Evidence of meeting #146 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Satyamoorthy Kabilan  Vice-President, Policy, Public Policy Forum
Christian Leuprecht  Professor, Department of Political Science, Royal Military College of Canada, As an Individual
Ruby Sahota  Brampton North, Lib.
Scott Jones  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Eric Belzile  Director General, Incident Management and Threat Mitigation, Canadian Centre for Cyber Security, Communications Security Establishment
Jim Eglinski  Yellowhead, CPC

4:55 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

But in this case, CSIS is engaging foreign actors. That's the understanding I have from the announcement today. Is that accurate?

4:55 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

We're using whatever tool is the appropriate one at the time. If Bill C-59 is passed by the Senate, gains royal assent and comes into force, then we would re-evaluate how we approach these problems, given those new—

4:55 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Dubé. We're going to have to leave it there.

Mr. Picard, you have seven minutes.

4:55 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you, Mr. Chair.

Gentlemen, I imagine that when people report cyber fraud or cyber attacks, this confidential information is not made public. Is that correct?

5 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

That is correct. As we've said repeatedly, we have a tendency to re-victimize the victims of cybercrime. We publish, and we punish them. We're looking for them to take ownership and respond. Our goal is to help them recover, to help them defend, and then to share the information widely.

5 p.m.

Liberal

Michel Picard Liberal Montarville, QC

According to what I understand, the fact that companies report cybercrime does not necessarily mean that they increase their security or protection systems. They only report the incident.

5 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

No. However, one of the trends I have certainly seen with larger companies and boards of directors is that cyber-risk is becoming the number one topic. I think we're starting to see that trend now. It is becoming a huge reputational risk, but also a huge business continuity risk to organizations, so they're taking it seriously.

5 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Let's see the risk from the business standpoint and the chair of the board's standpoint. When you look at the expenses required for security, there comes a point when you evaluate the expenses needed for the security of the system and the losses caused by the reputational risk compared to the amount you have to pay to reimburse the victims. When reimbursement is cheaper, you forget about security and go for the cheaper way.

Do you discuss this aspect with companies? Do they realize that it's not just a question of losing money, but that, along with the money, there's information attached to it?

5 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

In our discussions, and the discussions I've had with numerous companies' C-suites or boards of directors, it's very much about the reputational damage. It's hard for them to calculate the cost of that. We certainly saw reputational damage in some of the larger U.S. breaches. I think the key thing for us is that—you're right—the equipment we're buying does not come secure by default. It's very poorly built, and that's getting worse with the Internet of things. That's a dynamic that we have to change, and we're encouraging industry to ask for security to be built in. They shouldn't have to pay extra. There are security features that should come in as part of any piece of equipment.

5 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Most of our discussions have been about technology to increase our security and protect our information. They have centred on the tools as such. One of the problems we can't get around—and correct me if I am mistaken—is the human factor. It is the only uncontrollable risk faced by any enterprise.

Does this mean that despite the important technology that may not even exist yet, but which may be developed, it will be impossible to protect ourselves because of the human factor?

5 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

When you look at this, you're absolutely right. The human factor is part of cybersecurity. We tend not to put security on top of our products sometimes if it makes it harder for a user. It's all about usability.

I think part of it is also education, but you can't rely on that. For example, some of the cybercrime tools and some of the cybercrime spear-phishing types of things that we've seen are incredibly sophisticated. Even I—and this is my daily business—could make a mistake. You have to hope for education but rely on further measures that are kind of layered in a security approach, because relying on a person—and certainly, punishing a person—is the wrong approach for this. It is very easy to make a mistake, to click too quickly, etc., and some of them are incredibly well structured.

5 p.m.

Liberal

Michel Picard Liberal Montarville, QC

What I had in mind was more in the way of a simple error due to distraction. We know the principle of indirect attacks, through software. Our problem is psychological piracy. The person is then deliberately in the system.

For instance, when I was a member of the Canadian Bankers Association, we were presented with an electronic payments terminal that was supposed to be unhackable. But it only took three weeks for that to happen. It was not due to human error, but really to malicious intent from the inside.

What solutions do we have to manage the human factor?

5 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I think there are a few. Typically, we would call that the “insider threat” side of things, where somebody who's going....

There are a few ways to do this. Number one is actually the credentials that we talked about earlier—making sure that people can do only the things that are absolutely necessary as part of their jobs, from the IT perspective.

The second one is having a program to look for these types of activities, things that start to spike. If we're a business, we tend to look at fraud detection as something that's being done to us from the outside. Sometimes fraud comes from the inside as well. There are internal losses and things like that, so it's about using some of those tools on the inside.

The third is one of the things with insider threat—and there are colleagues in the government who are probably better positioned to talk about this. It is the care of employees, so that if they get into situations where they turn to crime, there is a better outlet for them. Part of that is how to give them another outlet when something's going badly.

