Evidence of meeting #125 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was things.
A recording is available from Parliament.
Liberal
The Chair Liberal John McKay
Ladies and gentlemen, our witnesses are here. Let's reconvene.
I believe our witnesses are experienced in the ways and wonders of parliamentary committees, so I'll just say welcome to Scott and Rajiv. We'll try to be as informal as possible, but it is what it is.
Whoever is going to lead off may do so.
Scott Jones Deputy Chief, Information Technology Security, Communications Security Establishment
Good afternoon, Mr. Chair and members of the committee.
My name is Scott Jones. It's a pleasure to be back again. I'm the deputy chief of IT security at the Communications Security Establishment and the head-designate of the soon-to-be established Canadian centre for cybersecurity.
I am joined today by Rajiv Gupta, the director of standards architecture and risk mitigation. Thank you for inviting us to discuss this very important topic.
The Communications Security Establishment is the lead technical and operational agency for cyber security in the Government of Canada. We are mandated to protect information and information infrastructures of importance to the Government of Canada.
This expertise in protecting and providing information is over 70 years in the making. The protection of government communications has been a part of CSE's mission since it was first established in 1946 as the Communications Branch of the National Research Council.
It goes without saying that the world of 1946 was much different from the world of today. What has not changed, however, is the need for innovative and skilled leadership to meet the challenges of an evolving world.
Canada's new national cybersecurity strategy, announced in June of 2018, recognizes this and sets out Canada's vision for security and prosperity in the digital age. Among the new measures in this strategy is the creation of the Canadian centre for cybersecurity, to be housed at the Communications Security Establishment.
Combined with the investments made in budget 2018, these efforts will enable us to remain resilient against cyber-threats and to continue to protect the safety and security of Canadians—and there's a great deal worth protecting.
Recent innovations in technology have created incredible opportunities for economic growth in Canada. The benefits of an increasingly digital society are many and should not be understated.
The Internet has brought enormous benefits to the lives of Canadians. Many federal government services are online. Budget 2018's investments in strengthening digital services demonstrate that the government is embracing new and innovative technology.
But of course, Canadians can only reap the benefits of online commerce when they can conduct their online activities with confidence and trust. These risks should not dissuade us from adopting new technologies, but they should be acknowledged and mitigated.
Unfortunately, we have all seen how cyber-compromises can result in significant financial loss, the loss of intellectual property and reputational damage to a company, an individual, or a government. For example, recent cases involving ransomware demonstrate the increasing threat of cybercrime and the effects of a cyber-compromise.
Today's cyber-threat actors have a variety of motivations and capabilities. They include state actors, hacktivists, criminals and terrorists capable of a broad range of disruption, from denial of service attacks to the exposure of personal information.
CSE plays an important role in stopping threat actors from achieving their goals. Our expertise helps identify, prepare for, and defend against the most severe and persistent threats to Canada's systems and networks.
There are three keys to success: partnerships, appropriate authorities and talent.
Let's begin with partnerships.
Cyber security is everyone's business. Our relationships with industry are critical to defending Canada and Canadians from cyber threats.
Equally important are our relationships with other government departments, including Public Safety Canada, Shared Services Canada, the RCMP and the Canadian Security Intelligence Service.
Beyond the government and the private sector, CSE's partnerships also extend to academia and leading-edge research groups.
The Canadian centre for cybersecurity will greatly improve our ability to work with industry, other government departments, other government partners and academia. The cyber centre will consolidate the key cybersecurity operational units of the Government of Canada under a single roof. In doing so, the cyber centre will establish a unified source of expert advice, guidance, services and support on cybersecurity operational matters, providing Canadians with a clear and trusted place to turn for cybersecurity advice.
An important part of this is ensuring continuity in the functions of the Canadian Cyber Incident Response Centre—also known as CCIRC—at Public Safety, once it becomes part of the cyber centre. Specifically, a crucial element of CCIRC's work is the notification of victims in the event of a cyber-compromise. This is an important role and one that will need to continue under the cyber centre.
Second, I would like to talk about CSE's authorities.
As you all know from debates on Bill C-59, under the proposed legislation, CSE would retain its current cyber security and information assurance mandate and would be given a new authority to defend important networks outside the Government of Canada.
The proposed Communications Security Establishment Act would also explicitly allow CSE to share cyber threat information with owners of systems outside the Government of Canada, so they can better protect their networks and information. For example, CSE could more extensively share information about specific cyber threats with the owners of critical infrastructure such as communications companies or the banking sector.
Finally, the CSE act would give CSE the ability to take action online to defend important Canadian networks and proactively deter cyber-threats before they reach important Canadian systems. These new authorities will better protect Canadians' most sensitive information and important cyber-networks from compromise and strengthen Canada's cyber-defences.
Third, and most key for me, is people. Among the new measures introduced as part of the national cybersecurity strategy is funding to develop Canadian cyber-talent. We are fortunate at CSE to have incredibly bright and talented Canadians working to address these tough cyber-challenges. However, to continue the success, we need to build on this talent and harness the tremendous brain power in the cyber field that exists here in Canada.
