National Defence Committee on March 31st, 2023

Thank you very much.

Thank you, Mr. Chair.

On behalf of BlackBerry, I'm delighted to speak with committee members today.

For over 35 years, BlackBerry has invented and built trusted security solutions to help keep people, governments and communities safe and secure. Today, we are a global leader in cybersecurity software and services. We protect more than 500 million systems worldwide. Our customers include all G7 governments, NATO, 45 of the Fortune 100 companies and nine of the top 10 banks, just to name a few.

Given that every aspect of our lives is intertwined with the cyberspace, we must act proactively to decrease our cyber-risks in Canada. This can be done by adopting technologies and approaches that have proven to prevent cyber-attacks.

Required, however, is a fundamental shift in our approach from the current reactive model to a proactive stance, and from a focus on incident response to a prevention-first approach to cybersecurity. At an operational level, that means, first, ensuring that we are equipped with the most advanced AI-driven cybersecurity solutions that can prevent malware before it executes. Second, that means clarity in roles when it comes to cyber-preparedness and response. Third, it means enhancing public-private collaboration to boost our collective cyber-defence.

When it comes to technology, the majority of today's cybersecurity solutions operate on the model of knowns. These are known malware, known attack techniques and known attackers. These knowns are based on a collection of malware samples and indicators of compromise. Once these knowns are gathered, they are triaged, examined and published into cloud repositories, and only after that are systems updated, tested and tuned to defend against these known threats.

This reactive model forces us to deal with the after-effects of a cyber-attack. We need to shift our focus from this incident response to incident prevention.

At BlackBerry, we know this can be done, because in the last 90 days, we stopped more than 1.5 million malware-based cyber-attacks, including more than 200,000 new malware samples, before they had a chance to execute. We did this by leveraging advanced AI and machine learning to continuously uncover and prevent attacks, including ones that had never been seen before. Without prevention-first, advanced AI-driven cyber-solutions like these, Canada is constantly in reactive mode.

Proactive defence also requires clear role definition and a unity of effort. Today, cyber-responsibilities in the federal government are distributed across at least 12 departments and agencies. Multiple ministers have cyber-responsibilities, yet it is unclear who leads and who is responsible for ensuring coherence and a unity of effort.

When cybersecurity doesn't have a dedicated person pushing and fighting for the issue, it sits in the middle of everyone's priority list.

Australia and the U.S. tackled this issue head-on by appointing a cyber minister. In the case of the U.S., it was a presidentially nominated and congressionally confirmed national cyber director. Canada should consider establishing a cabinet or other senior position responsible for ensuring government-wide coherence and action on cybersecurity.

Finally, improving public-private collaboration on cybersecurity should be a priority. Companies like BlackBerry have unique insights and expertise to defend against adversaries, while federal agencies have the means and authorities to act. We should foster proactive collaboration between government and the private sector at the operational level. This would help close gaps in our situation awareness, foster incident response playbooks that are aligned and help create a culture of proactive collaboration at scale.

BlackBerry stands ready to work with the committee to strengthen Canada's cyber-resilience. I thank you for this opportunity today.

Thank you very much, Chair, for the opportunity to speak to the committee today.

The International Civil Liberties Monitoring Group is a Canadian coalition that serves as a watchdog around national security, anti-terrorism and civil liberties in Canada. We have long-standing experience examining Canadian work regarding surveillance and cyber-activities, including the work of the Communications Security Establishment.

We agree that it is vital that Canada take steps to modernize cybersecurity laws to protect the private information of Canadians and the information infrastructure on which we rely. It is also clear that as cyber-attacks increase in activity and sophistication, Canada must take steps to defend itself; however, these actions must not come at the cost of accountability and transparency of government activities, including those of the CSE.

In our work, we have seen how overly broad powers and extensive secrecy result in the violation of the rights of Canadians and people in Canada. This can have real-world impacts, including when the information of Canadians and people in Canada is shared internationally with the Five Eyes as well as with other foreign agencies. When this information is in the hands of foreign jurisdictions, Canada loses control over how the information may be used, including in ways that can result in rights violations, abuse and even torture.

