Evidence of meeting #146 for Public Safety and National Security in the 42nd Parliament, 1st Session.

Also speaking

Satyamoorthy Kabilan  Vice-President, Policy, Public Policy Forum
Christian Leuprecht  Professor, Department of Political Science, Royal Military College of Canada, As an Individual
Ruby Sahota  Brampton North, Lib.
Scott Jones  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Eric Belzile  Director General, Incident Management and Threat Mitigation, Canadian Centre for Cyber Security, Communications Security Establishment
Jim Eglinski  Yellowhead, CPC

4:30 p.m.

Liberal

The Chair Liberal John McKay

We're welcoming Scott Jones and Eric Belzile back to the committee.

Mr. Jones, your last appearance was quite popular. I'm anticipating that this one might be equally popular. With that, we'll look for your presentation, between the two of you, for 10 minutes.

Thank you.

4:30 p.m.

Scott Jones Head, Canadian Centre for Cyber Security, Communications Security Establishment

Good afternoon, Mr. Chair and members of the committee.

It's a pleasure to be here again, I think. I guess I was just scrummed, so I got a little taste of what your lives are like.

As you know, my name is Scott Jones and I'm the head of the Canadian Centre for Cyber Security, which is a change from the last time I was here. The launch of the cyber centre was imminent. I am joined today by Eric Belzile, the director general of our incident management and threat mitigation team.

Launched on October 1, 2018, the Canadian Centre for Cyber Security is a new organization but one with a rich history. The cyber centre brings together operational cybersecurity experts from across the Government of Canada under one roof.

In line with the National Cyber Security Strategy, the launch of the Canadian Centre for Cyber Security represents a shift to a more unified approach to cyber security in Canada. The Canadian Centre for Cyber Security continues the work of the Communications Security Establishment's (CSE) IT security mandate. It provides advice, guidance, and services to federal departments and agencies and other systems of importance to the Government of Canada.

The Canadian Centre for Cyber Security also keeps Canadians safe in cyberspace by providing easily accessible information on cyber security matters, as a single, clear, and trusted source of information. With the amalgamation of parts of Public Safety Canada and Shared Services Canada, the Canadian Centre for Cyber Security continues the work of these departments to encourage collaboration with other levels of government, the private sector, and academia.

Our partnerships with industry are vital. Governments everywhere are simply not able to keep pace with the rapid innovation that the private sector is able to bring to bear. The Government of Canada cannot improve cybersecurity for Canadians without collaborating with the private sector.

This brings me to the specific topic of today's discussion: cybersecurity in the financial sector as a national economic security issue.

A significant disruption to the financial sector could have effects that reverberate across Canada's entire economy. The effects of a cyber-disruption could be immediate, such as financial loss, or they could occur over the medium to long term in the form of decreased consumer confidence. The risk of a cyber-compromise increases as the financial sector continues its transition to digital services and connects more devices to the Internet.

Nevertheless, this digital transformation has the potential to create tremendous opportunities for growth. To not leverage innovations in digital technology would mean being left out of the global economy. Retrenchment is not an option.

To this end, Canada needs to remain vigilant and take action to prevent, detect and respond to cyber threats to the financial sector, and all sectors of Canada's industry.

In this effort, the Canadian Centre for Cyber Security was proud to release Canada's first National Cyber Threat Assessment in December 2018. This assessment describes our view of the current cyber threat landscape in Canada. The intent is to ensure that as cyber threat actors pursue new ways to use the Internet and connected devices for malicious purposes, Canadians are well informed of the cyber threats facing our country. The assessment includes several key judgments on the current cyber threat environment, including that facing Canada's financial sector.

First, we assess that cybercrime is the cyber-threat most likely to affect Canadians and Canadian businesses in 2019. While all businesses are at risk, the financial sector is a frequent target of cybercriminals.

