Public Safety Committee on Jan. 28th, 2019

Chief superintendent is the official rank.

Good afternoon, Mr. Chairman and honourable members of the committee, and thank you for the opportunity to speak with you on this issue of cybersecurity in Canada's financial sector.

As introduced, I am Chief Superintendent Mark Flynn, the director general of financial crime and cybercrime within the federal policing criminal operations area.

I'm here today with my colleague Chris Lynam, the acting director general of the national cybercrime coordination unit, who will also provide a brief opening statement following my remarks.

I'll start by describing what cybercrime is and the types of activities cybercriminals are engaged in.

Cybercrime includes crimes where technology is the primary target as well as where technology is the enabler or instrument for other types of criminality, whether it is financial crime, including fraud and money laundering, the trafficking of illicit drugs or other national security offences.

Cybercrime is a global problem that is multi-faceted and complex with multi-jurisdictional elements and new and continually evolving technologies that impact the safety and economic well-being of Canadians and Canadian businesses. Canadian businesses and individuals, especially vulnerable members of our society such as the elderly and young people, are targets for cybercriminals because of our relative wealth and open, Internet-dependent economy. ln particular, the financial sector is targeted by cybercriminals both directly and indirectly. ln other words, Canadian financial institutions' systems are attacked from two sides, namely, via a company's infrastructure itself or via the portals through which the company's clients access its systems.

To explain this further, I'll go into more detail. Cybercriminals may attempt to directly compromise the financial institution's computer infrastructure through attacks that grant unauthorized access to the core systems themselves. These attacks are attempts to make a profit through the theft of money from those systems or through the movement of money through those systems, to steal private information or, in some cases, to damage the reputation of the company. These crimes are perpetrated by individuals working alone, organized crime groups or professional cybercriminals employed by larger entities, including foreign state actors.

Criminals also indirectly attack financial institutions by obtaining user credentials or other personal information to gain unauthorized access to individual user accounts. Obtaining these user credentials can be done in a number of ways: by using accessible tools from the Internet to obtain passwords, through social engineering or by simply purchasing large databases of personal information on the dark web. The relatively low cost of these attacks has enabled both malicious individuals and new organized crime cyber groups to undertake these attacks on an unprecedented scale.

The wide availability of a whole new range of illicit cyber tools has given rise to an entirely new cyber environment which consists of a wide range of entrepreneurial actors, including malware developers, infrastructure providers and administrators, and platform data resellers who collaborate with others in global networks or independently offer their services and expertise to others via the Internet for profit. We refer to this as the criminal cyber-ecosystem or, on some occasions, we call it cybercrime as a service.

When it comes to Canada's financial and commercial sectors, the volume and severity of cybercrime affecting Canadians and businesses is significant. Global financial services and institutions continue to be targeted by a range of malicious cyber-attacks that generate significant illicit profits for the perpetrators.

Also, the advancements in technology that can be used to assist traditional crimes such as theft, fraud or money laundering has led to a shift in the way that law enforcement must respond to large-scale cyber and financial crimes. Essentially, what we are witnessing are new cybercrimes and old crimes perpetrated in new ways.

In addition to cybercrime organized crime groups, professional money launderers and international money controllers are no longer bound by traditional methods of laundering money and moving their proceeds of crime.

Dark-web marketplaces, the growth of virtual currencies and complex trade-based money laundering schemes are examples of technology-enabled advancements and criminal techniques that have effectively eroded borders and allowed criminal organizations to set up a truly global footprint and a global reach that's associated with that.

Cybercriminals seek to profit through the deployment of malware, such as banking trojans; a multiplicity of online fraud scams; email compromise; or through extortion events, including ransomware or distributed denial of service, also referred to as DDoS attacks, etc. Any of these crimes can be perpetrated from inside or outside Canada.

These innovative cybercrime techniques reveal that the majority of current cybercriminality is financially motivated, as is the case with a lot of crime. It's about gaining access to money in the end and profiting from it.

While the RCMP has been gaining a better understanding of the scope and magnitude of the threat, challenges do remain. For instance, the global reach of cybercriminals means that law enforcement has to be concerned about criminal actors from around the world, no longer just the criminals who are within our borders. This is an international priority for many law enforcement agencies, which will continue to grow in significance and scale.

Furthermore, policing efforts in the cyber realm continue to face challenges largely due to the cross-cutting nature of cybercrime. It applies to all types of crime and it is borderless, as I stated. The borderless nature makes it possible for cybercriminals to commit their crimes across multiple jurisdictions. One cybercriminal can victimize numerous individuals on a massive scale in a way that is not possible in the physical world.

In response to the threats and challenges being faced, the RCMP's cybercrime strategy guides investigation and enforcement efforts to reduce the threat and help mitigate victimization and the impact of cybercrime in Canada. This approach is built on three pillars. The first is to identify and prioritize cybercrime threats through intelligence, collection and analysis. The second is to pursue the cybercrime and the criminals through targeted enforcement and investigative action. The third is to support cybercrime investigation with specialized tools and training.

The cybercrime strategy includes an operational framework developed to guide the RCMP's federal policing action against cybercrime. As cybercrime transcends all types of criminality, the use of specialized investigative teams is essential. The RCMP's federal policing cyber investigations are undertaken primarily today by our national division cybercrime investigative team. However, it leverages the expertise and other specialized investigative supports, such as undercover operations and tactical Internet operation support, which are necessary to augment the investigative outcomes.

