Evidence of meeting #125 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Scott Jones  Deputy Chief, Information Technology Security, Communications Security Establishment
Rajiv Gupta  Director, Standards Architecture and Risk Mitigation, Communications Security Establishment
Jim Eglinski  Yellowhead, CPC

4:35 p.m.

Liberal

The Chair Liberal John McKay

Ladies and gentlemen, our witnesses are here. Let's reconvene.

I believe our witnesses are experienced in the ways and wonders of parliamentary committees, so I'll just say welcome to Scott and Rajiv. We'll try to be as informal as possible, but it is what it is.

Whoever is going to lead off may do so.

4:35 p.m.

Scott Jones Deputy Chief, Information Technology Security, Communications Security Establishment

Good afternoon, Mr. Chair and members of the committee.

My name is Scott Jones. It's a pleasure to be back again. I'm the deputy chief of IT security at the Communications Security Establishment and the head-designate of the soon-to-be established Canadian centre for cybersecurity.

I am joined today by Rajiv Gupta, the director of standards architecture and risk mitigation. Thank you for inviting us to discuss this very important topic.

The Communications Security Establishment is the lead technical and operational agency for cyber security in the Government of Canada. We are mandated to protect information and information infrastructures of importance to the Government of Canada.

This expertise in protecting and providing information is over 70 years in the making. The protection of government communications has been a part of CSE's mission since it was first established in 1946 as the Communications Branch of the National Research Council.

It goes without saying that the world of 1946 was much different from the world of today. What has not changed, however, is the need for innovative and skilled leadership to meet the challenges of an evolving world.

Canada's new national cybersecurity strategy, announced in June of 2018, recognizes this and sets out Canada's vision for security and prosperity in the digital age. Among the new measures in this strategy is the creation of the Canadian centre for cybersecurity, to be housed at the Communications Security Establishment.

Combined with the investments made in budget 2018, these efforts will enable us to remain resilient against cyber-threats and to continue to protect the safety and security of Canadians—and there's a great deal worth protecting.

Recent innovations in technology have created incredible opportunities for economic growth in Canada. The benefits of an increasingly digital society are many and should not be understated.

The Internet has brought enormous benefits to the lives of Canadians. Many federal government services are online. Budget 2018's investments in strengthening digital services demonstrate that the government is embracing new and innovative technology.

But of course, Canadians can only reap the benefits of online commerce when they can conduct their online activities with confidence and trust. These risks should not dissuade us from adopting new technologies, but they should be acknowledged and mitigated.

Unfortunately, we have all seen how cyber-compromises can result in significant financial loss, the loss of intellectual property and reputational damage to a company, an individual, or a government. For example, recent cases involving ransomware demonstrate the increasing threat of cybercrime and the effects of a cyber-compromise.

Today's cyber-threat actors have a variety of motivations and capabilities. They include state actors, hacktivists, criminals and terrorists capable of a broad range of disruption, from denial of service attacks to the exposure of personal information.

CSE plays an important role in stopping threat actors from achieving their goals. Our expertise helps identify, prepare for, and defend against the most severe and persistent threats to Canada's systems and networks.

There are three keys to success: partnerships, appropriate authorities and talent.

Let's begin with partnerships.

Cyber security is everyone's business. Our relationships with industry are critical to defending Canada and Canadians from cyber threats.

Equally important are our relationships with other government departments, including Public Safety Canada, Shared Services Canada, the RCMP and the Canadian Security Intelligence Service.

Beyond the government and the private sector, CSE's partnerships also extend to academia and leading-edge research groups.

The Canadian centre for cybersecurity will greatly improve our ability to work with industry, other government departments, other government partners and academia. The cyber centre will consolidate the key cybersecurity operational units of the Government of Canada under a single roof. In doing so, the cyber centre will establish a unified source of expert advice, guidance, services and support on cybersecurity operational matters, providing Canadians with a clear and trusted place to turn for cybersecurity advice.

An important part of this is ensuring continuity in the functions of the Canadian Cyber Incident Response Centre—also known as CCIRC—at Public Safety, once it becomes part of the cyber centre. Specifically, a crucial element of CCIRC's work is the notification of victims in the event of a cyber-compromise. This is an important role and one that will need to continue under the cyber centre.

Second, I would like to talk about CSE's authorities.

As you all know from debates on Bill C-59, under the proposed legislation, CSE would retain its current cyber security and information assurance mandate and would be given a new authority to defend important networks outside the Government of Canada.

The proposed Communications Security Establishment Act would also explicitly allow CSE to share cyber threat information with owners of systems outside the Government of Canada, so they can better protect their networks and information. For example, CSE could more extensively share information about specific cyber threats with the owners of critical infrastructure such as communications companies or the banking sector.

Finally, the CSE act would give CSE the ability to take action online to defend important Canadian networks and proactively deter cyber-threats before they reach important Canadian systems. These new authorities will better protect Canadians' most sensitive information and important cyber-networks from compromise and strengthen Canada's cyber-defences.

