Public Safety Committee on Jan. 28th, 2019

It's a small fractional per cent probably on the number of actual victimizations versus the number of charges that are laid.

The challenge in answering that question goes back to the definition of what exactly is a cybercrime, because it includes all of the cyber-enabled crimes whether they be fraud threats over email, compromises on large systems, etc.

To Chief Superintendent Flynn's point, it's probably small. If you would like, Mr. Chairman, we could get back to the committee with the—

Yes. Unfortunately, there are a lot of cybercriminals getting away with what they are doing.

Thank you.

It has been referenced many times here today what you feel the gaps may be. I would like to focus on your introductory speech where you talked about the investment in budget 2018 for the creation of this new RCMP national cybercrime coordination unit.

This sounds great, and I know it probably takes time to really get it fully up and functioning. Would you say it is right now, and if not, how long would it take, and what was in place before the creation of this unit?

I will start, and then maybe I will hand it over to Chief Superintendent Flynn, who can talk about the current RCMP resources that are devoted towards cybercrime.

The new unit will achieve its initial operating capability in April 2020 and then ramp up over three to four years from now to achieve full operating capability in 2023, and 2023 is when the full public reporting system would also be in place.

This is a new unit, as you can imagine, for the RCMP. We are hiring and training new people to do that and establishing partnerships with police services across Canada as well as within the private sector and non-governmental sectors. As well, as I mentioned, we're implementing a new IM/IT system to underpin its operations.

You said in your introduction that there were consultations done, and there was a laxing in two areas and that's why we are where we are.

What was in place before creating this unit?

Right now, within our federal policing criminal operations area that I'm in charge of, we have quite a few efforts under way to help build trust and confidence, build the relationships with the financial institutions, the banks, the private cybersecurity companies, as well as leveraging our Canadian Anti-Fraud Centre, our federal policing public engagement group, our contract indigenous policing education efforts that are out there, to ensure they were taking on the multipronged approach of partnership. We're leveraging what's already there within the cybersecurity industry, whether it be banks or in private-type security companies, building those relationships, ensuring we understand the problem itself.

As I stated earlier, we would be overwhelmed with the reporting. I'll go back and reflect on my first day in the cybercrime area in federal policing. I asked for a report of every incident, every possible technological attack that was going just against Government of Canada systems. It overwhelmed my email system with two reports, so the volume is too much.

We have to collaborate in our response to that. We put significant effort into it. I'm very much looking forward to the new centre being stood up so that we can appropriately hand over some of those responsibilities to the centre to perform those actions on behalf of all law enforcement in Canada because—

That's interesting. You say there's under-reporting from individuals and other companies, but you are overwhelmed with the amount of reporting there already is, or incidents that are happening.That's very interesting.

I believe Mr. Dubé touched on it a little bit, the difficulty to recruit cybersecurity specialists. You were talking about initiatives that are under way to increase experts. What are those initiatives? Can you shed some light? Who are the partners in that?

I know within government circles there's an initiative to collectively recruit and hire computer scientists. They are interviewed. There's a screening process. Then departments can follow up with those individuals to see if they're a good fit for specific individuals. Collectively, the federal government has an initiative to bring in computer scientists.

Is there a partnership with academia when it comes to that? Are we training enough people in Canada? Is there a gap there?

I think there is, as we've seen in many fields, a push to have more cybersecurity folks in Canada in the public or private spheres. I know in the RCMP we've had quite a few discussions and have explored options with different educational institutions about co-op intern opportunities of bringing in students early in their studies. Then it maybe translates into a full-time job once they graduate. We've also discussed with the private sector about interchange opportunities. There is some appetite in the private sector of having their IT security folks come and work with law enforcement and vice versa to exchange skills and what have you.

We're really putting forth a multipronged human resources strategy that looks at universities, current people in the public sector, as well as current folks in the private sector.

Are you hiring from outside of our borders as well to help when it comes to this?

Primarily, for the public servant approach here to be hired in the government it's Canadian citizens. I know there are some initiatives in some provinces and elsewhere to try to bring in cybersecurity expertise from abroad, but it's not my area of expertise.

My last question is on the coordination with the local police forces that you were talking about. You were talking about, or previously it was talked about, the romance cybersecurity crimes. In my experience those kinds of crimes were happening even before the cybersecurity part was added in. What I'm finding from people I speak to is whether it involves cybersecurity or not, there's been little the police forces can do about fraud. You willingly hand over your money to someone, and they're gone with it. What is going to be done in that regard to try to lay more charges, as the chair was talking about earlier?

I'll start with one element, and then I'll hand it over to Chris, because Chris will be responsible for some of this as we move forward.

Currently, we have the Canadian Anti-Fraud Centre. I'm not sure if you're familiar with that organization up in North Bay, which is a partnership between the OPP, the Competition Bureau and the RCMP. They do a lot of amazing work around fraud and understanding the problem. There is also severe under-reporting. We believe there's 10% or less, more likely less than 5%, reporting of fraud. However, that information, when it's collected en masse, is being utilized to shape some of our international operations in dealing with, say, call centres that are in other jurisdictions. There are actual results that are coming from that. A big part of that is understanding the problem, gathering the information, offering support to the victims.

I sat in on some calls when someone has called the Canadian Anti-Fraud Centre. The help that those call takers on the front line can give to those individuals when they call in to say they just lost a large sum of money, or even if it's a small amount of money.... They feel bad because of the fact that they've been victimized. Those call takers do an amazing job in helping those people understand they're not alone. They destigmatize it, help them get advice and guidance on where to go and what to do. It's making a significant difference.

They also have a very important—

I can start with that, Chris.

When you say “the centre”, I'm assuming you're—

I would agree that

the threats, in terms of cybercrime, are constantly evolving. It's therefore important that government and RCMP systems and structures be flexible and responsive to new threats.

What I will say as the person who right now is charged with putting together the new unit is that we did a lot of consultation, both with police services and with the private sector, to really understand how, particularly in the private sector, they are addressing this threat from a cybersecurity perspective. One of the key take-aways we had was that you have to constantly evolve.

We have the ability in building this new unit from the ground up to really push an innovation agenda and build a culture of being adaptive. We've even had success in terms of the funding, the number of positions we've been approved to have and ensuring we have enough IT developers within the unit to be able to change the IT system. If a new threat comes on the market and we need to very quickly change the public reporting systems so that Canadians and businesses can report it, we've accounted for that.

It will constantly be a challenge to try to even just keep pace with the cybercrime environment. From a culture perspective, we're going to do all we can to really make sure that it's not a bureaucratic structure that can't respond.