Then Mr. Callan, who is apparently online and checked, will come in by video conference.

Welcome back to the committee. We look forward to what you have to say, Ms. Cianfarani.

8:45 a.m.

Christyn Cianfarani President and Chief Executive Officer, Canadian Association of Defence and Security Industries

Good morning. Thank you again for the invitation to appear before this committee.

Today I will provide you with the perspective of the Canadian defence and security industry and the subset of companies that make up Canada’s cybersecurity industry.

Canada’s cybersecurity industry is world-class. According to studies carried out by ISED and StatsCan, between 2018 and 2020 the sector grew over 30% in terms of employment, R and D activity, and revenue. It's a fast-growing global sector expected to outpace traditional IT in terms of spending.

However, only 8% of the sector’s revenue is derived from Canadian government contracts. The sector sells three times as much to our Five Eyes allies as it does to the Canadian government. Those numbers speak to a central challenge we face in this country when it comes to cyber. Our allies see more value in Canada’s cybersecurity sector than Canada does. Something's wrong with that picture.

On one side of the coin, Canada needs to acquire more from its own industrial base, using procurement as a policy lever to drive innovation and build scale in Canadian businesses; on the other side of the coin, Canada needs to procure at the speed of cyber. A slow procurement process is a recipe for buying out-of-date or obsolete technology. Innovation cycles in this domain are measured in months, sometimes weeks.

Resolving these issues boils down to one word: collaboration. Canada requires a much greater degree of collaboration, co-operation, knowledge sharing, and co-development between government and the private sector.

Some positive steps have been taken towards this, but we’re nowhere near where we need to be. While agencies like CSE are very capable, CADSI's research has shown that our government is falling behind our allies when it comes to working with the private sector in an institutionalized way. Our allies are collaborating with industry in real time right now in Ukraine.

The Canadian government needs to establish a recurring forum for dialogue and discussion on cyber issues with all the key players—industry, DND, CAF, CSE, CCCS, GAC and Public Safety—at the table.

Canada needs improved systems for threat sharing that combine open sources with government and industry sources of information about breaches, indicators and potential responses. This will mean rationalizing what is unclassified and what remains classified and who has access to what. Again, our allies are on the forefront of this activity.

We should consider sandboxes and collaborative lab spaces to test new technologies and capabilities together at scale, as well as talent exchanges between the public and private sectors, like the U.K. Industry 100 program and the new talent exchange just launched by CSE. That could start to address the cyber-talent shortages we’re all facing, because cannibalizing each other isn’t going to work. Reservists with cyber and computing skills who are employed by companies could be an attractive way to support reconstitution of the CAF, so long as the government does not claim the IP and patents that reservists create while employed in the private sector.

It's also important to note that the broader defence industrial base, or DIB, which includes companies making everything from satellites to ships, has become a prime target for cyber-threat actors. Companies are increasingly incorporating technologies like artificial intelligence into their products. We know that countries like China and Russia will pursue Canada's AI through all available vectors.

Canada’s DIB is closely integrated with the CAF and with the American DIB. What we do in this sector is highly valuable, and that makes us vulnerable, given that 90% of Canadian defence companies are SMEs and many lack the ability to defend themselves against a state-sponsored cyber-attack. There's a growing requirement to secure Canadian defence companies large and small. The Americans are, not surprisingly, ahead of us. Very soon, a demanding and mandatory cybersecurity standard will start appearing in Pentagon defence contracts. This is known as the cybersecurity maturity model certification, or CMMC. CADSI has argued that Canada should adopt this standard by reference. CMMC will likely become a de facto Five Eyes, if not global, standard for defence firms. Taking time to contemplate a separate standard in Canada could become a competitive disadvantage for us and a non-tariff trade barrier.

While CMMC is new, other regulations need modernization for cyber, which needs to be done with industry at the table, since we’re at the technological bleeding edge and own the lion's share of the infrastructure.

In conclusion, effective cyber-defence at national levels is a team sport. If our allies get this, why can’t we?

Thank you. I will be pleased to take your questions.

8:50 a.m.

Liberal

The Chair Liberal John McKay

We'll go to Mr. Callan for five minutes, please.

8:50 a.m.

Tim Callan Chief Experience Officer, Sectigo

Good morning. I thank the members of the committee for the opportunity to appear before you today.

