Evidence of meeting #55 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A recording is available from Parliament.

Also speaking

Tadej Nared, Chairman of the Board, Slovenian Certified Ethical Hackers Foundation, As an Individual
John de Boer, Senior Director, Government Affairs and Public Policy, Canada, BlackBerry
Tim McSorley, National Coordinator, International Civil Liberties Monitoring Group

9:15 a.m.

Liberal

Bryan May Liberal Cambridge, ON

Thank you.

In my last 10 seconds, sir, I'm wondering if it's the will of the committee that Mr. Nared talk about information that he can't share in this forum. I'm wondering if I could request that he work with the clerk to find a potential solution for that.

9:15 a.m.

Liberal

The Chair Liberal John McKay

I don't see why that's not a good idea, so we'll leave it as an instruction. Thank you for that.

With that, Madam Normandin, you have six minutes.

9:15 a.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you.

Mr. de Boer, my line of questioning will be similar to Mr. May's.

You said that one of your three priorities was being equipped to prevent incidents rather than focusing solely on incident response. Canada always seems to be in reactive mode.

Where do we need to prioritize equipment investments in order to be proactive? Do we focus on AI or post-quantum cryptography, for example?

9:15 a.m.

Senior Director, Government Affairs and Public Policy, Canada, BlackBerry

Dr. John de Boer

Thank you for your question.

What we can do immediately is ensure that the Department of National Defence, our government and our critical infrastructure are equipped with what we call the latest technologies, AI-driven technologies. That is not the case right now.

Right now there are two large problems. One is that there are not enough cyber professionals in the world. There are more than three million vacant jobs globally, and in Canada there are probably around 200,000. The Department of National Defence and critical infrastructure agencies suffer with that as well.

You have to complement that with machines, with AI, because there are more than 400,000 new malware samples a day. This is proven technology. BlackBerry's, for instance, was developed in 2012. We're in our seventh generation.

That can be implemented. Ensure in the procurement specifications, etc., that we do not include specs that tie us to previous generations of technologies, signature-based technologies. That's number one.

Number two, we have to continually invest in R & D, as was mentioned previously, to ensure that we outpace our rivals. We're already seeing cybercriminals use ChatGPT and others for phishing attacks. We need to ensure that our AI is better than their AI when it comes to defending.

That's something that we can do immediately. Quantum cryptography technologies exist, but some of those issues we need to continually work on. That is an endeavour that's ongoing. I would suggest using the technology that we have now.

Thank you.

9:15 a.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you.

You also talked about the public and private sectors working together. I'd like to hear your comments on that and a potential three-way partnership with cyber hackers. Mr. Nared can jump in as well.

Is it possible to make progress that way? Are there risks to working with cyber hacker communities?

Mr. de Boer can go first, followed by Mr. Nared.

9:15 a.m.

Senior Director, Government Affairs and Public Policy, Canada, BlackBerry

Dr. John de Boer

That's a great question.

The reality right now is that a lot of the public-private partnership or collaboration in Canada is, again, reactive. It's in the wake of an incident or an indicator of vulnerability, and it's largely one-way. We provide information to the government; it disappears into a black hole.

BlackBerry maintains good relationships with the Canadian Centre for Cyber Security, etc., but that could be much more robust.

What I would suggest, again, is moving to a prevention-first approach. Let's plan before an incident. Let's develop operational plans, contingency plans and mitigation plans in turn that clarify roles and responsibilities when a critical infrastructure system is hacked.

In terms of working with hackers, absolutely, we work with white hackers, ethical hackers, to test vulnerabilities in systems, whether that be in automobiles or in other connected devices. They're a key part of our community.

I'm not so sure about the situation in Canada, but in some contexts, their ability to work in cohort in collaboration with businesses and government is limited because the legal framework to enable that is not allowed. In the U.K., for instance, they're currently considering changing that legal framework so that there can be much more robust collaboration between the white hackers, the good hackers, and government, etc.

It's a fantastic question.

Thank you.

9:20 a.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you, Mr. de Boer.

Do you have anything to add, Mr. Nared?