Third, and most key for me, is people. Among the new measures introduced as part of the national cybersecurity strategy is funding to develop Canadian cyber-talent. We are fortunate at CSE to have incredibly bright and talented Canadians working to address these tough cyber-challenges. However, to continue the success, we need to build on this talent and harness the tremendous brain power in the cyber field that exists here in Canada.

With strong partnerships, appropriate authorities and skilled people, CSE is working to address cyber threats facing Canada. However, cyber security is everyone's responsibility, and it will take all of our expertise and innovation to remain resilient.

Thank you for your invitation. We look forward to answering your questions.

4:40 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Jones.

Mr. Picard, you have seven minutes.

4:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you, Mr. Chair.

My question will be more general, so that you can provide us with a more detailed answer.

The creation of this new centre is occurring at a time when you have clearly established the risk level we are facing in cyber security, taking into account all the threats. So that new centre is being created to address a well-established problem by dealing with specific and constantly evolving threats.

On its first day, what expertise and quality tools will that centre have to deal with the current reality? As the threats it will have to face already exist, will the centre be somewhat behind? What will be its short-term goals, and what will you need to achieve them?

4:40 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

Thank you for your question.

The first step is to establish the centre. As you said, that is something of a bureaucratic job.

What I think the key aspects of the cyber centre are going to be are building the trust and credibility to work with the private sector. We need to be very vocal about increasing all of our expectations—the private sector, the government—as we look at the security challenges we all face and start to have some of the more open discussions about the threats. All too often we concentrate on the threat after and not on the threat activity and how to raise that bar.

The first thing is increasing resilience. Canadian resilience, in general, is low. We don't talk about doing the simple things, and we're looking at defending against the most sophisticated threat. In reality, a few simple things can raise that bar for all of us and make us more immune and more resilient against basic things like cybercrime, so it's something as simple as patching our systems. Getting the message out, getting simple, straightforward advice that every Canadian can take and use is one of the first goals.

The second one is obviously establishing a centre where, if there is an incident, we are able to manage. We have done a number of exercises over the summertime to make sure we're ready to manage any incident, be it large or small, international in scope or national in scope, within the federal government or in the private sector, to make sure that we are ready to do our part so that on day one we'll be able to provide the federal lead, working with either the victim or other jurisdictions to make sure we're ready to manage an incident.

I think those are the two key things.

4:45 p.m.

Liberal

Michel Picard Liberal Montarville, QC

You just mentioned patching. Is patching a system a temporary approach to the solution that you're looking at, or is it a permanent way to work, considering the system we have, instead of rethinking the system we use?

4:45 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

Right now, with the environment we have, patching is one of the key aspects of improving our cybersecurity. Companies are releasing patches. The model in the industry is “release fast and patch what doesn't work”. The same goes for security elements as well. As they discover new things and new ways of compromising systems, vendors put out software updates. It's important that we apply those very quickly and diligently on our systems.

4:45 p.m.

Liberal

Michel Picard Liberal Montarville, QC

It's been mentioned that we will allow offensive tactics in order to better protect our system.

From a diplomatic standpoint, how do you see the impact of engaging in an offensive attack instead of taking a defensive approach? We had this conversation with I don't remember what commissioner. I asked if he considered any offensive attack as an act of war.

4:45 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

I think the key thing is that defensive cyber-operations are proposed in Bill C-59. It's a tool we can use to respond against any malicious cyber-activity.

There are a number of elements. The first one is the permission to undertake that activity. It's up to the Minister of National Defence, with consultation of the Minister of Foreign Affairs, to ensure that if there are any foreign relations aspects, they are taken into account.

But this wouldn't be the first measure, if you were taking a defensive action. You would want to increase your network defences. You would want to try to increase your resiliency against the activity. This type of activity is something that, if there were no other option, you would turn to as things escalated.

There are a number of other things we would look to do. If the activity were originating from a foreign actor, we would engage our international CCIRC community. The Canadian Cyber Incident Response Centre has relationships around the world with national computer emergency response teams to respond. We could ask them for help. We would certainly look for law enforcement, if that were a better option.

4:45 p.m.

Liberal

Michel Picard Liberal Montarville, QC

This week we received Norway's justice committee. One of their concerns was the lack of expertise, of capacity to answer the threats we have.

How do you evaluate the actual expertise that is able to work with the situation from day one? How do you address the need for more and/or better expertise?

4:45 p.m.

Liberal

The Chair Liberal John McKay

Keep the response very brief, please.

4:45 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

The expertise is an area in which we have to do two things.

In the short term we have to look outside of the traditional fields of computer science and engineering. There are other skills to be brought to bear here. There are skills that are very close to the cybersecurity analytic capabilities.

In the long term, it's about looking to build a coalition from universities and colleges, attracting more people into the field. We still have under-representation of women in science, technology, engineering and math. There is a large untapped market.

Enrolment in these fields is down in universities, yet a tremendous number of jobs are being created. How do we attract people into this field? It's one of the tertiary goals, but certainly I would like to see enrolment up and more people participating, in the long term.

4:50 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Picard.

Mr. Motz, take seven minutes, please.

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Chair.

Thank you for being here today.

Our Five Eyes allies, for example, have come out against Huawei, and I guess many people are wondering why Canada would not. As we know, their operating within Canada could obviously create some breaches in privacy that could impact our Five Eyes network.

