Public Safety Committee on Jan. 30th, 2019

The submission is more than 10 minutes, so I'll just highlight a few points. I tried to make sure I circulated it beforehand so we can go into some of the other issues.

As always, it will be my pleasure to answer your questions in both official languages, but I will be making my presentation in English.

There are five different elements that I was asked to comment on in regard to the range of cyber-threats that are facing the financial sector.

Here particularly, I highlight the ones that derive from the Internet more generally, including online banking, financial transfers and whatnot, and also the threats in particular to the SWIFT network: the vulnerability of the Internet as a whole, all the electronic transfers, and then the vulnerability of banks in particular to detect money laundering—know your customer—and the large-scale financial money-laundering issues that we have. I list some of those here in my brief. There are also the dangers that emanate from the SWIFT network, with Canada obviously being tied into the SWIFT network.

There are some recommendations here supporting the cybersecurity needs particularly of small and medium-sized financial institutions, something that I think is often overlooked as we focus only on the large entities.

Also, Canada must develop a policy response for rebuilding the financial system's technological infrastructure in the case of a major failure. I think we have not quite figured out the relationship between government and private industry if the entire system did go down and we actually needed government intervention and the expertise of some of our colleagues around town in order to bring the entire system back up.

We need the ability to publish warnings of retaliatory attacks and to pursue hackers in all available avenues under domestic and international law, all of which I think we can be much more aggressive at.

Second, I'll comment briefly on the sector-specific vulnerabilities and mitigation efforts.

The banking sector in particular is vulnerable to insiders. This applies not only to physical insider threats, but also to people who provide insider threats inside the organization with regard to moving and laundering money. It's estimated that about $2.5 trillion is laundered around the world each year, much of this electronically, including—as you know from our own case in Vancouver in recent days—a substantial amount through our own country.

Banks need to take responsibility for the consumer losses, as they do, but they have significant incentives not to do as much as they can. In the trade-off between convenience and security, they'll always go with convenience, because that's what the customers want, and we're not convinced that banks are being forced by government to pay sufficient attention to that trade-off. When banks are robbed in a cyber-attack, they have currently no incentive to disclose it, which means that everyone else is vulnerable to the same sort of attack. There are also reputational risks.

With regard to recommendations, they include developing a policy framework to mitigate consumer losses from risky behaviour, both at the institutional level and at the individual level; supporting the nascent cybersecurity industry in Canada, where I think there's a lot more that government can and should be doing; developing policies to incentivize data analysis of bank data for cybersecurity purposes; and encouraging more government collaboration among law enforcement, FINTRAC and financial institutions, including bestowing an enforcement capacity on FINTRAC.

Third, there are infrastructure interdependencies. These arise through the fact that the Internet does not respect boundaries, so information held by businesses such as banks is particularly vulnerable to data outages, data breaches and interruptions to communications in other countries, which are either accidental or deliberate. The SWIFT network, for instance, has had multi-hour outages. Financial institutions are motivated to keep data about customers and transactions in national repositories, and it's difficult to ensure this with the way the infrastructure is currently set up. Because of how distributed the infrastructure is, Canadian data are vulnerable to data breaches in jurisdictions outside of Canada, where regulations are weaker.

Bank infrastructure of communication systems.... The nature of the current system, with considerable extension such as 5G, means that vulnerabilities can only be hardened but not avoided. The recommendation here is that Canada should pursue a sovereign data localization strategy, reinforced by legislative and tax incentives to require critical data to be retained only in Canadian jurisdictions; set clear standards and expectations for the resilience of Canadian communication infrastructure; monitor that resilience; and impose penalties on critical communication infrastructure players who fail to adhere to standards or fail to make adjustments without which they would be left vulnerable.

Fourth is the role of communications service providers in threat detection and threat mitigation. This is where telecoms play a particularly important role. I cite here also the example of the deep packet inspection that CSE, for instance, uses to protect government infrastructure. Two issues prevent this from being fully exploited. First, the level of detection is so expensive that there's little incentive for telecom providers to get into that business. Second, telecom providers consider that amelioration, once detected, legally problematic. One of the interesting curiosities is that telecom providers in Australia have been much more willing to be proactive, even though their legislative regime is almost the same as Canada's. These widely different outcomes between Canada and Australia, I think, warrant further examination to see what can be learned in order to achieve the outcomes that Australia, under the same legal regime, is achieving.

The recommendation is that government should clarify the opportunities and obligations of telecom providers with respect to detecting and ameliorating communications that have the potential to do harm. Government should devote more resources to cybersecurity research. We already have a number of world-class capacities, including in quantum computing and cryptography, but there's much more need. The demand for highly skilled personnel vastly outstrips the supply. Unlike Australia, there is no strategy in this country on how to generate those human resources in terms of highly qualified personnel.