9:20 a.m.

Chairman of the Board, Slovenian Certified Ethical Hackers Foundation, As an Individual

Tadej Nared

I think that the collaboration with ethical hackers is crucial if we want to secure western nations.

I would use the Pentagon's pilot bug bounty program as an example. They opened up their systems on the bug bounty platform, where ethical hackers could test the systems and report their vulnerabilities. The result was that the systems got compromised. The first report came in, I believe, in the first seven minutes and, in the first six hours, there were 200 to 300 reports. That means 300 security vulnerabilities, 300 security holes that an adversary could exploit to gain access to their systems.

Because of this collaboration, the Pentagon was more secure. I believe that it was Mr. Ash Carter who complimented the initiative and in a way concluded that they didn't realize how many good ethical hackers and how many good IT professionals there are who would like to help but don't have the opportunity to do so.

As the experience in Ukraine has shown, using crowdsourced intelligence, using crowdsourced efforts, is the key in such environments, especially in the cyber environment, to achieve desired results. Without it, I don't think it's even possible.

9:20 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Madame Normandin.

Ms. Mathyssen, you have six minutes, please.

9:20 a.m.

NDP

Lindsay Mathyssen NDP London—Fanshawe, ON

Thank you, Mr. Chair.

Thank you to all the witnesses for appearing today.

Mr. McSorley, I want to ask you something. In this committee, at the beginning of the study, we heard from Canadian intelligence agencies, CSE specifically, and they said repeatedly that Canadian intelligence agencies don't target Canadians or collect data on Canadian activity, but the BC Civil Liberties Association had a lawsuit, and one of their concluding arguments was, “What was truly shocking is how hard CSE pushes up against the edge of legality, and pushes back against even the most reasonable regulation and oversight.”

Could you comment on that in terms of how those intelligence agencies are constantly pushing against the legal boundaries that are Canadian law?

9:20 a.m.

National Coordinator, International Civil Liberties Monitoring Group

Tim McSorley

I think a lot is riding on that word “target” and what you were speaking about in terms of what the CSE presented to the committee.

It's true that the CSE, through its mandate and through the CSE Act, cannot target Canadians, but in collecting signals intelligence and in carrying out their work, including on cybersecurity and protecting cyber-infrastructure, as I mentioned, they collect all kinds of information, and then they sift through it. There's information that's known as unselected information, which is information that is not specifically targeted, but they may accumulate it in carrying out their collections, and then that information is retained, and some of that information may relate to Canadians. That's where they came into problems, as I mentioned earlier, in terms of sharing Canadian information with the Five Eyes and with other countries.

It isn't that they are targeting Canadians—there's that word “targeting”—but rather that they are incidentally collecting that information and retaining it, and it is still used in other ways, so that's what we see. When they're pushing up against the boundaries, that's what they do.

There's another category of information, metadata. Metadata isn't the communications themselves; it's all the information around the communication, like who sent the information, who received it, at what time, from where, what kind of software was used and what kind of equipment. There's a debate of long standing around whether or not metadata should be considered private information. It's been clear that metadata taken together can paint a very clear picture of what individuals do and can lead to being able to identify certain individuals, yet the CSE has consistently argued that that doesn't amount to private information. Again, it's not targeting Canadians but collecting that kind of information.

The final thing I'll mention is around publicly available information. Despite every other restriction around the CSE's collection of information, they are allowed to collect publicly available information. Again, they're not allowed to collect information that has privacy impacts on Canadians, but there's still debate around what's considered private information or what maintains a reasonable expectation of privacy. For example, regarding information that we post on social media, there's an argument that it's publicly available information, but at the same time, are we expecting that to be collected, retained and possibly shared by our national security agencies?

That was at the heart of the debate around Clearview AI. They argued that facial images of Canadians online were considered publicly available information and that they could collect it. The Privacy Commissioner ruled that it was mass surveillance and was illegal. When they brought that to the RCMP, the RCMP said that they had no obligation to ensure that if they were working with Clearview AI, they were following Canadian law.