Do we as a country, or does your establishment, have an obligation to follow suit with our allies when it comes to cyber?

4:50 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

I think it's important, as we look at our telecommunications networks, that we take the approach that we really want to look at this as an entire system and defend against all forms of cyber-risk. We look at it really from a few different viewpoints. Number one would be how we make sure that we're increasing the resilience across, regardless of where the product comes from. We want to build in security measures no matter what.

How do you make sure the supply chain is adequately protected, for example, making sure that you are bringing in products that have good security practices, which are built in as they are building the product? How do you use the technology in a way that is secure? You could take a very secure product, for example, but if you open it up to the world, you can unsecure our technology very quickly.

We have a very well-established relationship with all of the telecommunications providers in Canada. I think it's important to work on raising the resiliency bar regardless of the vendor, regardless of where the equipment is coming from, and to work collaboratively to try to make sure that this happens. It's really trying to address all of the risks and not just one specific one.

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you for that.

We heard from the experts in our first hour. I want to ask the question that I think was brought up by them. It would be good to get your perspective on it.

How does CSE balance the tension, the relationship tension, between defensive tactics and offensive tactics when it comes to our cybersecurity program and its impact on our infrastructure or any aspect of our Canadian practice and program?

4:50 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

We talk about it. We make the decision that is in the best interests of Canadian security. We look at the holistic piece. We want to make sure that Canada has secure, resilient networks that are able to operate in a way that provides confidence for our networks. At the same time, we realize that there are the tools that are needed for intelligence gathering and that there are the techniques that are required. We do have to strike a balance between understanding both sides of those coins.

At the end of the day, though, our system is designed to.... We will default to defence, meaning protecting Canada and making the decision. In reality, the decisions are much more clear-cut than that. We very rarely get something close to the edge. The decisions are very evident. If it's Canadian security, meaning releasing things for defence purposes—protecting cybersecurity, updates, etc.—we're going to do that.

If it's something that lets us protect Canada from counterterrorism and gain proper foreign intelligence, we're going to make that decision, but we always know that, no matter what, it's going to be reviewed. We're going to respond to, right now, the CSE commissioner and, at the end of the day, the court of public opinion, if we make the wrong decision. We take in a number of factors that way.

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

We heard from the Bill C-59 conversations that it's like a hockey analogy, in that it depends on the coach. They say that a good defence is a strong offence. I'm intrigued by how we always defer or default to a defensive posture when actually that defensive posture may be an offensive posture.

4:50 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

The analogy extends to a point. Then, I think, the issue really is that if we're talking about something that's a systemic vulnerability, then we default to defence, but protecting Canada through the foreign intelligence side of things is something that we obviously care deeply about. We want to make sure that we have the intelligence we need.

4:55 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

As we've seen in the election in the U.S.—it was brought up in the first hour—we are always susceptible to disinformation and misinformation from foreign actors. In our own election that's coming up within a year, how in particular do we protect ourselves from that aspect and still maintain our freedom of speech?

4:55 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

Part of it, I think, is actually having these conversations and talking about it. It's the fact that it's now in the consciousness. It's something that we can now talk about and, as consumers of information, we can start to become connoisseurs, consumers of information who are a little more judgmental, who are not just believing what we're seeing in social media.

I think the second piece is about asking questions or looking for multiple sources. I might be putting a bit too much credit in our consumption of social media. I think the other thing is that our report that we published last year on the threat to Canada's democratic process was a little piece of that in terms of trying to start the conversation.

At the end of the day, it's about our literacy, our civic literacy in what's going on, but also, can we start to talk about this and not believe everything we see?

4:55 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

I have two very quick questions.

For the first question, it's basically a yes or a no. Does our social media data sharing require regulation? That's one aspect of it. The other piece is what you mentioned in your presentation. How do we do this for small businesses that don't think of cybersecurity because they have a million other things to do? They're small. They have maybe 100 employees. Whatever the size is, it doesn't matter. How do we get them thinking differently than how they're thinking now?

I know. Those are two different questions. I'm trying to get them both in, with the chair's indulgence.

4:55 p.m.

Liberal

The Chair Liberal John McKay

The chair is not going to be very indulgent, because you only have 30 seconds.

4:55 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

On the social media regulation piece, I'm probably not the right person. I haven't really assessed that.

On the small and medium enterprise piece, part of it is that we have to raise the general resiliency bar. I think it's unreasonable to expect them to be able to launch a cyber-defence initiative like, for example, the one we run for the Government of Canada. That's unaffordable for every small and medium enterprise.

How do we raise the tide? How do we raise the general cybersecurity in the industry that they can then take advantage of? Second, how do we partner with the larger service providers, the people who provide this, for something that small and medium enterprises can consume? I think the third piece is going to be that the insurance industry has a remarkable ability to nudge small and medium enterprises, and I think that is coupled with the small and medium enterprise program that's been announced as part of the cybersecurity strategy.

I think those can all help, but at the end of the day, we have to place a value on it.

4:55 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Motz.

Mr. Dubé, please, for seven minutes.