In a survey on the impact of cybercrime on Canadian businesses, researchers at Statistics Canada found that nearly half of Canadian organizations in the banking sector were impacted by cybersecurity incidents in 2017. Cybercriminals can target the financial sector, such as banking institutions, for immediate financial gain, but they can also target this industry for data about its customers and partners or for proprietary information. Stolen information is often held for ransom, sold or used to gain a competitive advantage.

These incidents can result in major financial losses and can also result in reputational damage, productivity loss, intellectual property theft, operational disruptions and recovery expenses.

More sophisticated threat actors, including nation states, could also target the financial sector for its value as one of Canada's critical infrastructure sectors. However, we assess that at this time it is very unlikely that state-sponsored cyber threat actors would intentionally seek to disrupt Canadian critical infrastructure. While the financial sector is an attractive target for cyber threat actors, it is also a relatively hard target.

Indeed, in its 2017 survey, Statistics Canada found that two-thirds of banking institutions had a policy in place to manage or report cybersecurity incidents. The Canadian Centre for Cyber Security also plays an important role in helping to protect systems of importance to the Government of Canada.

We currently have ongoing and tailored initiatives with partners in Canada's financial sector. For example, the cyber centre regularly shares reports on indicators of compromise with critical infrastructure providers, including partners in the financial sector, with the goal of promoting the integration of cyber-defence technology.

When looking at what Canadians and businesses can do to protect themselves from cyber-threats, it is important to remember that adopting even basic cybersecurity practices can help thwart cyber-threat actors. Cybersecurity is everyone's business.

Thank you. I look forward to your questions.

4:35 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Jones.

Ms. Damoff, please, go ahead for seven minutes.

January 30th, 2019 / 4:35 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

Thank you, Chair.

Thank you for your presentation.

I want to start with a comment you made that two-thirds of financial institutions have a policy to report cybersecurity breaches. Is that what you said? What about the other one third?

4:35 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

The Statistics Canada survey found that two-thirds of organizations had a policy in place on how to report, and I would imagine that has been filled in as boards are starting to ask more questions around cybersecurity and cyber risks that organizations face.

4:35 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

Should financial institutions in particular have a requirement to report incidents?

4:35 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

We're concentrating on building the relationship so they feel comfortable approaching us quickly at the start when they're not even sure they have an incident yet, so we can start to work together to react. We're trying to encourage them to report while it's in its early stages so we can engage quickly and hopefully provide assistance before it becomes a compromise.

Furthermore, the earlier they report and the better information we get, the more we can share with the entire sector, and that's really important to us from an incident management and threat mitigation perspective.

4:35 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

In my capacity as a member of the committee, I've met with a number of cybersecurity firms that advise businesses, governments and financial institutions, and one of the things they talk about is a number of different kinds of accounts. Some are left open when people leave a firm. Some are rogue accounts when somebody comes into an organization and creates an account that just sits there for years. Companies don't even take stock of what's there. There are accounts that have higher authority than they probably should have. People leave or they change jobs.

How can we educate organizations to be mindful of that, because it seems like a very easy fix to deal with a lot of these vulnerabilities that they're leaving themselves open to?

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Just so I'm clear, are you talking about computer accounts that people use to log into systems, not bank accounts that are abandoned?

4:40 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

That's right, actual employees who may have access to very high-level secure information and then they take another job or they move to another department but their log-in remains the same.

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

That's absolutely critical. One of our top 10 actions is managing credentials: revoking those credentials when somebody leaves an organization, and making sure that your authorities meet the requirements of your position when you log into a system.

For example, when I log into a system at CSE, I don't have any administrative privileges whatsoever. I can't even change the time on the clock because I don't need that for my job. Our systems administrators take care of that. I can't install software. Our systems administrators take care of that after proper testing. Managing those credentials and making sure they're the most limited set possible is really important, and then for those employees who have elevated privileges, there are other steps that you should take to protect.

For example, if you are a systems administrator, controlling access—what employees can do and how they can do it, what they can do on that account.... One of the easy examples we give is, don't read your email from your administrative account and don't browse the web from your administrative account, because you're operating with elevated privileges. Some simple things can have a remarkably large effect on cybersecurity.