We don't know about the CSE's work on facial recognition technology, but if we can see that with the RCMP and that approach, that definition and the lack of clarity around publicly available information, we have to be worried that the CSE would be interpreting it the same way.

March 31st, 2023 / 9:25 a.m.

NDP

Lindsay Mathyssen NDP London—Fanshawe, ON

Thank you for that.

Yes, it was mentioned within that same lawsuit, in the documents that the BC Civil Liberties Association came out with, the glossary of terms of unselected data and publicly available data and how they are used. Do laws like Bill C-59...? That lawsuit was before Bill C-59. It addressed more the old Bill C-51 problems. Specifically as we look at Bill C-26, do those laws adequately address the threats that civil libertarians are worried about in terms of taking advantage of publicly available data?

9:25 a.m.

Liberal

The Chair Liberal John McKay

Thank you.

That's a good question. You have about 30 seconds to answer it, though.

9:25 a.m.

National Coordinator, International Civil Liberties Monitoring Group

Tim McSorley

I'll just quickly say no. Several of the problems I raised were actually enshrined in Bill C-59, the creation of the CSE Act. One of the things we think needs to be done is to bolster the powers of both NSIRA and the intelligence commissioner to be able to review these kinds of activities and be able to discuss their findings publicly.

9:25 a.m.

Liberal

The Chair Liberal John McKay

Thank you.

He actually was very efficient in the response, so you'll get another 15 seconds, Ms. Mathyssen.

We're on the five-minute round and Ms. Gallant.

9:25 a.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Thank you, Mr. Chair.

My questions will be for Mr. Nared. I'm going to ask three quick questions and then he can budget his time in answering them.

We just finished a study on the Arctic in this committee. One of the recommendations is that instead of getting submarines, we should be using drones under the ice in our Arctic. We know that adversaries are currently traversing in submarines, and they have the data in real time.

Is there a vulnerability for an underwater ice drone in the Arctic in transmitting the data back to whomever, as opposed to just being there in real time and seeing for yourself? That's one question: threats for underwater ice drones.

Second, how is artificial intelligence impacting the cyber-threat environment?

Third, how can security agencies or national defence distinguish between a series of attacks, or simultaneous attacks, on communications technology or industrial control systems and tell if those are precursors of a kinetic attack?

9:25 a.m.

Chairman of the Board, Slovenian Certified Ethical Hackers Foundation, As an Individual

Tadej Nared

Thank you, Ms. Gallant, for the questions. They're excellent ones.

Regarding the drones, it's actually about the pinnacle of the cybersecurity industry. That means it's about electronic warfare. I've recently had discussions with people who are really tightly involved with the field, and it's an ongoing game of cat and mouse. It is not a question that is easily answered, but there are technologies available in drones that are built more in the private sector that make them quite electronic warfare resistant. We had an opportunity to see some of them flying over Russian territory recently, and they continue to fly, so....

It is more of an electronic warfare question. The main point here is that all those electronic warfare units are able to pass the signal, but the most crucial problem is how to transform that signal to zeros and ones, to put it plainly. That's one of the biggest challenges that electronic warfare units of Five Eyes countries or NATO countries are currently experiencing, but they are working on that.

Regarding how AI is affecting the cyber-threat environment, I would say that it is a double-edged sword. It can be used for both defensive and offensive means, as our co-witness has previously stated. ChatGPT, as an example, has become one of the largest producers of malware. It was hacked in less than a few days. Like Head Hackers, they use it efficiently not just to produce phishing emails and content related to that, but you can effectively use it to produce very sophisticated malware. It's very easy to bypass the restrictions put in place by OpenAI and basically make it write whatever code someone would think of, including to attack SCADA systems or to duplicate the STUXNET worm or whatever. It all depends on the creativity of the person talking with it.

As to how to distinguish precursory attacks as something that would lead to kinetic attacks, I would say that every precursory attack is something that will lead to a kinetic attack, especially in terms of Russia and their capabilities. I would again like to point out that just yesterday information was released regarding the Vulkan files, which are very descriptive in terms of Russian cyber-capabilities. They actually proved that they have been systematically attacking western infrastructure for years—attacking our infrastructure and our industrial control systems, such as hospitals—and whatever information they can gather, they do gather within the database, and they simply wait for the right moment to strike. It is, as I've said, a black swan in the making, and we should start taking it very seriously.

