Public Safety Committee on Jan. 30th, 2019

Okay.

So you're saying we definitely have the capacity to do that.

We have the capacity to do that; it's just a question of.... That's why I say that some regulation and tax incentives and whatnot can help in that regard.

I've read some comments about our investment in AI and Canada becoming an AI superpower. This government has definitely taken a few measures in terms of investing more money. Minister Bains has made several announcements in the last several months when it comes to supporting AI technology and different companies. Can you elaborate a little bit on the previous comments you made?

AI is not this sort of fantastic, magical hat we pull a rabbit out of and whatnot. I mean, AI is just math. It's just fancy, sophisticated math and its applications. While the government has invested significantly in various applications of that, the irony is that the government has not made an investment in the cybersecurity side of those applications.

We're generating lots of highly qualified personnel—“HQP”, as we call them in academia—but we have a massive disconnect between the cybersecurity side of generating the people who are in demand and our ability to have programs that will generate those in universities. We're doing lots of great, fun research, but it's not directed at generating cybersecurity talent.

I would bring up Australia again. They have nine different centres now that deal with cybersecurity. In Canada we really have none. We run our Smart Cybersecurity Network, SERENE-RISC, which we stood up with a colleague at the University of Montreal, but that's about it. I think we need to do a lot more. We can buy all the technology we want and we can make all the investments we want, but if our adversaries are simply going to steal all of our R and D investments, at billions of dollars a year, what's the point of putting money into R and D? And why, as a foreign company, would you invest in R and D in Canada, or in our AI investments, if you knew that we couldn't keep secure the intellectual property generated?

Okay.

We had a witness just at the last meeting. Public Safety is working on creating a cybersecurity centre and also, within Defence, Minister Sajjan launched, last October I believe, the Canadian Centre for Cyber Security. I was wondering if I could get some of your views on that, Mr. Kabilan. I believe that's something you said you have also taken much interest in.

Certainly. The cybersecurity centre I believe you're alluding to is what's going to be spun out of CSE eventually, and I think you have Scott Jones coming in after this to talk about it. When I've discussed this with the government, I've talked about the analogy with what the U.K. has done with the National Cyber Security Centre. I see, certainly from the submissions and from the various discussions that have been had around this new centre in Canada, that it's trying to mirror a lot of what the National Cyber Security Centre does in the U.K.

Just to give you some context, I mentioned earlier that education and information are two big key elements when it comes to cybersecurity. That's what the NCSC in the U.K. does very, very well. It helps to bridge that disconnect between the public and the private sector in terms of getting information across, but it also does it in a way that's accessible to anyone. It gives advice to you personally; it gives advice to small and medium enterprises, and it goes all the way to the high end. My understanding is that this new centre in Canada is going to mirror some of that functionality. If it can, particularly in that education and information sharing piece, then it will be an incredibly valuable tool in terms of helping us build our capacity and our resilience to cybersecurity threats.

However, the challenge is with what Dr. Leuprecht brought up just now, which is the idea of skills. In the U.K., the NCSC actually runs competitions as well. It gets, for example, young women to come and code, and that actually helps to bridge the gender gap. What I haven't seen clearly is some of these elements to address the questions that Dr. Leuprecht brought up about not only sharing information but also using that as a platform to build the required skills to continue to support the development of cybersecurity in Canada. It will be interesting to see how that develops.

Do I have any more time?

In terms of skills development, we heard this in the last meeting as well, and for some of these jobs, government prefers to hire trained Canadians because of the security that's required. How do we go about doing this with our academic partners in order to create more centres, like those Australia has, and follow in the footsteps of the U.K., which you speak highly of as well? How do we establish that without government doing it all?

There are a couple of different challenges there, but I think the first issue is—and I think Dr. Leuprecht would be able to answer this more fully as well—making sure there's a chain that works all the way from education to the job at the end. We actually have some very good examples here in Canada, in fact one here in Ottawa, which is Algonquin College. They actually produce some great cybersecurity graduates. They have a program, and a big chunk of them get hired by CGI directly.

We're actually producing the skills and getting them hired. It's about getting that pipeline aligned.

The centre is a collaborative effort between the United Kingdom Government Communications Headquarters, or GCHQ, and Huawei. Its purpose is to strengthen links with Huawei and give the GCHQ the opportunity to verify the security of that enterprise's equipment. Despite that collaboration effort, a public report, which I can send to the committee, still came to the conclusion that Huawei products are suspect.

In the interest of clarity, I will answer in English.

I think there are a couple of key risks. One is the pyramidal structures of the switches within the Internet. The higher up you are in that pyramid, the more traffic you can extract from the Internet. Currently, our adversaries have to try to get very high up in the Internet to extract as much traffic as they can. In the absence of that, they will reroute traffic. If the technology is embedded throughout the entire Internet, you don't have to make an effort to get at those switches anymore. You can just extract the entire traffic from the infrastructure as is.

The other problem is that even though we might test the technology,

—and this technology seems entirely safe to us—but we have to be able to update it. That is the problem.

There's always the ability for the manufacturer or an adversarial government to reach into that technology and, in the update process, install vulnerabilities in the technology. As for anything in life, it's an insurance policy that we take out.

Look at the November release by the joint congressional commission for the common defence, co-chaired by Ambassador Edelman. In its report, which you can download from the United States Institute of Peace, the commission concludes that if the U.S. today got into a war with Russia, China, or both, the U.S. would likely lose. Why? Because the war would start with a massive attack on the vulnerabilities within the critical infrastructure of, let's say broadly, the national grid; I don't mean just electricity. As a result, it would create such vulnerability, chaos and instabilities within the country that the U.S. would not have an opportunity to respond. It sure was a wake-up call in the United States. Countries such as China reserve the privilege of a first strike when it comes to cyberspace. This is part of the Chinese doctrine.

How much vulnerability and risk are we willing to expose ourselves to as a country? If we find ourselves in that situation, then it's a little late to go back.

It has been hotly debated whether or not it could. The EU had a session on this in 2017. The answer was, “We don't know.”