Evidence of meeting #125 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Scott Jones  Deputy Chief, Information Technology Security, Communications Security Establishment
Rajiv Gupta  Director, Standards Architecture and Risk Mitigation, Communications Security Establishment
Jim Eglinski  Yellowhead, CPC

5:05 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

The challenge we face is that, for us, it's very explicit. We don't direct our activities at Canadians.

When you're dealing with social media fake accounts or parody accounts—which is another thing we've seen this summer, for example—and looking at where the line between a fake account and a parody account is, the challenge we have is that those are simply not within our mandate to try to tackle. We try to increase the basic cyber-resiliency of these systems, but I think the use of social media and the constraints we would like to place on that is probably something better left to departments like the Department of Canadian Heritage, which would look at digital media and online interaction.

On the security intelligence side we would be looking for the foreign threat actors, certainly, to see if they are taking advantage of that, so we would take action. We are looking at the foreign activity that would be targeting Canada, but looking at the accounts themselves, etc., especially when you start to cross into a domestic context, would just be outside of the mandate of CSE.

5:10 p.m.

Pam Damoff Liberal Oakville North—Burlington, ON

How do you know a foreign country isn't interfering in that social media?

5:10 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

It's a challenge in terms of how we as the government respond. We would look at our law enforcement agencies, whether the RCMP or the Canadian Security Intelligence Service and where they have domestic authority, possibly, but also at how to deal with this in a more general way. Also, unfortunately, with one person, we do have this kind of model of echo chambers in which people will create the appearance of real information.

We are trying to enhance people's knowledge of what's going on and trying to draw attention to pieces of it, but at the end of the day, it is outside of our mandate to start dealing with the fake accounts themselves.

5:10 p.m.

The Chair Liberal John McKay

Mr. Paul-Hus, you have five minutes.

Go ahead, please.

5:10 p.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you, Mr. Chair.

I thank the witnesses for being here.

Recently, Five Eyes initiated proceedings against Huawei. I would like to know why Canada did not follow suit.

5:10 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

When we look at this from a Canadian perspective, it's hard for me to comment on some of the internal decisions. We don't always see the internal government debates of our Five Eyes partners, but from our perspective, we've really been trying to focus on addressing the broad cybersecurity challenges in the telecommunications space. We think we have a really effective program in terms of how we deal with the cybersecurity risks that we're facing as a country, such as the vulnerabilities that are inherent in every single telecommunications product and how we start to mitigate those.

Do you want to maybe add a few things?

5:10 p.m.

Rajiv Gupta Director, Standards Architecture and Risk Mitigation, Communications Security Establishment

Yes.

As Scott said, in Canada we take a risk-based approach, so we look at the same set of risks. We assess them within Canada. We assess our relationship with telco operators and the type of influence we have there, and we work together to address it through a risk-based approach.

We've talked a little bit about the program we have had over the past years, and we still believe that's effective in terms of mitigating the risks. It's through evaluating that program that we actually determine whether we think this is a valid way forward.

September 20th, 2018 / 5:10 p.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Don't you think that allowing that company to do business in Canada may undermine trust within Five Eyes? Couldn't the fact that the four other member countries are unanimous in their decision, but we are deciding to keep that company, make us lose our partners' trust?

As we know, there is no written document defining that group. It is built on an agreement based on mutual trust. Could we end up losing our partners' trust?

5:10 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

One of the things we've been working on sharing with our Five Eyes partners is making sure that they're aware of our program and approach, which is very comprehensive in terms of dealing with the full risks across the telecommunications spectrum. Also, there's a productive relationship that we've built with all of Canada's telecommunications providers in terms of sharing information, sharing risks and collaboratively building solutions to cybersecurity challenges. It's something not all countries enjoy and it is a very good Canadian strength. I'm quite proud of the work the team has done. We look at risks across all vendors, but all products as well, in terms of how we layer cybersecurity and make sure it's being addressed as a systemic issue.

At the end of the day, I believe we have very secure telecommunications networks because of these relationships, but it is a complicated aspect of this issue.

In the long term, we need to look at how we systemically increase our cyber-resiliency, regardless of where our product is coming from. It's a sustainable path for starting to really look at this.

5:15 p.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

As analysts have stated, Canada is reaping a number of benefits from the United States' presence, as that country provides it with a lot of information.

Is Canada's contribution proportional to its economic clout? Do the Americans feel that they are giving too much and not getting enough in return?

5:15 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

I can't really speak on behalf of the Americans on this piece, but from our perspective, we have a very advanced relationship with our telecommunications providers. Certainly from what I've seen, it's something that is different from most other countries.

We have a program that's very deep in terms of working on increasing that broader resilience piece, especially as we're looking at the next generation of telecommunications networks, making sure that we're able to evolve that program and looking at ways to innovate in cybersecurity but also increase the base cybersecurity of every product that's purchased, regardless of where it comes from in the world.

