Public Safety Committee on Jan. 28th, 2019

Okay. We both have something to say here, but I'll let Mr. Lynam go first.

What I'll say is that the sheer fact that this committee is looking at cybersecurity and cybercriminality is adding to the conversation about what a challenge it is for not only Canada but also others to determine how to deal with this. The more attention that is brought to either the challenges law enforcement has or how we're going to address them or how other departments, including the new Canadian Centre for Cyber Security, are going to make sure that Canadians and also businesses know how to protect themselves better and what to do when they are victims of cybercrime.... From that perspective, I think bringing more attention to the issue is of importance.

I'll add to that. The attention that comes to this has to be in a way that removes, as I stated earlier, the stigma attached to it, because I've seen over the last couple of years that I've been involved in cybercrime as an area of focus that a lot of organizations do not report it because of the stigma. When a large corporation is compromised, if it does not report the information to law enforcement or to other organizations through which we can gain access to the information, there's nothing we can do about it. The more we paint them, as opposed to the cybercriminal who actually perpetrated the offence, as the evildoers, the more that drives that reporting down and the more that takes away from our being able to successfully investigate it.

There would be an interesting challenge that could occur in that.

There has to be a balance, as my FINTRAC colleague spoke about earlier, in the threshold for reporting. The system could be inundated with reports alone.

We're very much focused on the trust and confidence and on finding the right balance in the volume of reporting. Through the national cybercrime coordination unit that's being set up, we'll have that public reporting portal. If we have people reporting to police and police aren't prepared to receive the reports and offer sound advice or guidance, such as you experienced or your constituent experienced, reporting alone will not solve this problem. There has to be a balance between reporting and being able to respond, and we have to have the systems in place to be able to receive and make appropriate use of a report when it comes in.

In reality, they're not connected. The obligations under PIPEDA are related to data breaches and the regulations around that where the new public reporting system that we'll put in place is voluntary. It involves either individuals or primarily small and medium-sized businesses that want to make sure they have an ability to let law enforcement know they're a victim. The ability of their doing that can help police in their investigative and intelligence efforts.

To the example that was provided here, unfortunately, there will likely always be cases where that money is not going to be returned, but by having a very robust and modern public reporting system that has strong analytics behind it, we could very quickly understand that perhaps 10 other people in Canada have been victimized by that same person or that same cyber entity, moniker or email address. Because of that level of impact—we can see that at a national level—we can then work with other police services across Canada to go after that cybercriminal. Right now that doesn't exist.

We're going to do some outreach with the Privacy Commissioner to understand more how they are handling or managing these data breach reports. Again, under that regime, there's no obligation for that information to be accessible to police. There may be some things on the prevention side or things like that which might be useful, but we're moving forward with a voluntary scheme that has the public or businesses report directly.

You're right. We could have businesses that report to both and we would encourage them to do that.

I'll step in.

If we learn about a compromise that has a significant impact on Canada, there has to be a balance. We will follow up with those companies and encourage them to report to us in detail.

The mere fact that there's been a compromise does not allow us to effectively pursue a criminal investigation. We need much more information than the simple fact of a compromise. It has been challenging at times but we will work with some of those large corporations because it's often difficult to get to the right person to gather the information we need. We do that outreach. We do not have to wait until the organization reports to us. However, it is only an effective investigation when that corporation is willing to work with us in the investigative stages of our response to what's occurred.

Yes. The unit will not only have new people focused on enabling that collaboration with police services as well as the private sector, but it will be underpinned by a new information management and information technology system to allow information sharing between law enforcement to do some of the analytics, as I mentioned, in the public reporting, to really allow the law enforcement cybercrime capabilities that may be with the local or provincial level to get more capacity.

I would say, for anybody, whether in the public sector or private sector, who is looking to hire cybersecurity talent, there's only a limited pool out there right now. There are initiatives to increase that to find the right people who have the right technical background or the right critical and analytical thinking who you can bring in and train to the right level. There are some challenges there.

A lot of the approaches we've developed to date are really playing on that. There are a lot of Canadians out there who want to help law enforcement pursue cybercriminals. They are less interested in working in a cybersecurity field or another field. They want to help serve their country. They may not make as much money as they would in the private sector doing it, but we've had some success in that approach.

Mr. Chair, I wouldn't have that figure in front of me. We can get back to you.