Evidence of meeting #146 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Speaking

Satyamoorthy Kabilan  Vice-President, Policy, Public Policy Forum
Christian Leuprecht  Professor, Department of Political Science, Royal Military College of Canada, As an Individual
Ruby Sahota  Brampton North, Lib.
Scott Jones  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Eric Belzile  Director General, Incident Management and Threat Mitigation, Canadian Centre for Cyber Security, Communications Security Establishment
Jim Eglinski  Yellowhead, CPC

5:10 p.m.

Brampton North, Lib.

Ruby Sahota

We've been talking quite a bit about companies and individuals not wanting to report, for different reasons. Companies want to seem like trusted institutions or organizations, and individuals feel ashamed. Maybe that's similar in both cases.

Last November, the government created a mandatory requirement for federal organizations that are subject to PIPEDA. This requires them to notify the Privacy Commissioner, individuals who may be affected and third parties or government departments that may be able to help in the situation. I think a test is required to really assess whether the breach is harmful enough that they would be required to report it. There are fines of up to $100,000.

Do you think this step, this measure that was taken, would now help get the information out there to people in the right amount of time? How do you view this?

5:10 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Not to speak on behalf of the Information Commissioner, but I think from our perspective we're looking to get that information much earlier in the process than when you know the magnitude of a breach. We're hoping that it will be when the very first indication of a cyber-compromise happens, when you see that very first spear-phishing email, that very first attempt to compromise your system and that very first attempt to use credentials. It should never be used again.

We can work with the companies. We're hoping to get information—and we are getting it—earlier in the cycle, what they call the exploitation cycle, so that we can take action and help others take action before it hits them. If you put your emphasis on what we call exfiltration of data, well, you're too late. It has already happened.

We're trying to get proactive and take action earlier. I would rather have a company call us a hundred times with 99 false positives—I'm not sure Eric and his team would like me to do that—than not call that one time when it was true and we could have taken action and helped to warn the rest of the sector about a potential breach.

That's something we're trying to incent. We're trying to work with them on that.

5:15 p.m.

Brampton North, Lib.

Ruby Sahota

That's excellent. I commend it, but the reality is that we keep hearing.... For instance, on Equifax, I've read that the breach happened because of poor cyber-hygiene practices. We've heard from our previous witness that the regulations and standards that companies are applying are really outdated, and that there's really no motivation for them to be updating those standards regularly so that they're up to date on the current threats they might be facing.

How do we incentivize these companies to take those types of measures if we don't have penalties and regulations in place?

5:15 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I think the policy and regulatory approach is something that is probably best left in your hands. For us, the basics do matter, though, and organizations do need to do them. I think the issue now is working with them, and we're trying to get the technology companies to actually improve things.

The problem is that you have to get secure by configuration. It might not have been deliberate that the vulnerability was there and they weren't doing the basics. It might have been a simple mistake by a system administrator, but it shouldn't be that easy to undermine your security because a sysadmin typed in the wrong command. There's just something fundamentally wrong.

For computer scientists and engineers, it's the equivalent of designing a bridge: If we forgot to put in one rivet, the bridge would collapse. That's not how engineers design bridges. The industry needs to figure out how to make this so that the technology isn't in such a fragile state from a cybersecurity perspective.

Those are some key things we need to do, but whether regulation is the right approach is, I think, best left in your hands. As a public servant, I will faithfully implement the directions we're given.

5:15 p.m.

Brampton North, Lib.

Ruby Sahota

We're trying our best to learn in terms of what our recommendations are going to be coming out of this study. Some witnesses paint a very scary picture when they come before the committee, and others, like you, a more hopeful one.

What sectors do you see as the most vulnerable, as sectors that we should be looking at?

5:15 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

The financial sector, for example, makes significant investments. They have excellent capabilities in terms of fraud detection, etc. In fact, it's one of the areas where we're hoping to learn from them in terms of how they use what I'll call artificial intelligence, machine learning to detect things like fraud, and to leverage their expertise as they leverage some of ours in cyber-defence.

When you look at it, you see it's sectors that don't see themselves as big IT users until you go one step in. So we're making sure that we're working with all 10 critical infrastructure sectors. There's a technology and cybersecurity element to all of those.

5:15 p.m.

Liberal

The Chair, John McKay

We'll have to leave it there. We're a little past time.

Mr. Eglinski, you have five minutes, please.

5:15 p.m.

Yellowhead, CPC

Jim Eglinski

Thank you.

