Public Safety Committee on Jan. 30th, 2019

Yes.

With OSFI's role in the regulatory space.... We certainly work with them, but one of the key things for us is that in the cyber centre, by not having a regulatory function, we can be turned to earlier. We obviously support a broader government, so we do work with OSFI. We try to work together when there's an incident.

Certainly, especially in the financial sector, one of the key things is that it's all about confidence. We want to make sure that whatever's happening we can maintain consumer confidence. We can do our part, but we don't speak on behalf of the government for monetary or financial policy.

How do we coordinate? We do have partners with them. They would be brought in as one of the major stakeholders if there was an incident in the financial sector, into some of the incident management things that Eric mentioned.

We're hoping that they will call us. We've made our information available, but right now they don't have any mandatory reason to report to us.

As far as I know, there would be no mandatory reporting for anything that's outside of that regulated space. We do get a number of reports from businesses that are looking for help.

One of the things we mentioned is the cyber-threat assessment, but we've also been working closely with businesses about the supply chain and how they're applying security constraints throughout their supply chain.

For a lot of the bigger incidents, it tends to be a breach as you've outsourced further things. Usually, it's not the first degree of outsourcing; it's when you get to the second. It's about making sure that you're building in security requirements and that they cascade, but also that companies are aware that outsourcing a function doesn't mean outsourcing the accountability for the information. That's something that I know a number of companies are concentrating on, but we also highlight it in the national cyber-threat assessment, for exactly that reason.

The approach for 5G is under review right now in terms of the approach for Canada. I'm very confident of the relationship we've built with Canada's telecommunications providers and the work we've done to increase the cybersecurity elements regardless of the network. The collaboration we have in terms of how we respond to incidents is something we'll need to continue, no matter what. We need to continue to build multiple layers of security, regardless of where the technology comes from.

In my job, I actually trust nothing. I assume that there are vulnerabilities in every single piece of product we have, so how can we layer more and more protections on? That includes when the data gets to the cardboard box. That shouldn't be a cardboard box; your data should be encrypted at its destination, and it should be protected. It's not about protecting the castle walls; it's about making sure you have the vaults of the really sensitive information properly protected.

Information security is evolving, as well, in terms of how we can protect that, how we can keep information protected and encrypted. Also, we have to start thinking about whether we need that information and for how long. Maybe it's not necessary to keep it that long.

It is the layered approach, and it still needs to continue.

On the 5G question, that's something that's being studied right now, and there will be specific recommendations coming out of that.