The RCMP also plays a central role in the Government of Canada's overarching priority to provide for the safety and security of Canadians.

At this moment I'll turn it over to my colleague so he has a moment for opening remarks as well in relation to the new cybercrime centre that's being set up for law enforcement.

Good afternoon, and thank you, Mr. Chairman, for the opportunity to speak with you today.

As my colleague touched on, law enforcement is facing several challenges in addressing cybercrime. The traditional Canadian policing model is predicated on the assumption that the offender, the victim and the justice system are largely collocated jurisdictionally. However, as we know, most cybercrimes are multi-jurisdictional, if not multinational, impacting victims across traditional jurisdictions, and this brings into sharp focus the need for a coordinating mechanism.

Law enforcement requires a means to gather information and intelligence regardless of the jurisdiction, and a mechanism to coordinate investigative efforts. It is not efficient for multiple police services to be allocating scarce investigative resources on the same criminal activity in an isolated fashion.

Another key concern is that cybercrime is under-reported and there are varied reporting mechanisms in Canada, which is confusing for the public.

The 2017 Canadian survey of cybersecurity and cybercrime undertaken by Statistics Canada found that about 10% of businesses impacted by a cybersecurity incident reported the incident to a police service in 2017. Despite under-reporting, the number of cybercrimes reported to police in Canada has increased in recent years. In 2017, nearly 28,000 cybercrimes were reported to Canadian police, which is an 83% increase compared to 2014.

The under-reporting of cybercrime prevents law enforcement from connecting the dots and responding to cybercrime on a larger, coordinated and more targeted scale. It also hampers governments in understanding the magnitude and extent of the problem we are facing.

In response to challenges and to bolster Canada's ability to fight cybercrime, budget 2018 announced $116 million over five years and $23.2 million per year for the creation of the national cybercrime coordination unit.

The unit will be a national police service, stewarded by the RCMP, supporting and working with law enforcement across Canada. lt will act as a coordination hub for cybercrime investigations in Canada and will work with international partners on cybercrime.

It's challenging depending on the technical elements of that contracting. There are different jurisdictional elements to it as to who owns the data, where the actors, the individuals, the cybercriminals are when they perpetrate their offences. It's not a straightforward answer for all situations.

Where a contracted service was for handling calls, all the data was in another country and the person that committed the crime was in another country, there would not be an offence against the Canadian Criminal Code in that scenario. However, in many situations it's difficult to even state with some of the modern technologies that are used for data storage in which country that data resides solely. There are a lot of cloud services where the data is residing in Canada and in another country all at the same time. In some of those situations, there would be contraventions of the Criminal Code. In others, there simply would not. However, we would work with our international partners when there is a Canadian interest to ensure that what can be done to investigate it and hold the individuals to account for their action is done in the Canadian interest.

Statute policy recommendation would go beyond what would be appropriate for me to make—

One of the main objectives of the new national cybercrime coordination unit will be to work with the financial sector on a couple of fronts. One is to make sure that information about threats is being exchanged or shared. As well, if the financial institution is a victim or has victims as clients, they will have an easy way to bring that to the attention of law enforcement so that action can be taken.

What's happened to date is, in many respects, there are really good relations among the financial institutions and law enforcement and the RCMP. With this new unit and some other resources that the RCMP is getting in an investigative capacity, it will increase the ability for us to work with the financial institutions to deal with new threats or when they are victims.

For example, if you're meaning if a financial institution is reporting....

Mark, do you want to answer?

Yes.

The biggest challenge we have today in those reports is the sheer volume of the victimization that's occurring, and the fact that the anonymization that's available on the Internet is being taken advantage of by the cybercriminals makes it much more difficult to track them down. However, we are combatting that through the international collaboration that we have, the much closer relationships that we do have with the financial sector. We are leveraging the resources that many of those large banks and other financial institutions have to secure their own networks and integrating them into our investigative efforts to help de-anonymize or help take advantage of errors that occur while cybercriminals are using the Internet to commit their crimes, to tackle them more effectively.

We've gone well beyond the days of the police saying, “Thank you for the report.” Now we will go and investigate and we will tell you what you need to know. We are working much more collaboratively. In fact, in one significant incident we had recently, we actually integrated security staff and financial institution security staff and private sector cybersecurity expertise into our investigative efforts, and the benefits are proving to be very high.

I would not say there's consistency. We see quite a broad range of responses when a corporation is victimized.

We are working closely in our public messaging to ensure that there is trust and confidence in the police to be able to do something about it. As in the example that the honourable member spoke about earlier, it is not helpful when someone does report to the police and they get a response of, “Sorry. We can't do anything for you.”

We're trying hard to build trust and confidence. That is bringing more people to the table to report. Under-reporting of cybercrime is a significant challenge for us and we need to remove the stigma of victimization that is associated with cybercrime to enable us to learn more about it and tackle it appropriately.

In the RCMP, our mandate is the investigation of criminal offences. We do have the Canadian Centre for Cyber Security as well as other entities that give advice on the securing of systems and other technological assistance that they provide there.

However, from an investigative perspective or a public safety perspective, we are putting a fair bit of effort into education and ensuring that people are aware of what can occur, that people are taking steps to assume there's going to be a compromise and make efforts to identify when someone unauthorized is in their networks and report to us. Even if we can't do anything about that individual incident, the gathering of the information from that incident along with the other victims who forward information to us can lead to a successful conclusion down the road in holding to account the people who are responsible for multiple compromises.