My name is Tim Callan and I am the chief experience officer and chief compliance officer at Sectigo, which is a global leader in solutions for digital identity, public key infrastructure and digital certificates. These are foundational elements in securing digital operations and ecosystems. My experience in this technology space goes back to 2004. I have previously been a vice-president and leader at Verisign and Symantec and a member of the board of directors at DigiCert. I am co-creator and co-host of the popular IT security podcast called Root Causes, which focuses on digital identity, encryption and PKI.

Today, nearly every organization depends on digital processes. Even the most traditional and off-line of businesses cannot perform properly without the aid of both customer-facing and internal digital services that depend on complicated interconnected networks of servers, devices, work streams, automated programs and more. These systems have grown to feed each other in complex webs of interdependency, and, consequentially, the concept of an isolated system failure is becoming rarer and rarer, replaced instead by cascading failures that can bring down entire sets of services.

A perfect example is the multinational cellular outage of December 6, 2018. On that date, approximately 40 million users of O2, SoftBank and other cellular providers experienced an outage that lasted nearly a day. This owed itself to a single failure of a single system in a single third party service provider. This failure cascaded outward until eventually the entire data networks for multiple major mobile service providers were unavailable.

The specific failure was with a digital certificate, which is a component that proves the identity of one element of a networked system. Absent proper digital identity, malicious actors can use a variety of techniques to inject themselves into the system to steal information, take down services or co-opt processes. Digital identity is irreplaceable for defence-in-depth strategies, like zero trust network access and passwordless authentication. Digital identity is necessary to securely operate modern IT architectures, such as DevOps, public cloud and the Internet of things.

Securing digital identities occurs through public key infrastructure, or PKI. PKI is a time-proven method of exchanging cryptographic keys to verify connected systems and encrypt data. PKI prevents third parties from reading or modifying data in transit and from pretending to be legitimate actors in a digital ecosystem. Most PKI implementations depend on digital certificates, which encapsulate core cryptographic functions in a way that enables essential capabilities such as life-cycle management, human-readable identity information and automatic expiration.

The question before this committee today is how to protect Canadians against evolving sophistication in cyber-threats. The events of recent years have shown us time and again that proper and comprehensive use of digital identity is essential to providing secure digital processes across businesses, government, infrastructure, finance, transportation, health care, education and nearly all other walks of life. Unfortunately, significant implementation gaps exist in organizations of all types. They may consist of poor PKI implementation, weak cryptography or failure to deploy automated certificate management to ensure all certificates are current and correct. These failures can result in service outages or security breaches of every stripe.

Plus, the stakes are rising with the advent of quantum computers. Quantum computers will be able to easily defeat more than 99% of the world’s encryption. In particular, the RSA and elliptic curve cryptography algorithms will be breakable in many orders of magnitude less time, rendering encrypted data subject to exposure by any attacker with access to a quantum computer. The response to this threat is deployment of new cryptographic primitives, known as post-quantum cryptography, or PQC. New PQC algorithms have emerged from a joint global effort among government, academia and industry, and standards bodies are now working to incorporate them. The eventual result will be PQC-enabled products from software, hardware and services providers available for deployment across IT systems everywhere.

Government and industry should begin preparing for PQC by inventorying their cryptography, implementing automated deployment and management solutions and establishing crypto-agility. Crypto-agility is the ability to monitor, understand and update all cryptography across all processes and environments, now and in the future. The time for this action is today.

Thank you.

8:55 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Callan.

Mrs. Gallant, you have six minutes, please.

8:55 a.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Mr. Callan, the digital ID that you mentioned, the certificates, are they just for work, or are you proposing this for everyday Canadians and personal use? Would Canadians be required by government to have them in order to access benefits and services?

8:55 a.m.

Chief Experience Officer, Sectigo

Tim Callan

That is a slightly different question. Digital certificates are foundational to every digital process we have, so Canadian citizens depend on them whether they know it or not.

If your question is whether the country should demand digital ID, as is done in a lot of European countries, that certainly is a wave that the world is moving toward. It provides a lot of benefits. It makes it easy to identify that you're real and not spoofed. Used properly, it can make interaction much easier for the average citizen who doesn't necessarily have a computer science degree. These have been used successfully in a number of European countries.

There's also a pan-European standard called eIDAS, which is used broadly across the EU and the U.K. in order to do exactly that. It is a non-trivial effort to establish these kinds of things throughout government organizations, but government is a good place to start.

8:55 a.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

So it's mainly for industry, but some people use it for personal....

