Evidence of meeting #146 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Satyamoorthy Kabilan  Vice-President, Policy, Public Policy Forum
Christian Leuprecht  Professor, Department of Political Science, Royal Military College of Canada, As an Individual
Ruby Sahota  Brampton North, Lib.
Scott Jones  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Eric Belzile  Director General, Incident Management and Threat Mitigation, Canadian Centre for Cyber Security, Communications Security Establishment
Jim Eglinski  Yellowhead, CPC

January 30th, 2019 / 3:30 p.m.

Liberal

The Chair Liberal John McKay

Colleagues, let's bring this meeting to order. We are already past 3:30, and I see that we do have quorum.

This is the 146th meeting of the Standing Committee on Public Safety and National Security. We're undertaking a study on cybersecurity in the financial sector as a national economic security issue.

We've been advised that our other witness is stuck in his own security line, but I imagine that will clear with some time.

I see that Mr. Kabilan is here. I'm sure he is knowledgeable about appearances before committee, so without further ado we'll ask you for your 10-minute presentation, sir.

3:30 p.m.

Dr. Satyamoorthy Kabilan Vice-President, Policy, Public Policy Forum

Good afternoon.

Thank you very much for the invitation to speak to you today. The topic you've asked me to cover is the issue of cybersecurity, and in particular how it applies to the financial sector.

I think it would be useful to start with a very quick bit of background information when it comes to cybersecurity, in terms of why the financial sector is of interest, who the actors might be who might be interested in attacking, compromising or otherwise getting into the financial system, and some of the challenges that go with trying to protect the financial system and why.

I did provide my speaking notes beforehand, and the cover is just some very, very big numbers. Essentially, we're talking about the rate of breaches per day. It's in the hundreds, if not more, and it just keeps going up. People are very interested in attacking organizations from a cyber or Internet perspective because it's easy. You can be anywhere in the world to do it. In particular, when we think about those who might be interested in the financial sector, I would bucket them into four categories.

The first category is very easy: people who like the challenge. I sometimes refer to them as thrill-seekers. Financial institutions represent probably the toughest nut to crack when it comes to cybersecurity, so the kudos that goes with successfully breaching systems is very high in the hacker community. In many cases, this sort of action may be harmless and may be more reputational, such as changing the graphical interface on a web page, but nevertheless it's a group with interests in the financial sector.

Second are the hacktivists, those who have a social or political cause and see the financial sector or some of those it supports as being part of the challenge they face. Hacking helps them to further their cause or further their message. Again, I think it's very straightforward. Everyone has heard of Anonymous, though they're not very anonymous anymore.

Third are the criminals. Again, this is very straightforward in some ways. In the financial system, there's a direct monetary return that can be gained by criminals, but it's not just the direct monetary interest that criminals have, and I think this is very important to emphasize. You could hack into a system and try to siphon out money, but it's not just money that's in the system—it's information. It's personal information and information about the dealings of companies, all of which can be monetized in other ways. When we think about criminals, it's not just about direct monetization off the attack; it's also about the indirect benefits they can gain.

Finally—and I think this is where some of the biggest challenges are coming from—there is the issue of nation-states. You might ask the question, why would another state be interested in our financial system? If you think about it for a moment, in terms of the challenges we face in today's world, economic competition is as stiff as it ever was, and understanding the financial system, because everything flows through it at one point or another, gives you a very strong indication of not only how the country is doing, but also potentially how some of the corporations within the country are doing.

When it comes to having the upper hand in the economic challenge sphere—I shouldn't say “warfare”—from nation to nation, understanding the financials of a nation becomes very useful. If you think about that further and you're talking about nation state-sponsored takeovers, that information becomes even more useful. Ultimately, if you think about modern warfare and modern threats, think about the financial system this way. At the end of the day, our financial systems are literally based on confidence. Anyone who is able to infiltrate that and affect that confidence will affect our markets.

We've seen time and time again how markets change just on the basis of what people think is going to happen. For those nation-states, in terms of a leg-up, in terms of a new hybrid warfare option, that becomes a target of tremendous interest, because the consequences can be quite significant if you manage to undermine confidence in the financial system.

If we take a look at those four actors and then look across the financial system, I think there are five key challenges we have to think about.

The first is—I think this has been mentioned time and time again—that we think about the threats we face in terms of regulation and legislation. We think that if we put in the right rules and the right standards, we'll be able to stop bad things from happening.

I don't know how many of you have the 60-day or 90-day password rule change. Just to let you know, that was invented in the days when it took between 60 and 90 days to compromise your account from when someone had your password, but this is an ISO standard, and in many cases it's a requirement for companies.

First and foremost, standards are actually struggling to keep up. By the time a standard comes into place, we've gone well beyond it. I think the first big challenge we face, particularly in the financial sector, which is heavily regulated, is that if we just depend on standards and regulation, which cannot keep up with the threat, for me they're just the table stakes to get into the game. It has to go far beyond that.

The second issue, which is certainly as pertinent in the financial sector but it cuts across everything in cybersecurity, is the issue of information sharing. If I'm company A and somebody has tried to attack me by going after a very specific piece of software and no one knows, it's a zero-day vulnerability. No one yet knows this vulnerability exists, but the rest of the financial sector, maybe 70% of it, depends on the same software. Do you know what? It's embarrassing to admit that I've been hacked, so I'm not going to tell anyone. That's the typical story we hear about cybersecurity. The information about what's happened is rarely, if ever, shared or made available. Now, this is not about embarrassing anyone. This can be made available anonymously. Some nations like Australia, for instance, are pushing for more and more disclosure when it comes to breaches or attacks. Having that intelligence and information shared actually has a crucial role to play in cybersecurity, and it's something we have not gotten right yet.