Finally, there are issues relating to entities participating in the Canadian economy and telecommunications infrastructure that may be subject to extraterritorial direction from foreign governments. Two parts of the information infrastructure contain inherent unfixable vulnerabilities—the network switches that form the backbone of the Internet and the consumer devices themselves. The network switches necessarily see all the traffic that they direct. If this traffic is not encrypted or is weakly encrypted, such switches may be able to detect everything that passes through them. Even if the traffic is strongly encrypted, the patterns of communication cannot be hidden from the switch. This traffic analysis is revealing. Switches can also control how they manage communication by delaying it, by cutting it off completely, or by diverting traffic.

The hardware and software of a switch can be analyzed for built-in vulnerabilities that might have been inserted. However, it needs to be possible to update the software in a switch from time to time, so each switch possesses a mechanism to “call home” and allow it to check and to get updates from remote locations. Policing this update mechanism is extremely difficult. The routing technique of the Internet uses tables that tell each switch which outgoing link to use to reach each eventual destination. These tables themselves are a vulnerability. There were several recent incidents where large amounts of traffic were misdirected through the territory of a particular state. Such consumer devices as cellphones have an inherent vulnerability, because they must see key process and display information, even if the data is encrypted for the rest of its existence. The manufacturers of such devices are in a position to see all of the input and output even if the storage of the device and all of its communications are encrypted. Such devices are routinely used for banking transactions and capture financial details. Transactions can, in principle, be captured.

Here are the recommendations. First, the government should ban such telecommunications providers as Huawei from participating in the development of 5G network infrastructure. In our view—I stress here that I wrote this brief with a colleague in computer science and a colleague in law—the government should ban Huawei from participating in the development of Canada's 5G mobile infrastructure. As a result of a recent change in a Chinese law, China can request any domestic company, including Huawei, to assist it to support national interests, including intelligence interests.

A related concern is that China and its industries are suspected to engage in industrial espionage on a large scale as an inexpensive means of R and D transfer. Moreover, Huawei and the ruling Communist Party appear interwoven in many important fashions, including via state subsidies of reportedly $10 billion in a single year. The systematic theft of IP, along with the massive state subsidies, made it impossible for such competitors as Nortel Networks to compete, and ultimately helped precipitate the demise of Canada's premier high-tech company. Since communications are a critical infrastructure, the government should be excluding wholesale any foreign entity with suspected ties to any country where strong evidence exists of significant prior IP theft or intelligence gathering.

For the sake of Canadian security, Canadian industry and Canadian research, Canada has a strategic interest in supporting our allies and banning foreign entities that they find undermine their national security interests. In doing so, the Canadian government would join not only its Five Eyes partners, including the United States, Australia and New Zealand, but a growing list of other allies that have already taken the step to ban—or are actively looking at ways of excluding—Huawei from their 5G and communication networks, including Japan, South Korea, Germany, France, the Czech Republic and Poland.

Furthermore, the evaluation board of the Huawei Cyber Security Evaluation Centre, set up jointly between the entity in question and GCHQ in the U.K., has become even less certain about this entity and its product security implications, with U.K. and French telcos actively replacing that equipment in their critical communications infrastructure.

In this matter, Canada appears increasingly out of step with key allies, and dithering carries reputational risks for Canada's perceived reliability as an ally, as well as for Canada's integration into the North American and allied communication infrastructure. Canada already opted to exclude this foreign manufacturer from critical infrastructure years ago. It should do likewise for the national grid.

Going back to what I mentioned about the Internet of things, the way this has developed is that it's become cheaper and cheaper to literally build and place a tiny little computer into anything. That means you can have a smart fridge, which I don't want, because my wife will know how much beer I'm drinking.

Oh, oh!

However, what happens with this is that it is about low cost, and security comes at a cost. If you're trying to make something as cheaply as possible, that's the first thing that tends to drop off your list.

These things are pervasive. You can get them anywhere and everywhere. Now, if you think about it, when you aggregate a bunch of very small computers, they can't do much on their own, but they have no security. You can take them over very easily, and also, because they are doing things such as monitoring your home, they'll know when you're in and when you're out. If they're on a camera, they might know what you're typing in as your password. Add that to the fact that if you pool all of them together, these little computers suddenly become a gigantic supercomputer.

I believe that in the fall of 2016 there was an outage across the east coast that affected some of the major social media companies such as Twitter and some other major websites. It was essentially a large-scale denial of service attack. What one organization had done was to look at all of these poorly secured devices, pull them all together as a gigantic hammer, and literally hit what was essentially a major address provider in the Internet. That caused one of the largest outages ever, and to this day I think it's still the largest denial of service attack we've ever seen.

