Evidence of meeting #145 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was enforcement.
A recording is available from Parliament.
5:20 p.m.
Acting Director General, National Cybercrime Coordination, Royal Canadian Mounted Police
Yes. As I've already mentioned, the partnerships with the private sector are very important for the new unit. The public sector, private sector, police officers and other stakeholders will work together to address these threats.
5:20 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
From the beginning, we've been in reactive or defensive mode. Attacks occur, and we must then determine whether our systems are effective. You're currently responding to complaints. You find that there aren't enough complaints and you want there to be more complaints so that you can take broader action.
According to the RCMP, are the cybersecurity structures of Canadian financial companies, such as banks and everything related to money, up to standard? There's certainly still room for improvement, but do you think that the banks are doing enough for Canadians?
5:20 p.m.
Liberal
The Chair Liberal John McKay
You're going to have to work that into another answer. Unfortunately, Mr. Paul-Hus is out of time.
Sorry.
5:20 p.m.
Liberal
Michel Picard Liberal Montarville, QC
Thank you, gentlemen.
Maybe to help us focus on more limited angles, because this is a very wide study, what triggered the creation of the unit—the enabler aspect of technology, the target aspect of technology, a new sector of activity? What was the basis for deciding that we need a unit for cybercrime?
5:20 p.m.
Acting Director General, National Cybercrime Coordination, Royal Canadian Mounted Police
There were a few things and you touched on a couple of them. Really, from both the statistics we had and the knowledge about the under-reporting, it was an area where there was victimization going on in Canada that we did not have sufficient resources to address. Canadians and businesses actually also told the government that. When the cyber consultations happened in 2016, addressing cybercrime and making sure law enforcement had a solid coordinating mechanism was part of what they heard in those consultations.
As well, police across Canada, through the Canadian Association of Chiefs of Police, also called for creation of such a unit, both in a resolution and in a pretty dedicated study on cybercrime, which they did in 2015. That led to the creation of the unit as well as to new resources for the RCMP to increase its enforcement capability.
5:20 p.m.
Liberal
Michel Picard Liberal Montarville, QC
Thank you.
We look at past fraud—Norbourg, $135 million, and Norshield, $400 million. In the credit card business, we report close to $1 billion in credit card fraud yearly. Numbers are great, but they target companies specifically.
Do we face attacks—hacking or fraud—that put at risk limited companies still, or do we start to look at fraud or the impact that may affect a whole sector of activity? Let's say that someone hacked the stock market with a service denial attack and they closed down the stock market for one week. Imagine the impact on our economy, which may then create a national security issue.
Where do we stand today in terms of threat?
5:25 p.m.
C/Supt Mark Flynn
My biggest fear today is around the collective threat of all of the smaller compromises that are going on, or the number of small compromises that are used to then gather information that is leveraged in attacks against the banks and other online service providers that are out there.
When you add that small piece from each offence together, it creates some pretty significant numbers. When you talk fraud in general, and just look at seniors in 2017, and realize that there is 22 million dollars' worth of actual reported losses in the small number of reports that we get, that's a staggering number. You have to understand that has a significant impact on all of those individuals.
Gathering that information together, better understanding it and collecting the technical information that allows for investigation of those things is where we're going to have a bigger impact on Canadians. Also, it's important to move beyond just the security, and when we think of large corporations and the amount they invest in cybersecurity, it's appropriate. The attack platform that's out there, the number of criminals around the world who can now reach across the Internet to cause that harm is something they all should be concerned about.
Obviously, we're not on the defensive side; we're on the investigative side. We need to have the appropriate balance between the two in order for us to be able to both protect Canadians from a security perspective and pursue the people who are responsible for it. When we just do security, that allows the criminals to still be out there, to still commit their crimes without repercussions. We have to have an effective investigation going after them.
It's the same as a physical bank robbery. We would not just make banks more secure and throw every armed robber out on the street. We need someone to pursue them, and we have to do that in collaboration.
5:25 p.m.
Liberal
Michel Picard Liberal Montarville, QC
I have 30 seconds.
Your mandate is not to recoup the money but to try to investigate from a criminal standpoint. Is your challenge trying to avoid a fraud occurring? If you find money, money is usually recouped and sent to the treasury and not to the victims.
5:25 p.m.
C/Supt Mark Flynn
Right. We always try to reduce the amount of victimization that goes on. In fact, that's a change that I would say the RCMP can be credited with in some of our international law enforcement conversations, in which we've brought to the table the traditional practice of having an isolated investigation where victimization is allowed to occur to ensure we can investigate without compromising the fact that we're investigating. We're turning that a little bit on its head. We're directly engaging with the financial institutions, as an example, while we're investigating, to ensure that they have the information that we can provide.
Even though it may compromise our ability to pursue the investigation, we feel it's more important to reduce the victimization and reduce the losses as soon as we can. We're doing that in a collaborative manner with them to ensure that we do have viable prosecutions at the end of it as well.
5:25 p.m.
Liberal
The Chair Liberal John McKay
Thank you for that.
If cybercrime is virtually risk free from the standpoint of the criminal, and that's on a 3G or 4G network, what preparations, if any, are you making with respect to the inevitability of the 5G networks?
Can you answer that in less than 30 seconds?
5:25 p.m.
C/Supt Mark Flynn
For us, the difference between 3G, 4G and 5G from the types of cybercrime that I identified as the one I'm most concerned about is really the speed at which those offences can be carried out and where. There are obviously technological elements. We're concerned about the ability and further anonymization that's permitted by that.
5:25 p.m.
Liberal
The Chair Liberal John McKay
So it's speed and anonymization, and we're not catching people right now.
5:25 p.m.
C/Supt Mark Flynn
I would not like to leave you with the impression that there are not consequences. We are becoming much more effective. You've seen some of the news releases out of our national division cyber investigative team and some highly successful operations they've pursued. I believe you'll be seeing some additional news articles in the near future about some other large successes in which there are significant collaborations.
5:25 p.m.
Liberal
The Chair Liberal John McKay
We'll look forward to those successes and that good news.
On behalf of the committee, I want to thank you. I appreciate both of you coming and making a contribution to this study.
Colleagues, we have two routine motions.
You have before you a budget for this study. I'm assuming it's acceptable to you. Does someone wish to move it?
Mr. Dubé will move it.
Second, I'm suggesting February 20 as a deadline for written briefs for this study.
With that, the meeting is adjourned.