We also disagree with the premise that the private information of non-Canadians outside of Canada is simply fair game for mass collection and retention. This approach reinforces ongoing global systems of mass surveillance and associated rights violations.

This was revealed in detail by Edward Snowden, and while it did lead to promises of reform within Canada, it is unclear to what degree the CSE's activities have truly changed. While many of these concerns are related to the CSE's signals intelligence work, they also apply to CSE's cybersecurity and cyberwarfare activities. For example, while the CSE may have two distinct areas within its mandate, signals intelligence and cybersecurity and information assurance, they do not exist in a silo.

Recently, the BC Civil Liberties Association published material obtained from disclosure in their lawsuit against the federal government regarding the CSE's operations. These documents revealed, for example, that under an agreement with the former department of foreign affairs, information that CSE collected during its provision of cybersecurity support to the department, including the private communications of Canadians, could be shared with its Five Eyes counterparts. While this agreement dates to 2012, this concern persists under the CSE Act adopted in 2019.

Specifically, the National Security and Intelligence Review Agency, or NSIRA, noted in its 2021 annual report that the CSE Act explicitly allows for this kind of information sharing between the CSE's various mandates, including cybersecurity and foreign intelligence. NSIRA raised concerns that this sharing must be narrow and case by case and that the CSE should obtain legal advice on compliance with the Privacy Act. The CSE disagreed.

Why is this important? Bill C-26, currently being studied by Parliament, would formalize the CSE's role in ensuring the protection of cyber-infrastructure and would see the CSE obtain information about the security of critical infrastructure.

This means that a lot more information will flow to the CSE, including potentially private information relating to Canadians. Without adequate safeguards in place, both in the CSE Act and Bill C-26, information collected by the CSE, including information relating to Canadians, could be used in unexpected ways and shared with unaccountable foreign partners.

For more on this, I'd like to direct the committee to an open letter that we co-signed with several other civil society groups regarding a recent report from Citizen Lab entitled “Cyber Security Will Not Thrive in Darkness”. I can send those along to the committee afterwards.

The CSE also has a troubling history of obfuscating the nature of its work and violating its mandate. For example, the CSE tracked the Wi-Fi connections of Canadians at major airports, despite not being allowed to conduct surveillance within Canada. It collected massive amounts of Internet traffic through 200 Internet backbone sites worldwide. Despite prohibition, it regularly collects Canadians' information. It received it from foreign partners, and it violated Canadian law for five years by failing to minimize Canadian information shared with Five Eyes partners.

The CSE also resists fully complying with review and oversight. For example, the CSE refuses to grant NSIRA full access to records that the agency needs to carry out its review function. Instead, the CSE requires NSIRA to submit a request, and CSE staff provide what they say are relevant documents. This approach, NSIRA wrote in its latest annual report, “undercuts NSIRA's authority to decide whether information relates to its reviews and contributes to significant delays in the provision of information to NSIRA.”

The intelligence commissioner has also raised concerns that CSE authorizations for both foreign intelligence and cybersecurity have not included information crucial to the approval process, particularly regarding the outcomes of previous authorized activities or explanations of specific activities based on facts.

Finally, NSIRA has also raised concerns that the CSE is not providing adequate information on the impact of active or defensive cyber-operations nor appropriately delineating between the two kinds of activities, despite each requiring a different approval process.

I do have some recommendations, very short ones, but I will save those for the question period.

Thank you very much.

Thank you, Mr. Chair. It's an excellent organization.

The focus of cybersecurity up until now has been largely on what we call enterprise IT systems. One of the largest gaps that has emerged is in operational technology. These are typically systems that control, for instance, an electricity grid, gas-powered turbines, industrial control systems in pipelines, etc. A lot of these systems are now coming online. What we witnessed in the U.S., for instance, related to the Colonial Pipeline attack, or even in Florida's Oldsmar water system, is that these systems were not designed to be connected to the Internet, including farm equipment etc., and people are now trying to enable optimization through connection to the Internet.