I'd like to thank you both for coming today. You said that the only secure network is one with no users. Many, if not most, breaches of government networks begin with some type of phishing scam or other attempts for bad actors to gain access to legitimate credentials. The National Institute of Standards and Technology has recommended that it's no longer advisable for network passwords to be periodically reset, yet many government department IT shops still have standard 90-day reset functions in place.

Would a simple solution like this not be a good way for us to start protecting government cybersecurity?

5:15 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Thanks for the question. I think I actually said that, although I also said that being turned off makes it the most secure network.

I think there are a few elements to that.

The password is something that has changed quite a bit. We are relooking at our password advice for that exact reason. More than changing passwords, we also encourage people to look at a second factor of authentication, so a little token that generates a random number. For some people, sometimes it's a message that says “Type in this code” when they're logging into a new device, etc. Turning on a second factor is actually a key cybersecurity element. For those of you with Twitter or Facebook or any social media accounts, you should all be using your second factor of authentication to log in, and we should be applying that to all of the systems in government.

Periodic password advice is something that made a lot of sense when you had only two passwords and two systems to log into, or one. I lost count at 90 of the number of passwords I have in my personal, private and professional life. I stopped counting. We are looking at how to balance security and convenience. Also, people tend to use easy passwords when there are so many. It's something that has to be looked at.

5:20 p.m.

Yellowhead, CPC

Jim Eglinski

In your statement, when you were first talking about the cyber-threats most likely to affect Canadians and Canadian businesses, you mentioned education. Could you quickly tell me about some of the things you're doing to educate Canadians? I'm learning so much here in the last few days that I didn't know before, and I wonder how much Canadians actually know about their vulnerability with the Internet.

5:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

The first was putting out the national cyber-threat assessment, trying to give something that gives the basics, and it came with a cyber-primer, explaining what these technical terms were and hopefully in plain language. We tried very hard.

5:20 p.m.

Yellowhead, CPC

Jim Eglinski

How did you get that to them?

5:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

It's on the web. We tweeted it out and we published it. I did a lot of media. It's strange to be in a media role as a public servant. It's a little surreal. We're trying to get that information out in different ways. I would love to see every member of Parliament being able to communicate this back out. We're trying to get some simple tools that everybody can get.

5:20 p.m.

Yellowhead, CPC

Jim Eglinski

Thank you. I did that. I sent it out.

Why didn't you ever look at the newspapers versus the Internet to educate people?

5:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

It's a matter of where we're allowed to advertise and how we do it, but we'll take that as part of our communication strategy. We're always looking for ways to improve our reach.

5:20 p.m.

Yellowhead, CPC

Jim Eglinski

You do most of it through the computer system, though.

5:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

We do. We tend to go digital; it's our go-to.

5:20 p.m.

Yellowhead, CPC

Jim Eglinski

Am I running out of time?

5:20 p.m.

Liberal

The Chair, John McKay

You have a minute and a bit.

5:20 p.m.

Yellowhead, CPC

Jim Eglinski

Are there any laws in place in Canada for Canadian companies providing security measures, whether it's alarm systems in your home or stuff like that, to be honest with the consumer?

I'm going to give you a prime example. I have a very major security company that has my place all wired up. They came to me last fall and said, “Mr. Eglinski, we can make your place much safer by installing three cameras. There would be no portion of your property where anybody could move around or get into your house without us.” It sounded pretty good. I said, how much? It was a fair amount of dollars, but I said okay. But then I checked with my service provider, and he said the system wasn't big enough for it yet. They were telling me that they were providing me with all these credentials and all this equipment, but my service wasn't there.

Is there a requirement and law in Canada to be honest with the consumer?

5:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I don't know the answer to that question.

5:20 p.m.

Liberal

The Chair, John McKay

I think you're pretty well done.

5:20 p.m.

Yellowhead, CPC

Jim Eglinski

I had one more, but I'll let it go.

5:20 p.m.

Liberal

The Chair, John McKay

Thank you.

Ms. Dabrusin, you have five minutes, please.

January 30th, 2019 / 5:20 p.m.

Toronto—Danforth, Lib.

Julie Dabrusin

Thank you.

I was actually quite taken with the testimony given by Mr. Kabilan in the first one, particularly the 60% number. I know you've had some questions about that, but I think he talked about the secured armoured truck travelling between two cardboard boxes. A lot of what we're talking about can be focusing on that armoured car, and it's important, but if we don't secure the cardboard boxes, we have a real issue.

I appreciate that you used the example of your father hanging up on people, but the example was given about the U.K. cybersecurity centre and what they do for education. I was wondering how much you are planning on following that type of a model. What do you see that works from that model, and what would be different?