4:40 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

Whom are you saying that to?

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

That's part of our public advice. We say it as part of our top 10. We certainly have been singing this song to government in managing administrative privileges. It's also a standard cybersecurity practice that you would hear from the SANS Institute or other organizations that promote good cybersecurity hygiene.

We certainly talk about it. Doing the basic top 10, even the top four of the top 10, has a remarkable effect on improving your cybersecurity.

4:40 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

Are organizations listening to you?

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

In a lot of cases, they absolutely are. Certainly we've seen a significant change in the Government of Canada over the last five to six years, probably, as we've tried to show the consequence of not following the top 10, and I think businesses, boards of directors, etc., are very much looking for something they can measure their cybersecurity efforts against, so they do use the top 10 to evaluate how they're doing, and they go through them one by one.

4:40 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

Okay. Thank you for that.

Do you have any sense of the cost of cybercrime to the Canadian economy? Has anyone done any research on that?

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

The Statistics Canada survey is probably the best survey we have right now. The issue we have is that cybercrime is one of the most under-reported crimes, so it's hard to tell. If you're duped into, say, clicking on a link or paying for something, etc., there's a large stigma attached to complaining or filing a complaint, and people don't know where to go.

I don't have a hard number. I think the Statistics Canada survey is probably the closest we have right now. One of the things we are trying to promote, in collaboration with the newly formed national cybercrime coordination unit at the RCMP, is, first of all, to encourage people to report crimes to the police so they can take action, and also to start tracking some of those statistics so we can see the impacts on the Canadian economy.

4:40 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

One of the witnesses we had here earlier was talking about consolidating data into one place in Canada. Do you see benefit in doing that? I don't know if you heard it or not.

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

What type of data? I didn't hear.

4:40 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

I think he was talking about.... I don't know. I have only a minute left.

I had a constituent who contacted me, asking a question, and I asked this of the RCMP: If one of our Canadian banks contracts out to another country, and there's a data breach in that country, is it enforceable? The answer I got was pretty wishy-washy: maybe likely not, but it could be. Would having all that information held in Canada and not leaving the country help with something like that?

4:45 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I think the key thing is looking at the supply chain risks. That's one of the things we highlighted in the national cyber-threat assessment. Businesses need to be particularly conscious of the supply chain they're engaging in and the companies they're engaging with, and they need to put proper security provisions into their contracts, so that they can hold them accountable and make sure they get proper breach notification, etc.

Lowest cost is something we always say is not usually compatible with cybersecurity. Businesses need to find the best, most capable cybersecurity firm that can protect their data as well.

4:45 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Ms. Damoff.

Mr. Paul-Hus, you have seven minutes.

4:45 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you, Mr. Chair.

Good afternoon, Mr. Jones. We saw each other last September. Everyone wants to know what we are going to ask you about your impressions of Huawei.

Before I continue, I'd like to say that over the past five or six months, I understood certain things and I would like to verify your mandate. For a certain time, I have understood from our conversations that your organization is more of an information centre and that it is not involved in tactics and strategy. I think that your role consists more in informing Canadians. Is that correct?

4:45 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Thank you for your question.

First, our mandate is to provide advice and guidance to Canadians, but it started off as the Government of Canada, so practical security advice. One of the mandates we've been given is also to ensure that Canadians have the information they need to take action on their own to protect themselves.

With the creation of the cyber centre, that mandate was expanded with the consolidation of the CCIRC, the Canadian Cyber Incident Response Centre, which had the role of the national CERT, the national Computer Emergency Response Team, the incident response team.

Our goal is to provide not only advice and guidance but also actionable things that people can take.

4:45 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

There is currently a whole debate going on about the Huawei company. Huawei proponents support 5G technology. Those who are opposed to the company, however, point to issues of national security. Our Group of Five allies tell us that we should not touch this company.

We would like to know if you will be providing the definitive advice to the Prime Minister. Who will decide what we should do regarding this company in Canada?