We noted, for instance, in the manufacturing sector over the past year that the number of attacks has risen by 2,000%. The three sectors most targeted over the past year by cyber-criminals have been health care, financing and manufacturing, but manufacturing is rising the most quickly. Why? Our assessment is that because of the supply chain vulnerabilities that we're seeing and because of the intrinsic link between economic security and national security and the fact, as I mentioned earlier, that everything is intertwined, those are becoming increasing attack vectors.

Cybercrime, which is the term we usually use to describe both industrial espionage and ordinary crime activities, is in fact the third-largest economy in the world. By 2025, the damage resulting from cybercrime is going to amount to $15 trillion. It grows by an amount of $1,500 billion a year. It is a huge problem. Efforts conducted in this matter are not on par with the damage that is occurring and growing.

Taking into account what the previous witness was talking about, attacks on critical infrastructure especially, which are forbidden by the Geneva Conventions because they attack civilian infrastructure, are growing daily. We have to take nation-state actors into account, especially Russia.

This was what I was trying to bring into force before the Vulkan files. Before, we were just speculating on their capabilities, but now we are certain, and we have confirmation that they are collecting data all over the world. They are compromising systems, power plants, hydroelectric power plants, electricity grids and civilian infrastructure from hospitals to everything else. They are collecting that, scanning systematically and collecting vulnerabilities in one huge, giant database and preparing, in a way, for a black swan scenario.

What I'm really concerned about is that western countries, NATO countries, are not protecting their infrastructure in the manner that they should be. It is a huge problem, and it should be addressed promptly.

Just very briefly, it's clear that there's a role for the federal government in supporting private companies in increasing their cybersecurity and protecting national security. We think that one thing that's key to this is that there's trust and transparency around that process so that private companies can trust what the government is going to be doing when they provide that support. The public needs that trust and understanding around what those services are. We think that needs to be a central component of legislation like Bill C-26.

That was in 2021, but the data remains the same today. We are laggers when it comes to R and D investment. While we welcome, for instance, the renewal and revision of the SR & ED announced very recently, enterprises benefit much more from developing R and D outside of Canada, particularly multinational corporations, because there are much more collaborative support systems in place, whether with university-based research or elsewhere.

BlackBerry has made a commitment to invest in Canada. We invest about 24% of our annual revenue in R and D, working very closely with Canadian universities, etc., but not all companies are incentivized to do so.

There really needs to be a concerted partnership between government and the private sector, not all across the board, but betting in particular niche areas where Canada has a comparative advantage. Our post here was that cybersecurity is one of the areas where Canada has a comparative advantage. We rank fourth in the world in the number of cybersecurity companies, but we're not keeping up the pace with Israel, the U.K. or the U.S., which is far ahead of us.

I think one of the key things here is commercialization.

There's a lot of what we call lower TRL—technology readiness level—or very initial-stage R & D that takes place in Canada, but then, after it passes this initial stage, it goes through something called the valley of death, which means that it's very difficult to productize this R & D here in Canada.

There are very few programs, for instance, that support Canadian companies to help launch initial products to test them and get them to market, while in the United States, for example—of course, U.S. government procurement budgets are much larger—their procurement process is much more agile. They have systems in place to help companies get through that valley of death to help commercialize their products.

One of the suggestions that we put forward with the Canadian Chamber of Commerce was to establish a Canadian commercialization fund that would help Canadian companies move towards that productization.

The Canada innovation corporation, which was announced in the 2022 budget, may be a start, but we have yet to have very much detail about that. We're hopeful that the whole commercialization question there, which will help commercialized products here in Canada keep IP in Canada, would be a key aspect to that question.

BlackBerry, because it created devices, was very focused on ensuring that all of the components in those devices, including software, were what they said they were. We even developed software that helped us identify the provenance of each component.

This is a huge concern in the U.S. You have executive order 14028, which is about the nation's cybersecurity. It mandates what they call a software bill of materials that would basically produce an ingredients list of all software contained in every device. Right now, if you ask people what software is in their system or in their device, very few people know about it.

Part of the problem is also open-source software. This is free software available on the Internet that is used widely, but there are high security vulnerabilities there.

I think one thing that Canada should consider that many other countries in the EU and the U.S. are considering is making sure that there's a commitment to secure-by-design principles. You can't bolt on security afterwards.