Good morning. I thank the members of the committee for the opportunity to appear before you today.
My name is Tim Callan and I am the chief experience officer and chief compliance officer at Sectigo, which is a global leader in solutions for digital identity, public key infrastructure and digital certificates. These are foundational elements in securing digital operations and ecosystems. My experience in this technology space goes back to 2004. I have previously been a vice-president and leader at Verisign and Symantec and a member of the board of directors at DigiCert. I am co-creator and co-host of the popular IT security podcast called Root Causes, which focuses on digital identity, encryption and PKI.
Today, nearly every organization depends on digital processes. Even the most traditional and off-line of businesses cannot perform properly without the aid of both customer-facing and internal digital services that depend on complicated interconnected networks of servers, devices, work streams, automated programs and more. These systems have grown to feed each other in complex webs of interdependency, and, consequentially, the concept of an isolated system failure is becoming rarer and rarer, replaced instead by cascading failures that can bring down entire sets of services.
A perfect example is the multinational cellular outage of December 6, 2018. On that date, approximately 40 million users of O2, SoftBank and other cellular providers experienced an outage that lasted nearly a day. This owed itself to a single failure of a single system in a single third-party service provider. This failure cascaded outward until eventually the entire data networks for multiple major mobile service providers were unavailable.
The specific failure was with a digital certificate, which is a component that proves the identity of one element of a networked system. Absent proper digital identity, malicious actors can use a variety of techniques to inject themselves into the system to steal information, take down services or co-opt processes. Digital identity is irreplaceable for defence-in-depth strategies, like zero trust network access and passwordless authentication. Digital identity is necessary to securely operate modern IT architectures, such as DevOps, public cloud and the Internet of things.
Securing digital identities occurs through public key infrastructure, or PKI. PKI is a time-proven method of exchanging cryptographic keys to verify connected systems and encrypt data. PKI prevents third parties from reading or modifying data in transit and from pretending to be legitimate actors in a digital ecosystem. Most PKI implementations depend on digital certificates, which encapsulate core cryptographic functions in a way that enables essential capabilities such as life-cycle management, human-readable identity information and automatic expiration.
The question before this committee today is how to protect Canadians against evolving sophistication in cyber-threats. The events of recent years have shown us time and again that proper and comprehensive use of digital identity is essential to providing secure digital processes across businesses, government, infrastructure, finance, transportation, health care, education and nearly all other walks of life. Unfortunately, significant implementation gaps exist in organizations of all types. They may consist of poor PKI implementation, weak cryptography or failure to deploy automated certificate management to ensure all certificates are current and correct. These failures can result in service outages or security breaches of every stripe.
Plus, the stakes are rising with the advent of quantum computers. Quantum computers will be able to easily defeat more than 99% of the world’s encryption. In particular, the RSA and elliptic curve cryptography algorithms will be breakable in many orders of magnitude less time, rendering encrypted data subject to exposure by any attacker with access to a quantum computer. The response to this threat is deployment of new cryptographic primitives, known as post-quantum cryptography, or PQC. New PQC algorithms have emerged from a joint global effort among government, academia and industry, and standards bodies are now working to incorporate them. The eventual result will be PQC-enabled products from software, hardware and services providers available for deployment across IT systems everywhere.
Government and industry should begin preparing for PQC by inventorying their cryptography, implementing automated deployment and management solutions and establishing crypto-agility. Crypto-agility is the ability to monitor, understand and update all cryptography across all processes and environments, now and in the future. The time for this action is today.
Thank you.
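The certificate-inventory check the statement calls for (every certificate current, weak cryptography flagged for replacement) as an added example, not part of the testimony or of any Sectigo product: a Go package using only the standard library. `Audit`, `SelfSigned`, the 2048-bit RSA floor and the warning window are assumptions of this example, and `SelfSigned` produces constructed test certificates rather than anything from a real deployment.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Audit applies an inventory policy to DER-encoded certificates as a scanner reading them from
// disk would, returning one "subject: problem" line per violation: unparseable entry, already
// expired, expiring within warn, or carrying an RSA key shorter than 2048 bits.
func Audit(ders [][]byte, now time.Time, warn time.Duration) []string {
	var out []string
	for _, der := range ders {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			out = append(out, "unparseable entry: "+err.Error())
			continue
		}
		cn := c.Subject.CommonName
		switch {
		case now.After(c.NotAfter):
			out = append(out, cn+": expired")
		case c.NotAfter.Sub(now) < warn:
			out = append(out, cn+": expires within warning window")
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
			out = append(out, cn+": RSA key shorter than 2048 bits")
		}
	}
	return out
}

// SelfSigned builds a constructed ECDSA P-256 test certificate valid until notAfter (synthetic data).
func SelfSigned(cn string, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}
```

Call `Audit` with the DER bytes of each certificate in the estate and a warning window such as 30 days; a lapsed certificate like the one behind the 2018 outage appears as "expired", and a certificate about to lapse appears before it can take a service down.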