Certainly, from the intelligence side of things, from the CSE internal side, we've spent a lot of time on our internal security program to help our employees so that they don't ever get into situations like that, to manage the insider threat. It's always something you have to be vigilant against, and it is something that is typically overlooked. We don't like to treat our employees like they're criminals.

5:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

We were concerned last Monday when we were told that the means of certain foreign states are far superior to any investment Canada may make to be up to date in high technology.

If we think we cannot invest what is needed to develop the necessary means, do we have to convince private enterprise to become part of the solution by becoming stewards or watchdogs of the market?

5:05 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Right now we're not finding difficulty with the private sector in terms of engagement. They are very willing to come to the table, partner with us, report incidents, work together collaboratively when they see something, or when we see something. I think Canadian industry very much wants to be part of the solution, but to your point earlier, it is expensive. You do have to spend money. If you're running closer to the margins, then cybersecurity is about how to work together to build it in.

We're not seeing an unwillingness for Canadian industry to invest. Sometimes there is a capacity, and certainly not all organizations have a cybersecurity organization that is capable of actually dealing with this, but then you turn to outside providers or places where it's already baked in.

5:05 p.m.

Liberal

The Chair Liberal John McKay

We're going to have to leave it there, Mr. Picard. Thank you.

Mr. Motz, you have five minutes, please.

5:05 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Chair.

I thank both of you for being here.

We all hear of scams that happen, whether they happen to ourselves, or to our neighbours or family. They usually originate from overseas. Constituents have told me—and I've certainly investigated a number of these myself over the years—that when they threaten to call the police, the scammers become brazen enough to basically scoff at them and say, fine, we're over in whatever country you name, and your police can't do anything to us.

In your new mandate now as the Canadian Centre for Cyber Security, what role do you play in ensuring you get involved in helping the police? What tools do you offer to police to go after this or to try to mitigate the exposure of this, not only for helping the police and their tools, but also at the other end, hopefully rolling out more aggressive strategies for the consumer so they are not a victim?

5:05 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

If you look from the policing perspective, certainly our goal is to try to get people to go to the police when they are victims of these types of scams, so the police can take action. I think that's one of the first things, to encourage people that the police aren't going to come and seize their computer, to get them to report so they can take action.

The second piece, though, is the education piece. That's the part we would be the lead on, to try to help Canadians understand what these threats could look like so they can be vigilant against them. The fact that the constituent actually challenged back and said, wait a minute, this is a scam and I'm going to call the police.... Then they went back, but they knew to challenge that it was a scam and not fall for it. That's an excellent thing.

My dad hangs up the phone. He made me promise not to reference him in this, but my dad just hangs up the phone because he knows it's a scam and doesn't believe anything anymore. I am worried about the day when somebody legitimate calls now, but the fact is that he knows to do this.

I think one of the key things is how we can make Canadians aware so that, number one, it's not such a stigma that you're a victim. It tends to be a more vulnerable part of the population that falls for these types of scams. Number two is that they report it. Number three, here are some simple things people can do. Number four, how can we work with industry to make us all a little more resilient and have some national level of defence? If you don't get that spam email because Canadian companies have blocked it, that means you can't click it.

How can we start to work on some of those types of outcomes about leveraging industry, and leveraging the fact that we have a commercial sector that actually wants to protect its customers as well?

5:10 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

When you mention leverage, are you talking regs, yes or no?

5:10 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

We're talking partnerships right now. We take a partnership approach.

5:10 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

When we're looking at various threat levels to Canada, one expert has mentioned that you need to weigh the impacts of an attack and the probability of an attack. We heard just before you gentlemen came in, and we've heard it before, that the probability of a bank being hacked is low and the probability of an individual being scammed is significantly higher, but the impacts are both significant.

If the backbone of our communication systems were compromised—that is, the systems that carry all of our personal information, government information and banking information—is that one of the largest threats to Canada's security? Is our Internet itself maybe the most critical system we have?

5:10 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

We tend to approach it from the point of view that we never trust the thing below what we're working on. For example, if Eric and I are communicating, sending emails back and forth, we always look and say that we can't trust the network, because the way the Internet works, that communication could be routed all the way around the world and go through every single country, so we use encryption. That's how we would protect the communication.

We always look at how to layer in protections, assuming that something else is not secure. The more you look at that and the more protections you layer in—more things like encryption, security, account management credentials—the more security you get.

At one point, though, you can only do so much before you make it so unusable that users either switch, or they go around your security. That's one of the things the industry has to balance, but I think one of the key things is that the entire industry needs to improve its security. You should not have to know how to secure the basic things that are going into your home. You shouldn't have to investigate how to enable security. It should come and help you do that from the very beginning. The second you turn that device on, it should help you use it in a secure way. “Secure by default” is the term we use.

5:10 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Motz.

If the Prime Minister phones with your Senate appointment, it's probably a good idea to hang up.

5:10 p.m.

Voices

Oh, oh!

5:10 p.m.

Liberal

The Chair Liberal John McKay

Ms. Sahota.