The submission is more than 10 minutes, so I'll just highlight a few points. I tried to make sure I circulated it beforehand so we can go into some of the other issues.
As always, it will be my pleasure to answer your questions in both official languages, but I will be making my presentation in English.
There are five different elements that I was asked to comment on in regard to the range of cyber-threats that are facing the financial sector.
Here particularly, I highlight the ones that derive from the Internet more generally, including online banking, financial transfers and whatnot, and also the threats in particular to the SWIFT network: the vulnerability of the Internet as a whole, all the electronic transfers, and then the vulnerability of banks in particular to detect money laundering—know your customer—and the large-scale financial money-laundering issues that we have. I list some of those here in my brief. There are also the dangers that emanate from the SWIFT network, with Canada obviously being tied into the SWIFT network.
There are some recommendations here supporting the cybersecurity needs particularly of small and medium-sized financial institutions, something that I think is often overlooked as we focus only on the large entities.
Also, Canada must develop a policy response for rebuilding the financial system's technological infrastructure in the case of a major failure. I think we have not quite figured out the relationship between government and private industry if the entire system did go down and we actually needed government intervention and the expertise of some of our colleagues around town in order to bring the entire system back up.
We need the ability to publish warnings of retaliatory attacks and to pursue hackers in all available avenues under domestic and international law, all of which I think we can be much more aggressive at.
Second, I'll comment briefly on the sector-specific vulnerabilities and mitigation efforts.
The banking sector in particular is vulnerable to insiders. This applies not only to physical insider threats, but also to people who provide insider threats inside the organization with regard to moving and laundering money. It's estimated that about $2.5 trillion is laundered around the world each year, much of this electronically, including—as you know from our own case in Vancouver in recent days—a substantial amount through our own country.
Banks need to take responsibility for the consumer losses, as they do, but they have significant incentives not to do as much as they can. In the trade-off between convenience and security, they'll always go with convenience, because that's what the customers want, and we're not convinced that banks are being forced by government to pay sufficient attention to that trade-off. When banks are robbed in a cyber-attack, they have currently no incentive to disclose it, which means that everyone else is vulnerable to the same sort of attack. There are also reputational risks.
With regard to recommendations, they include developing a policy framework to mitigate consumer losses from risky behaviour, both at the institutional level and at the individual level; supporting the nascent cybersecurity industry in Canada, where I think there's a lot more that government can and should be doing; developing policies to incentivize data analysis of bank data for cybersecurity purposes; and encouraging more government collaboration among law enforcement, FINTRAC and financial institutions, including bestowing an enforcement capacity on FINTRAC.
Third, there are infrastructure interdependencies. These arise through the fact that the Internet does not respect boundaries, so information held by businesses such as banks is particularly vulnerable to data outages, data breaches and interruptions to communications in other countries, which are either accidental or deliberate. The SWIFT network, for instance, has had multi-hour outages. Financial institutions are motivated to keep data about customers and transactions in national repositories, and it's difficult to ensure this with the way the infrastructure is currently set up. Because of how distributed the infrastructure is, Canadian data are vulnerable to data breaches in jurisdictions outside of Canada, where regulations are weaker.
Bank infrastructure of communication systems.... The nature of the current system, with considerable extension such as 5G, means that vulnerabilities can only be hardened but not avoided. The recommendation here is that Canada should pursue a sovereign data localization strategy, reinforced by legislative and tax incentives to require critical data to be retained only in Canadian jurisdictions; set clear standards and expectations for the resilience of Canadian communication infrastructure; monitor that resilience; and impose penalties on critical communication infrastructure players who fail to adhere to standards or fail to make adjustments without which they would be left vulnerable.
Fourth is the role of communications service providers in threat detection and threat mitigation. This is where telecoms play a particularly important role. I cite here also the example of the deep packet inspection that CSE, for instance, uses to protect government infrastructure. Two issues prevent this from being fully exploited. First, the level of detection is so expensive that there's little incentive for telecom providers to get into that business. Second, telecom providers consider that amelioration, once detected, legally problematic. One of the interesting curiosities is that telecom providers in Australia have been much more willing to be proactive, even though their legislative regime is almost the same as Canada's. These widely different outcomes between Canada and Australia, I think, warrant further examination to see what can be learned in order to achieve the outcomes that Australia, under the same legal regime, is achieving.