With strong partnerships, appropriate authorities and skilled people, CSE is working to address cyber threats facing Canada. However, cyber security is everyone's responsibility, and it will take all of our expertise and innovation to remain resilient.
Thank you for your invitation. We look forward to answering your questions.
Liberal
Liberal
Michel Picard Liberal Montarville, QC
Thank you, Mr. Chair.
My question will be more general, so that you can provide us with a more detailed answer.
The creation of this new centre is occurring at a time when you have clearly established the risk level we are facing in cyber security, taking into account all the threats. So that new centre is being created to address a well-established problem by dealing with specific and constantly evolving threats.
On its first day, what expertise and quality tools will that centre have to deal with the current reality? As the threats it will have to face already exist, will the centre be somewhat behind? What will be its short-term goals, and what will you need to achieve them?
Deputy Chief, Information Technology Security, Communications Security Establishment
Thank you for your question.
The first step is to establish the centre. As you said, that is something of a bureaucratic job.
What I think the key aspects of the cyber centre are going to be are building the trust and credibility to work with the private sector. We need to be very vocal about increasing all of our expectations—the private sector, the government—as we look at the security challenges we all face and start to have some of the more open discussions about the threats. All too often we concentrate on the threat after and not on the threat activity and how to raise that bar.
The first thing is increasing resilience. Canadian resilience, in general, is low. We don't talk about doing the simple things, and we're looking at defending against the most sophisticated threat. In reality, a few simple things can raise that bar for all of us and make us more immune and more resilient against basic things like cybercrime, so it's something as simple as patching our systems. Getting the message out, getting simple, straightforward advice that every Canadian can take and use is one of the first goals.
The second one is obviously establishing a centre where, if there is an incident, we are able to manage. We have done a number of exercises over the summertime to make sure we're ready to manage any incident, be it large or small, international in scope or national in scope, within the federal government or in the private sector, to make sure that we are ready to do our part so that on day one we'll be able to provide the federal lead, working with either the victim or other jurisdictions to make sure we're ready to manage an incident.
I think those are the two key things.
Liberal
Michel Picard Liberal Montarville, QC
You just mentioned patching. Is patching a system a temporary approach to the solution that you're looking at, or is it a permanent way to work, considering the system we have, instead of rethinking the system we use?
Deputy Chief, Information Technology Security, Communications Security Establishment
Right now, with the environment we have, patching is one of the key aspects of improving our cybersecurity. Companies are releasing patches. The model in the industry is “release fast and patch what doesn't work”. The same goes for security elements as well. As they discover new things and new ways of compromising systems, vendors put out software updates. It's important that we apply those very quickly and diligently on our systems.
Liberal
Michel Picard Liberal Montarville, QC
It's been mentioned that we will allow offensive tactics in order to better protect our system.
From a diplomatic standpoint, how do you see the impact of engaging in an offensive attack instead of taking a defensive approach? We had this conversation with I don't remember what commissioner. I asked if he considered any offensive attack as an act of war.
Deputy Chief, Information Technology Security, Communications Security Establishment
I think the key thing is that defensive cyber-operations are proposed in Bill C-59. It's a tool we can use to respond against any malicious cyber-activity.
There are a number of elements. The first one is the permission to undertake that activity. It's up to the Minister of National Defence, with consultation of the Minister of Foreign Affairs, to ensure that if there are any foreign relations aspects, they are taken into account.
But this wouldn't be the first measure, if you were taking a defensive action. You would want to increase your network defences. You would want to try to increase your resiliency against the activity. This type of activity is something that, if there were no other option, you would turn to as things escalated.
There are a number of other things we would look to do. If the activity were originating from a foreign actor, we would engage our international CCIRC community. The Canadian Cyber Incident Response Centre has relationships around the world with national computer emergency response teams to respond. We could ask them for help. We would certainly look for law enforcement, if that were a better option.
Liberal
Michel Picard Liberal Montarville, QC
This week we received Norway's justice committee. One of their concerns was the lack of expertise, of capacity to answer the threats we have.
How do you evaluate the actual expertise that is able to work with the situation from day one? How do you address the need for more and/or better expertise?
Deputy Chief, Information Technology Security, Communications Security Establishment
The expertise is an area in which we have to do two things.
In the short term we have to look outside of the traditional fields of computer science and engineering. There are other skills to be brought to bear here. There are skills that are very close to the cybersecurity analytic capabilities.
In the long term, it's about looking to build a coalition from universities and colleges, attracting more people into the field. We still have under-representation of women in science, technology, engineering and math. There is a large untapped market.
Enrolment in these fields is down in universities, yet a tremendous number of jobs are being created. How do we attract people into this field? It's one of the tertiary goals, but certainly I would like to see enrolment up and more people participating, in the long term.
Liberal
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Thank you, Chair.
Thank for being here today.
Our Five Eyes allies, for example, have come out against Huawei, and I guess many people are wondering why Canada would not. As we know, their operating within Canada could obviously create some breaches in privacy that could impact our Five Eyes network.
Do we as a country, or does your establishment, have an obligation to follow suit with our allies when it comes to cyber?
