Public Safety Committee on Sept. 20th, 2018

I would love to see that. I think it would be very creative.

I have two questions, and they're kind of related.

Under Bill C-59, you've been given the authority to lead the cyber centre, and you talk about the other government agencies: Public Safety, Shared Services, the RCMP, Canadian Security Intelligence Service, the military.

Being a former policeman and having been involved in major crimes in larger communities, I know there are always conflicts, perhaps the bullheadness of one department over another department.

You've had some time since Bill C-59 came out, and we have been discussing it in the House and around. Are your agencies getting together already and working together? Do you see that this will be a fairly easy transition and a joint effort, or do you feel that there may be some stumbling blocks and pressure back and forth maybe because you've been given the lead?

The cyber centre, when it stands up in about 10 days from now, will be relatively new. However, we have long-established relationships in terms of deconflicting. For example, cybercrime is the scourge of the Internet. We'd love to see law enforcement. I'd love to see some successful prosecutions so that we could start to create a disincentive for cybercriminals. With regard to our work with the cybercrime coordination unit that the RCMP will be setting up, for example, we're looking at making sure that we're in the same building so that we can be co-located.

We have a long-standing body that sits down with the Royal Canadian Mounted Police and the Canadian Security Intelligence Service just to make sure that we're deconflicting anything operationally and that we're assigning the appropriate lead. For example, in the case of a national security investigation, I want CSIS to be able to go out and do some work on that, but we'll support in the mitigation piece. We know how to remediate the threat. We know how to work with the company and we want to see successful prosecutions. We want people to report cybercrime.

We're working it out. I've been in this long enough to know that there'll be some hiccups and that there'll likely be a little bit of posturing, but we're trying this out.

You led into my second question.

We have a number of accredited police forces across Canada that have cybersecurity departments and details. I imagine they work very closely with the RCMP, as you are. Do you foresee developing a program to work with the other police forces—city police in Vancouver, Edmonton and Calgary, let's say—that already have these departments set up?

Do you see anywhere that you may, as a federal agency, assist these police departments financially? A lot of them are municipal police departments that are actually doing work to protect Canada. Do you see a role whereby maybe you can financially assist or help or train these other departments across Canada?

Certainly, we'd look to work with the RCMP on that to engage all law enforcement and to follow their lead on that.

In terms of financial contributions, it's not really within our authority or remit to do those types of things, but we do offer training. We run our IT security learning centre right now, where we do offer training. For example, I know that we've had a few provincial police forces come in for training programs, etc., in terms of IT security. I think we'd really look to leverage that relationship with the RCMP and things like the national police college and do what we can to try to support training in that environment.

Certainly this is something that we see as police forces. We need to be able to work together. Also, we need to know when to get out of the way and allow the police forces to do their important work without any tainting of the evidence, right? At the end of the day, I really encourage that.

I'm not sure which one of you mentioned this earlier, but how do we ramp up the training of our Canadian people to give them the intelligence and the ability to work within your department and other departments? I want your opinion on that. How do we go about that? We need to go about it fairly quickly.

In terms of training and helping...?

Yes.

I think there are a few things. It's in cyber-literacy. It's in demystifying IT. We've made it the domain only of experts, and yet we all use it every day. Most people are scared to actually touch it when it breaks, etc. It shouldn't be that hard. As an industry, we have to get better at that.

I think the second piece is that we need to draw people into the programs. The fact is that there isn't the enrolment. We went to one of the universities that was one of the biggest recruiters in 1999 for CSE. The computer science class is a quarter of what it was that year. That doesn't bode well for being able to recruit people into the cyber-field, regardless of whether it's in government or the private sector. I think those are the things that we really have to start concentrating on.

Sure. Assemblyline is the system we use when doing malware analysis. Let's say you're getting a malicious file. How do we break it down and basically do all the cyber-analysis? We automate it. That's how we scale for the government. It wasn't done by people; it was done by automating and taking advantage of some creative things. Also, we open-sourced that. We made the code freely available to the world.

In terms of what worked really well, it was aimed at cybersecurity professionals, people who do this for a living, and we did see pickup around the world for it. Also, people are contributing back in.

It is a lot of work to maintain an open-source project. When we release this, we have to continually invest in it managing the open-source software, etc.

I think that on the whole it's been very good for us, not just from a public perception point of view of us putting something out there, but in trying to add a tool into the cyber-community.

My goal would be to see more people contribute to it and make it better, and see where can we use it across Canadian.... We're starting to see pickup for that. Also, how do we now start to share some of the analytic components that ride on top of it?

We made the tool available. We didn't make our instance of the tool available. You can download the software, install the software on your system, and run it in your own environment to protect it. It's not connected in, so you don't use our instance of the tool, and we don't collect.... It's not a data collection platform or anything like that.

Patching is number one. It really is.

The second one, depending on what infrastructure you're using, is just not logging in as administrator, not logging in with super privileges, etc. That's a simple thing. It just slows things down.

There is also backing up your data. If you have something critical, make sure you're backing it up, because if ransomware hits, then all you do is restore and you get your data back, and things like that. I'm kind of making it a little simpler than it really is in practice, but these are some basic resiliency things that we'd really look at doing.

We've put out our top 10. Those are more oriented towards larger organizations, but I can translate those into personal actions. It's also knowing what's important to you and making sure you're protecting it, such as keeping backups. For me, I care about family photos and things like that. I honestly don't care about the email I'll never read again that I get on my personal email.

In some cases, it's inconvenient. It's inconvenient to update. It's inconvenient to run the patches, etc. In other cases, people just don't see the need. They say, “It's working for me. It's good enough” or “I'm afraid I'll break it.” That's kind of an unfortunate legacy of our industry.

Right now, in some cases, it's the product itself. It's not updating itself frequently enough. When you buy into, let's say, a smart phone, you're buying into an ecosystem, so if it is the vendor who updates it, it could be a really cheap device that doesn't come with good support. Things like that all kind of factor into things. Sometimes it's manual, so some of the systems actually take a lot of manual effort to update versus some of the easier ones, for which, frankly, a little red bubble appears, and you just hit “Install” and you're good to go. It's kind of all of those factors. Sometimes we make it really hard in the industry.