Ms. Cianfarani, what are some of the resources your industries have that government does not have and is failing to understand that it doesn't have?

8:55 a.m.

President and Chief Executive Officer, Canadian Association of Defence and Security Industries

Christyn Cianfarani

When you're talking about resources, I assume you mean both services and products. The challenge right now is that much of the.... Certainly within the agencies, the resources are within the agencies and the products typically have been developed within the agencies, so there isn't a lot of bleed-over between where the capability gaps exist and the exposure of those capability gaps to the industry, because it's not in the nature of CSE to expose where it has capability gaps. That is one of the number one issues, which is that we don't know what we don't know. They do not know what we have, and we do not know where their capability gaps exist.

However, what I can say is that the industry itself, about 60% of the industry, has capability in securing networks and data infrastructure, which generally means that we look after mission assurance. Mission assurance can be for networks in threat environments, and it can also be for sensors and assets like planes, ships and tanks that operate in networked environments, as in the Canadian Armed Forces, as well as the infrastructure—like the cloud, for example—that the Canadian Armed Forces itself uses for its enterprise.

We're also very strong in niche areas like encryption, penetration testing and threat monitoring, and the space assets that we maintain, operate and deploy, such as RADARSAT-2, are used for intelligence collection and targeting.

I can tell you what we have; I just can't tell you where the capability gaps exist within the agencies.

9 a.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

That was going to be my next question.

In what ways does Canada expose itself to threats when it chooses to outsource to foreign companies as opposed to supporting its domestic infrastructure?

9 a.m.

President and Chief Executive Officer, Canadian Association of Defence and Security Industries

Christyn Cianfarani

I think we are seeing a great movement by countries to secure supply chains. I referenced CMMC, which is effectively a way in which the Americans are looking at securing their entire supply chain. We would say that failure to adopt these kinds of standards or these kinds of methodologies to ensure you have a secure supply chain is leading to increased vulnerability.

We would also suggest that what you want in this particular sector, your best way of ensuring that your vulnerabilities are reduced in this particular sector, is to employ Canadian citizens with Canadian security clearances in Canadian businesses that are paying Canadian taxes and that have Canadian supply chains. That's probably the best way you can ensure that you would be reducing the vulnerabilities, as much as possible.

9 a.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Why do you think the government supports foreign companies instead of using Canadian industries?

9 a.m.

President and Chief Executive Officer, Canadian Association of Defence and Security Industries

Christyn Cianfarani

I think the challenge is.... It may not necessarily be adopting technologies from foreign countries. I believe it's investing most of its funds, whether that's funds for resources or funds for technology, into its own organization. CSE is increasing its resource pool and increasing the software and technologies that it creates itself, for its own purposes. That is okay. We're not against that kind of behaviour or activity. We're saying that there's a lot more that the private sector—certainly the Canadian private sector—could be bringing to the table if we look at this issue holistically.

It's something our allies have realized quite quickly. In our 2020 report, I believe, we interviewed a number of security experts from other countries, particularly the U.K. and the U.S. They identified that over 50% of their cyber-operations now are split fifty-fifty between contractors and the agencies themselves. They are moving in that direction.

9 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Mrs. Gallant.

Mr. Sousa, you have six minutes, please.

9 a.m.

Liberal

Charles Sousa Liberal Mississauga—Lakeshore, ON

Thank you, Mr. Chair.

Thank you both for your testimony.

Ms. Cianfarani, I was really encouraged by your opening comments in respect of Canadian expertise, notwithstanding the fact that Canadians aren't necessarily utilizing it to the same effect as our allies and the Five Eyes. I was also struck by your comment about the supply chain and that the speed of cyber is so fast it's hard to keep up.

How do you keep up? You're a professor in this very issue and in this very space.

9 a.m.

President and Chief Executive Officer, Canadian Association of Defence and Security Industries

Christyn Cianfarani

Well, I spend a lot of time trying to keep up. I guess it comes down to having an entire industry around me that keeps me informed. We share information and we share knowledge. We have to be open to collaborating.

9 a.m.

Liberal

Charles Sousa Liberal Mississauga—Lakeshore, ON

I think that's part of your solution overall. That's exactly what you're trying to propose that others do in this space, and that Canada take a greater issue on trying to provide some of that sharing.

The supply chain risk that you talked about is critical. When I consider what you're saying, what would be your most immediate concern?