Deputy Chief, Information Technology Security, Communications Security Establishment
I think it's important, as we look at our telecommunications networks, that we take the approach that we really want to look at this as an entire system and defend against all forms of cyber-risk. We look at it really from a few different viewpoints. Number one would be how we make sure that we're increasing the resilience across, regardless of where the product comes from. We want to build in security measures no matter what.
How do you make sure the supply chain is adequately protected, for example, making sure that you are bringing in products that have good security practices, which are built in as they are building the product? How do you use the technology in a way that is secure? You could take a very secure product, for example, but if you open it up to the world, you can unsecure our technology very quickly.
We have a very well-established relationship with all of the telecommunications providers in Canada. I think it's important to work on raising the resiliency bar regardless of the vendor, regardless of where the equipment is coming from, and to work collaboratively to try to make sure that this happens. It's really trying to address all of the risks and not just one specific one.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Thank you for that.
We heard from the experts in our first hour. I want to ask the question that I think was brought up by them. It would be good to get your perspective on it.
How does CSE balance the tension, the relationship tension, between defensive tactics and offensive tactics when it comes to our cybersecurity program and its impact on our infrastructure or any aspect of our Canadian practice and program?
Deputy Chief, Information Technology Security, Communications Security Establishment
We talk about it. We make the decision is in the best interests of Canadian security. We look at the holistic piece. We want to make sure that Canada has secure, resilient networks that are able to operate in a way that provides confidence for our networks. At the same time, we realize that there are the tools that are needed for intelligence gathering and that there are the techniques that are required. We do have to strike a balance between understanding both sides of those coins.
At the end of the day, though, our system is designed to.... We will default to defence, meaning protecting Canada and making the decision. In reality, the decisions are much more clear-cut than that. We very rarely get something close to the edge. The decisions are very evident. If it's Canadian security, meaning releasing things for defence for purposes—protecting cybersecurity, updates, etc.—we're going to do that.
If it's something that lets us protect Canada from counterterrorism and gain proper foreign intelligence, we're going to make that decision, but we always know that, no matter what, it's going to be reviewed. We're going to respond to, right now, the CSE commissioner and, at the end of the day, the court of public opinion, if we make the wrong decision. We take in a number of factors that way.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
We heard from the Bill C-59 conversations that it's like a hockey analogy, in that it depends on the coach. They say that a good defence is a strong offence. I'm intrigued by how we always defer or default to a defensive posture when actually that defensive posture may be an offensive posture.
Deputy Chief, Information Technology Security, Communications Security Establishment
The analogy extends to a point. Then, I think, the issue really is that if we're talking about something that's a systemic vulnerability, then we default to defence, but protecting Canada through the foreign intelligence side of things is something that we obviously care deeply about. We want to make sure that we have the intelligence we need.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
As we've seen in the election in the U.S.—it was brought up in the first hour—we are always susceptible to disinformation and misinformation from foreign actors. In our own election that's coming up within a year, how in particular do we protect ourselves from that aspect and still maintain our freedom of speech?
Deputy Chief, Information Technology Security, Communications Security Establishment
Part of it, I think, is actually having these conversations and talking about it. It's the fact that it's now in the consciousness. It's something that we can now talk about and, as consumers of information, we can start to become connoisseurs, consumers of information who are a little more judgmental, who are not just believing what we're seeing in social media.
I think the second piece is about asking questions or looking for multiple sources. I might be putting a bit too much credit in our consumption of social media. I think the other thing is that our report that we published last year on the threat to Canada's democratic process was a little piece of that in terms of trying to start the conversation.
At the end of the day, it's about our literacy, our civic literacy in what's going on, but also, can we start to talk about this and not believe everything we see?
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
I have two very quick questions.
For the first question, it's basically a yes or a no. Does our social media data sharing require regulation? That's one aspect of it. The other piece is what you mentioned in your presentation. How do we do this for small businesses that don't think of cybersecurity because they have a million other things to do? They're small. They have maybe 100 employees. Whatever the size is, it doesn't matter. How do we get them thinking differently than how they're thinking now?
I know. Those are two different questions. I'm trying to get them both in, with the chair's indulgence.
Liberal
The Chair Liberal John McKay
The chair is not going to be very indulgent, because you only have 30 seconds.
Deputy Chief, Information Technology Security, Communications Security Establishment
On the social media regulation piece, I'm probably not the right person. I haven't really assessed that.
On the small and medium enterprise piece, part of it is that we have to raise the general resiliency bar. I think it's unreasonable to expect them to be able to launch a cyber-defence initiative like, for example, the one we run for the Government of Canada. That's unaffordable for every small and medium enterprise.
How do we raise the tide? How do we raise the general cybersecurity in the industry that they can then take advantage of? Second, how do we partner with the larger service providers, the people who provide this, for something that small and medium enterprises can consume? I think the third piece is going to be that the insurance industry has a remarkable ability to nudge small and medium enterprises, and I think that is coupled with the small and medium enterprise program that's been announced as part of the cybersecurity strategy.
I think those can all help, but at the end of the day, we have to place a value on it.
Liberal