The recommendation is that government should clarify the opportunities and obligations of telecom providers with respect to detecting and ameliorating communications that have the potential to do harm. Government should devote more resources to cybersecurity research. We already have a number of world-class capacities, including in quantum computing and cryptography, but there's much more need. The demand for highly skilled personnel vastly outstrips the supply. Unlike Australia, there is no strategy in this country on how to generate those human resources in terms of highly qualified personnel.
Finally, there are issues relating to entities participating in the Canadian economy and telecommunications infrastructure that may be subject to extraterritorial direction from foreign governments. Two parts of the information infrastructure contain inherent unfixable vulnerabilities—the network switches that form the backbone of the Internet and the consumer devices themselves. The network switches necessarily see all the traffic that they direct. If this traffic is not encrypted or is weakly encrypted, such switches may be able to detect everything that passes through them. Even if the traffic is strongly encrypted, the patterns of communication cannot be hidden from the switch. This traffic analysis is revealing. Switches can also control how they manage communication by delaying it, by cutting it off completely, or by diverting traffic.
The hardware and software of a switch can be analyzed for built-in vulnerabilities that might have been inserted. However, it needs to be possible to update the software in a switch from time to time, so each switch possesses a mechanism to “call home” and allow it to check and to get updates from remote locations. Policing this update mechanism is extremely difficult. The routing technique of the Internet uses tables that tell each switch which outgoing link to use to reach each eventual destination. These tables themselves are a vulnerability. There were several recent incidents where large amounts of traffic were misdirected through the territory of a particular state. Such consumer devices as cellphones have an inherent vulnerability, because they must see key process and display information, even if the data is encrypted for the rest of its existence. The manufacturers of such devices are in a position to see all of the input and output even if the storage of the device and all of its communications are encrypted. Such devices are routinely used for banking transactions and capture financial details. Transactions can, in principle, be captured.
Here are the recommendations. First, the government should ban such telecommunications providers as Huawei from participating in the development of 5G network infrastructure. In our view—I stress here that I wrote this brief with a colleague in computer science and a colleague in law—the government should ban Huawei from participating in the development of Canada's 5G mobile infrastructure. As a result of a recent change in a Chinese law, China can request any domestic company, including Huawei, to assist it to support national interests, including intelligence interests.
A related concern is that China and its industries are suspected to engage in industrial espionage on a large scale as an inexpensive means of R and D transfer. Moreover, Huawei and the ruling Communist Party appear interwoven in many important fashions, including via state subsidies of reportedly $10 billion in a single year. The systematic theft of IP, along with the massive state subsidies, made it impossible for such competitors as Nortel Networks to compete, and ultimately helped precipitate the demise of Canada's premier high-tech company. Since communications are a critical infrastructure, the government should be excluding wholesale any foreign entity with suspected ties to any country where strong evidence exists of significant prior IP theft or intelligence gathering.
For the sake of Canadian security, Canadian industry and Canadian research, Canada has a strategic interest in supporting our allies and banning foreign entities that they find undermine their national security interests. In doing so, the Canadian government would join not only its Five Eyes partners, including the United States, Australia and New Zealand, but a growing list of other allies that have already taken the step to ban—or are actively looking at ways of excluding—Huawei from their 5G and communication networks, including Japan, South Korea, Germany, France, the Czech Republic and Poland.
Furthermore, the evaluation board of the Huawei Cyber Security Evaluation Centre, set up jointly between the entity in question and GCHQ in the U.K., has become even less certain about this entity and its product security implications, with U.K. and French telcos actively replacing that equipment in their critical communications infrastructure.
In this matter, Canada appears increasingly out of step with key allies, and dithering carries reputational risks for Canada's perceived reliability as an ally, as well as for Canada's integration into the North American and allied communication infrastructure. Canada already opted to exclude this foreign manufacturer from critical infrastructure years ago. It should do likewise for the national grid.