9:30 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Nared and Ms. Gallant.

Mr. Sousa, you have five minutes, please.

9:30 a.m.

Liberal

Charles Sousa Liberal Mississauga—Lakeshore, ON

Thank you, Mr. Chair.

I'd like to thank the witnesses for their presentations. We have a concern—all of us do—with regard to security measures in this country, as well as privacy and our sovereignty as a nation.

My first question is for Mr. de Boer. When we look at the notion of IP and the commercialization of IP, and the ownership of the technologies, we see that Canada seems to do well at advancing.... In fact, Canada is a pretty good supplier of infrastructure and IT to other countries, and they themselves have noted we're lagging behind just by what they see happening in other jurisdictions. I believe the science and research committee is also looking at the commercialization of IP and how to get through that valley of death you mentioned.

The questions then become these: Who adjudicates some of these deals? How do we coordinate the private sector to facilitate that engagement with the academic sector? What role does this government have to play in this? You mentioned a couple of funds that were being proposed.

I'm still struggling, though, because the mindset we have, while it may seem reactive, is that it's also a means of necessity by which to come forward with new technology and new innovation and then protect it with ownership of the IP and the patent so that others can't use it. How do you make others accountable—and other countries accountable, for that matter—for escalating some of this? Is there a real sense of...? I mean, we have Five Eyes out there, but there are misbehaviours. How do you make them accountable?

9:35 a.m.

Senior Director, Government Affairs and Public Policy, Canada, BlackBerry

Dr. John de Boer

It's a complex question, obviously, and a lot of it is outside my scope of expertise, but when it comes to protecting against, for instance, espionage or malicious behaviour that tries to either siphon off or sabotage IP and the entire R and D process, there are a couple of vulnerabilities, I think, that need to be filled immediately.

One, companies like BlackBerry, but not just BlackBerry, work very closely with the universities, research institutes and small and medium-sized businesses in Canada to create new products, new IP, across that supply chain. The security assurances required are not always in place. We need to ensure that security, guarding of the IP as we develop it, is as important as developing it itself. In essence, it should be considered a national asset. When it comes to universities, I do know that CSIS is starting to push forward programs to raise awareness about security within university research labs themselves to safeguard IP. We need to act similarly with SMEs that work on IP, so if there's one recommendation I can make....

The Insurance Bureau of Canada did a survey last year asking SMEs about whether they had invested in cybersecurity. Last year 47% of them had invested zero dollars in cybersecurity. We know that SMEs are critical to IP creation. We need to do something to incentivize these SMEs to protect their IP. They're not investing in it largely, apparently, because of the cost. It's a trade-off. I think as a government and as a society we need to shift the lens to start incentivizing security to be part of that.

The last thing I'll mention is that two years ago, ISED rolled out a fantastic program, in theory, called the Canadian digital adoption plan. The idea there was to increase the use of digital technologies by small and medium-sized businesses. Cybersecurity was not included in that initially. We worked with ISED later to include that in the assessment, but these kinds of programs need to embed cyber as a fundamental core of their operations.

9:35 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Sousa. You have eight seconds left and you're not going to get them.

9:35 a.m.

Voices

Oh, oh!

9:35 a.m.

Liberal

Charles Sousa Liberal Mississauga—Lakeshore, ON

Thank you very much, Mr. Chair.

9:35 a.m.

Liberal

The Chair Liberal John McKay

Madame Normandin, you have two and a half minutes.

9:35 a.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you.

Now I'm going to turn to Mr. McSorley.

You mentioned a number of situations that pose privacy risks as far as CSE is concerned.

I know very little about all this, so could you tell me how you obtain information on what CSE is doing? One of the things you said CSE did was track people's Wi-Fi connections at airports.

Does CSE put out that information, or do you collect information on CSE's activities in another way?