Public Safety Committee on Jan. 30th, 2019

Not to speak on behalf of the Information Commissioner, but I think from our perspective we're looking to get that information much earlier in the process than when you know the magnitude of a breach. We're hoping that it will be when the very first indication of a cyber-compromise happens, when you see that very first spear-phishing email, that very first attempt to compromise your system and that very first attempt to use credentials. It should never be used again.

We can work with the companies. We're hoping to get information—and we are getting it—earlier in the cycle, what they call the exploitation cycle, so that we can take action and help others take action before it hits them. If you put your emphasis on what we call exfiltration of data, well, you're too late. It has already happened.

We're trying to get proactive and take action earlier. I would rather have a company call us a hundred times with 99 false positives—I'm not sure Eric and his team would like me to do that—than not call that one time when it was true and we could have taken action and helped to warn the rest of the sector about a potential breach.

That's something we're trying to incent. We're trying to work with them on that.

That's excellent. I commend it, but the reality is that we keep hearing.... For instance, on Equifax, I've read that the breach happened because of poor cyber-hygiene practices. We've heard from our previous witness that the regulations and standards that companies are applying are really outdated, and that there's really no motivation for them to be updating those standards regularly so that they're up to date on the current threats they might be facing.

How do we incentivize these companies to take those types of measures if we don't have penalties and regulations in place?

I think the policy and regulatory approach is something that is probably best left in your hands. For us, the basics do matter, though, and organizations do need to do them. I think the issue now is working with them, and we're trying to get the technology companies to actually improve things.

The problem is that you have to get secure by configuration. It might not have been deliberate that the vulnerability was there and they weren't doing the basics. It might have been a simple mistake by a system administrator, but it shouldn't be that easy to undermine your security because a sysadmin typed in the wrong command. There's just something fundamentally wrong.

For computer scientists and engineers, it's the equivalent of designing a bridge: If we forgot to put in one rivet, the bridge would collapse. That's not how engineers design bridges. The industry needs to figure out how to make this so that the technology isn't in such a fragile state from a cybersecurity perspective.

Those are some key things we need to do, but whether regulation is the right approach is, I think, best left in your hands. As a public servant, I will faithfully implement the directions we're given.

We're trying our best to learn in terms of what our recommendations are going to be coming out of this study. Some witnesses paint a very scary picture when they come before the committee, and others, like you, a more hopeful one.

What sectors do you see as the most vulnerable, as sectors that we should be looking at?

The financial sector, for example, makes significant investments. They have excellent capabilities in terms of fraud detection, etc. In fact, it's one of the areas where we're hoping to learn from them in terms of how they use what I'll call artificial intelligence, machine learning to detect things like fraud, and to leverage their expertise as they leverage some of ours in cyber-defence.

When you look at it, you see it's sectors that don't see themselves as big IT users until you go one step in. So we're making sure that we're working with all 10 critical infrastructure sectors. There's a technology and cybersecurity element to all of those.

Thanks for the question. I think I actually said that, although I also said that being turned off makes it the most secure network.

I think there are a few elements to that.

The password is something that has changed quite a bit. We are relooking at our password advice for that exact reason. More than changing passwords, we also encourage people to look at a second factor of authentication, so a little token that generates a random number. For some people, sometimes it's a message that says “Type in this code” when they're logging into a new device, etc. Turning on a second factor is actually a key cybersecurity element. For those of you with Twitter or Facebook or any social media accounts, you should all be using your second factor of authentication to log in, and we should be applying that to all of the systems in government.

Periodic password advice is something that made a lot of sense when you had only two passwords and two systems to log into, or one. I lost count at 90 of the number of passwords I have in my personal, private and professional life. I stopped counting. We are looking at how to balance security and convenience. Also, people tend to use easy passwords when there are so many. It's something that has to be looked at.

In your statement, when you were first talking about the cyber-threats most likely to affect Canadians and Canadian businesses, you mentioned education. Could you quickly tell me about some of the things you're doing to educate Canadians? I'm learning so much here in the last few days that I didn't know before, and I wonder how much Canadians actually know about their vulnerability with the Internet.

The first was putting out the national cyber-threat assessment, trying to give something that gives the basics, and it came with a cyber-primer, explaining what these technical terms were and hopefully in plain language. We tried very hard.

How did you get that to them?

It's on the web. We tweeted it out and we published it. I did a lot of media. It's strange to be in a media role as a public servant. It's a little surreal. We're trying to get that information out in different ways. I would love to see every member of Parliament being able to communicate this back out. We're trying to get some simple tools that everybody can get.

Thank you. I did that. I sent it out.

Why didn't you ever look at the newspapers versus the Internet to educate people?

It's a matter of where we're allowed to advertise and how we do it, but we'll take that as part of our communication strategy. We're always looking for ways to improve our reach.

You do most of it through the computer system, though.

We do. We tend to go digital; it's our go-to.

Am I running out of time?

Are there any laws in place in Canada for Canadian companies providing security measures, whether it's alarm systems in your home or stuff like that, to be honest with the consumer?

I'm going to give you a prime example. I have a very major security company that has my place all wired up. They came to me last fall and said, “Mr. Eglinski, we can make your place much safer by installing three cameras. There would be no portion of your property where anybody could move around or get into your house without us.” It sounded pretty good. I said, how much? It was a fair amount of dollars, but I said okay. But then I checked with my service provider, and he said the system wasn't big enough for it yet. They were telling me that they were providing me with all these credentials and all this equipment, but my service wasn't there.

Is there a requirement and law in Canada to be honest with the consumer?

I don't know the answer to that question.

I had one more, but I'll let it go.