With cheap devices, therefore, security is compromised, but this is everywhere. It's in everything. When roped together, it can be pretty impressive and dangerous.

The challenge with these interventions is that they don't meet the threshold of force, so we don't have an international regime under which we could ultimately classify what this constitutes. It's clearly an exploitation of our network, and it hearkens back to the problem with the vulnerabilities of the network. This is rerouting of traffic by effectively recoding DNS servers. It shows the vulnerability within the network as a whole.

The network works on switches. There are only a certain number of top-level switches. Each of the telecom providers has a very small number of these top-level switches. The closer you can get to these top-level switches, the more you're able to capture traffic or to reroute traffic. Currently, what our adversaries have to do is to try to get as high as possible into these switches, including physically co-locating their own servers on the same premises as some of the large telecom companies.

We would hope that telecom companies would be watching out for that, but we don't actually know whether they're making sure that, for instance, adversaries aren't renting the floor space below or above to hook into those switches physically.

Currently, the problem is that you actually have to capture the traffic by having a server that captures traffic in and out, or you have to reroute using the DNS servers. You can do that only for a certain period of time, because eventually people will catch on, so you do this strategically when you're trying to capture particular communications.

The problem now is that if you have an adversary entity's technology in the system itself, they no longer have to get to the top-level switches, because everywhere in the system you now have a vulnerability. As opposed to rerouting traffic, they can now capture all the traffic they want.

There are two vulnerabilities here, and I actually think we're much closer to cyberwar than people think, precisely because of these vulnerabilities. One is that our adversaries overestimate their capacities in this space. As a result of overestimating their ability, because they're being told by their signals intelligence agencies and whatnot that they can do this, they underestimate the response. So the uncertainties include, for instance, how the other side might respond and the targeting of these, if you want to call it that. These information weapons can easily get out of hand and get into other types of systems.

We, as a result, have difficulty gauging at which point a cyber-attack might either trigger a conventional response or have a cascading effect that would have conventional implications for us here in Canada, at which point we might, for instance, decide that this warrants a conventional response.

I have a whole separate paper on this, which I'm happy to share with the committee, but I actually think the uncertainty in this space is deeply troubling because it creates all sorts of potential for misperceptions and escalations, which we have no international framework to handle.

This is classically what we call “end point security”. Literally, it's the end point of the Internet.

Let's just step away from the question of who provides this, just for a moment. Whatever is on that end point, if it isn't secure, no matter how good your network is, you've just created a major vulnerability. If you go back to the analogy I gave earlier about transfer of money—armoured cars and armed guards between two cardboard boxes—that's what you get. You might have secured the chain where the information sits, but the problem is the vulnerability at either end.

Regardless of who provides it—and there are providers from all over the world who fall into this category—when we look at the Internet of things more broadly, because security is an afterthought and it's expensive, it doesn't get incorporated. What you've described is exactly correct. No matter how secure the network is, that immediately creates a vulnerability, and that can allow someone to penetrate the system and get into your home network, for example.

The classic story that a friend of mine who used to work for the U.S. government used to tell me was that he always waited for someone to buy that wireless printer, because it was great. You didn't have to connect to it—this was 20 years ago, when these things first came out—but it immediately broadcast a signal that allowed you to penetrate the system and get in. His job was protecting the U.S. government from these threats, but that was his description.

Exactly.

It's a fair assessment, particularly if price becomes the only discriminator, but we've seen industries or marketplaces where we've actually managed to address some of these problems.

Think about car theft. As you can tell from the accent, I'm British. In the U.K., one of the ways in which we dealt with this was that the government put up a table of the cars that are stolen most often. That changed things immediately. It didn't matter if the car was cheap or not; that meant your insurance would go up and you were more likely to lose the vehicle. It was able to provide that ranking.

Even if we're in a race to the bottom—and it isn't about providing the expense—sometimes just the information can change behaviour and change consumer choice. Yes, there's a price component in this, but it needn't be the only determinant of whether or not you get good security.

I think there are four categories that we need to think of. It hearkens back to your earlier question. I think the lowest level is the propaganda level, which is equivalent to graffiti on the wall, taking down a website, or something like that. Then you have subversion, sabotage, and attack. Attack is really the only time when it might need a threshold of force.

I think these four different levels, the three below attack.... As a government and as a state, we haven't really thought about the implications with regard to how we might retaliate, who gets to retaliate, and who gets to decide when, where, and under what conditions. Who's involved in that retaliation? Do we allow a private sector to retaliate? Is it solely a state responsibility? And we can clearly define, or fairly clearly define, the boundaries between the propaganda, the subversion, and the sabotage piece.

Thank you.

My first question is for you, Mr. Leuprecht. You advocate for a sovereign data location strategy. That would require critical data to all be located and stored in Canada. Can you define what “critical data” is and how that would work?