9 a.m.

President and Chief Executive Officer, Canadian Association of Defence and Security Industries

Christyn Cianfarani

There are a couple of things. One is securing the supply chain, which means, on one hand, adopting regulatory standards as they become available. We are concerned. Fifty per cent of the defence industrial base exports, half of those exports, go to the United States. If we want to be a trusted partner in an American supply chain, we will need to be moving in lockstep with them to ensure that we can be trusted partners and that they will be able to procure from us. That's number one. That's a pressing economic consideration for us as a country.

The second thing is just the sharing of information on threats. You would have seen in the papers recently that there have been breaches through the private sector, through critical infrastructure providers or through the defence industrial base. We need to ensure that there is tighter connectivity and sharing of those breaches in a proactive disclosure manner, so that we can leverage the technologies and agencies in order to get the best protections. It's that quid pro quo and it needs to be done in an institutionalized way. It can't be done every time an incursion occurs. There has to be a system that's already in place so we can draw back on it if and when, potentially, cyber-attacks escalate, which we have seen happening in the theatre of war in Ukraine right now.

9:05 a.m.

Liberal

Charles Sousa Liberal Mississauga—Lakeshore, ON

That's a good point.

Mr. Callan, we just referenced something around the overarching solution to the architecture alongside the private sector. You talked about the digital issues. Can you elaborate on what kind of flexibility, alongside our current cyber-innovations...? How are we keeping up with cyber-innovations and working more collaboratively with the private sector to enable success?

9:05 a.m.

Chief Experience Officer, Sectigo

Tim Callan

There is a very robust private sector that has a lot of activity in terms of industry standards bodies and co-operative organizations. Again, I referred to the post-quantum cryptography as a great example of this. People around the globe came together to build a new architecture that was going to be able to defend against an identified emerging threat. Canadian companies and academics did play a very important role in that. I dare say Canadians punched above their weight in this regard in this particular effort.

That's really what we need. Nothing can exist just inside the boundaries of one nation. The Internet and technology are bigger than any one country. We need to partner with each other to get the best, because the attackers do. They don't care about borders. They just care about getting what they want to get.

Working together with other organizations—be it governmental or private—around the world is how technology providers can give the very best security posture to enterprises and government, etc.

9:05 a.m.

Liberal

Charles Sousa Liberal Mississauga—Lakeshore, ON

Christyn, it was cited in one of the reports that the manufacturing sector is most at risk, especially with regard to supply. Given that Canadian companies are primarily SMEs in some of this capacity, and that critical mass exists in the States and in other parts of the world, how do we overcome that?

9:05 a.m.

President and Chief Executive Officer, Canadian Association of Defence and Security Industries

Christyn Cianfarani

As we suggested, you need almost like an institutionalized method by which you can create the connections to collaborate between industry, the private sector and the agencies or the government bodies.

In part, there has been good forward motion being taken by CCCS, the Canadian Centre for Cyber Security, which has started to stand up a portion of its organization. There are, I believe, six people right now, but it can probably use a lot more, considering the number of businesses that are out there. It has started to stand up a portion of its organization that is responsible for securing portions of the industrial base. Right now the focus is on critical infrastructure, but, as we understand it, they're starting to look at the defence industrial base, which includes the manufacturing component you're talking about.

It's this slow creeping out of the idea that we need to be engaging companies. We need to make them more aware of their responsibility to have more cyber-hygiene. In return for that, we will let those companies into the secret tent a little bit more.

9:05 a.m.

Liberal

Charles Sousa Liberal Mississauga—Lakeshore, ON

Yes, that's a good point.

Thank you, both.

Thank you, Mr. Chair.

9:05 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Sousa.

Madame Normandin, you have six minutes, please.

9:05 a.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

I thank both witnesses for being with us today.

Mr. Callan, I would like to talk about the use of digital identity by governments. Sometimes there can be a breakdown of a computer system, even without the intervention of malicious external actors. In Quebec, recently, we saw that the simple implementation of a system caused difficulties for the Société de l'assurance automobile du Québec.

When there is a malicious actor, as happened in Albania, which was the target of a cyber-attack by Iran, it is problematic. The human being often seems to be the first weak link.

In Canada, is the cyber health of Canadians good enough to ensure that the rollout of a growing number of digital government services is going well?

I'd also like to get your comments on the Internet of Things. To what extent can it be a gateway for individuals with malicious intent?