I think that's one of the biggest challenges we have. It's not about one piece; it's about how we make the whole system resilient. The communications environment is very complex, and we need to address it as a whole system.

5:15 p.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I have one last question. Do I have time for it?

5:15 p.m.

The Chair Liberal John McKay

You have 20 seconds.

It's all right, Mr. Motz will pick it up for you.

5:15 p.m.

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

I will.

5:15 p.m.

The Chair Liberal John McKay

Go ahead, Mr. Spengemann, for five minutes, please.

5:15 p.m.

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Thank you very much.

Gentlemen, thank you for being with us.

I want to go back to the paradigm that good cybersecurity means good economic security and economic competitiveness.

We're getting a lot of questions in our ridings from corporate stakeholders, even start-ups that are involved in big data. They're asking what Canada is doing.

You seem to indicate that the model we currently have is one that you're relatively happy with. Was that specific to telecoms, or is that broadly across sectors that are engaged in big data?

5:15 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

We started with the telecommunications sector. That's the area we addressed immediately. We think we have a model that we can grow in terms of applicability to other sectors, especially in critical infrastructure. More broadly, though, we have to start addressing things such as digital policy, so there's some work going on in consultations on that. I think it's important that we start to.... Cybersecurity is one element of this, and it's something that we're looking to bolster, but I also think we need to get out more information about practical things so that small and medium-sized enterprises can do what those innovators need to do to protect their intellectual property from a cyber-breach. We need to try to grow that relationship side. It's about increasing the resiliency bar. The model we've taken for the cyber centre is “security through collaboration”.

We don't have all the expertise in certain fields. We bring expertise in threat, in cryptography, and we bring a lot of expertise in terms of how to mitigate. For example, if you're looking at the critical infrastructure in the energy sector, they bring expertise into their environment, and so we have to work together. In terms of addressing things like big data, we'd look to work with big data and ask what your biggest challenges are and how we would work on that and secure the data.

5:15 p.m.

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Through an economic lens in terms of operating costs or even capital expenses, is there still room to pool resources as Canadian companies in partnership with Canadian branches of government to achieve a common baseline of cybersecurity that we could all share and benefit from?

5:15 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

I think that's absolutely one of the goals. For example, the Canadian Cyber Threat Exchange is a non-profit organization that was set up by Canadian companies. We're working with it, and in fact we'll be signing our agreement shortly with it to try to make sure that we're getting information out to all Canadian companies. It's a place to pool resources in a space where we don't need to compete. We shouldn't compete on making ourselves more secure, so how do we do that?

At the same time, we're also looking at how we can foster innovation. The cyber centre will enable companies to come together to work jointly on projects so we can start to innovate around security.

We're trying to create opportunities to bring these things together. We think that occasionally there will be problems that we might not have time to tackle or that might not be ours, but I'd be really happy if we were the matchmaker. It would be a "Here's a Canadian company that has a really good solution. Here's a Canadian company with a problem. You two might want to talk" type of thing.

5:15 p.m.

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Okay. Thank you for that. That's helpful.

Are there other countries that you've looked at that are slightly more ahead of the curve than we are that the committee could look at in greater detail to potentially inform our study?

5:15 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

Certainly I would compliment my colleagues in the United Kingdom for the creation of the National Cyber Security Centre—

5:15 p.m.

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Right.

5:15 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

—and the work they've been doing on tying that in with innovation. We certainly work very closely with them. They would be kind of first.

There are my colleagues in Australia as well. The Australian Cyber Security Centre has recently changed to a different model. The U.K. is a little bit further ahead, but those would be the two shining examples.

There are some good examples in the European space as well.

5:20 p.m.

Sven Spengemann Liberal Mississauga—Lakeshore, ON

I have a final question for the minute and a half that I have left.

In terms of the ability of the talent pool to move fluidly back and forth between the private and public sectors, you seem to suggest that there are categories or mandates that are not hampered by security classification so that people can actually move fairly freely. To what extent is that currently the case, and how can we grow that further to make sure that the talent pool really benefits both the public and private sectors?

5:20 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

That's one of the goals of the cyber centre: to be more open and transparent. In fact, we're making sure that we have a facility where people can come in and work. If you come and visit CSE now, we take all of your technology away because you're entering a top secret building. The cyber centre will not be that way. The physical facility for this will be a place where people can come and collaborate and, frankly, bring their stuff so we can see how it works and we can work together on things.

Also, I think we do need to be more fluid. There are opportunities and there are things to learn by working in each other's spaces.

There are draws in the public sector—our mission, a little bit of altruism, etc.—and there are draws in the private sector in terms of some of the innovation, the profit, and things like that. It just depends on people.