The third challenge is that whenever I say “cybersecurity”, someone brings up a smart phone and says, “Yes, it's about securing this.” Cybersecurity is not just a technology problem. In fact, if you look at the latest breach statistics from the Australian privacy commissioner and work it out in terms of the different categories they use, over 60% of it comes through humans, either malicious or non-malicious, making mistakes or being socially engineered. That's 60% or more. This is not just a technology problem; it is very much a human problem.

I would say this to you as well: If I wanted to hack your bank, I wouldn't hack your bank; I would hack you. It's far easier to engineer a person than it is to get through the protections that a financial institution or a large organization might have.

The fourth thing, which is kind of an extension of that first piece about technology, is users. I think there was a news story a few weeks ago about a user being compromised because they were taken in by a scam and they were actually paying out large amounts of money. Unfortunately, that security, as one expert once described to me, is like armoured vehicles with armed officers taking money between two cardboard boxes, and it's the cardboard box at the end that we worry about, because the user at the end may not be as well defended, or may not understand things as well as the bank or the financial institution or the provider of the services might.

My biggest nightmare was when my father got an eBay account and a PayPal account. Not everyone is familiar with the digital world, and therefore there can be attacks against them, and while you and I may look at those and laugh and say we know they are scams, not everyone will. So the user at the end of the chain is another piece that we need to think of.

Going back to the comment I made about confidence, it may not be a financial institution's fault, but if enough of those users, particularly as people age, start suffering these attacks, think about what that does for confidence. They tell their friends; their friends tell their friends, and that spreads. There's a problem with the system, but it's not the system; it's the user, at the end of the day.

The last piece, which I think is a very big challenge and certainly it's pertinent in today's headlines, is the issue of supply chains. This might sound a little odd in cybersecurity, but think about it this way. We buy equipment; we buy bits and pieces from all over the world, and we integrate those into our systems. If we look at the earpieces we're using today to the translation systems, to the audio systems, there will probably be anywhere between three and 20 countries involved in constructing all of those. There's a direct supply chain, but it's not even in the equipment we're using directly. For those of you who remember the infamous Target breach, it was the HVAC system that they went after. They went after the HVAC company, and through that breached the system, and from there got into Target.

Supply chains have become very complex. They involve not just the bits and pieces we buy, but also the organizations that provide services to us. Again, I wouldn't attack your company; I would attack whoever services your company. When we think about cybersecurity, all of these elements add up to a very dangerous picture, which is, what does that do to confidence? If enough of these incidents keep happening, will they affect confidence, which is ultimately what underpins our financial system? That's why cybersecurity in the financial sector is a major concern and continues to be a major concern today.

3:40 p.m.

Liberal

The Chair Liberal John McKay

Thank you very much.

Apparently, colleagues, our second cybersecurity expert is tied up in security, which is a problem. I propose that we commence our questioning. When he arrives, we can interrupt the questioning to hear the testimony.

With that, Mr. Spengemann, you have seven minutes, please.

3:40 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Mr. Chair, thank you very much.

Thank you, Mr. Kabilan, for being with us today.

One of the lenses I would like to use in exploring this topic is the premise that good cybersecurity is good for Canadian business, is good for foreign investment, is a social good. Where do you see the Canadian system being positioned vis-à-vis, say, the Five Eyes allies we talk to a lot? You mentioned Australia. How are we doing specifically with respect to the banking sector? What concrete challenges do you see that this committee should be looking at?

3:40 p.m.

Vice-President, Policy, Public Policy Forum

Dr. Satyamoorthy Kabilan

First and foremost, to the assertion that good cybersecurity equals good business and good opportunities for Canada, I would wholeheartedly agree. In an era when data has become so important, and the ability to operate on a virtual basis has become the core or fundamental for almost every organization today, it has become almost an infrastructure requirement to have good, concrete systems that are safe and secure.

To the question around where Canada is now, that's actually very difficult to judge. I would go back to my previous statement about information sharing. There are some overt pieces where I think we may not be doing as well. One key overt piece is the issue around information sharing on cybersecurity breaches. We don't have a requirement to do that. There have been attempts in the private sector to try to remedy that—the Canadian Cyber Threat Exchange is an example, and I believe you'll hear from Scott Jones later on—but I don't think we do very well on that.

In terms of actually acting, one of the things we need to look at is how we get that information back out. If you've been breached, or if you suffer from an issue, it's not to embarrass you or cause problems from a shareholder perspective; it's just so that intelligence can go back into the community and say, “Here's the vulnerability. Here's something to do about it.” While it's hard to judge where we are, we certainly don't have something robust in place that makes us share that information and ensures that all organizations can get access to that type of basic information.

3:40 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

That's very helpful.

Do you see the tendency to under-report cybercrime as being limited to the stigma of being embarrassed about reporting a breach, or are there other factors that the committee should know about?

3:40 p.m.

Vice-President, Policy, Public Policy Forum

Dr. Satyamoorthy Kabilan

Certainly embarrassment is one, but it can have financial repercussions as well. Those can be direct—i.e., fines for loss of personal data—and also indirect, such as from the reputational damage that goes with it. You can also have, of course, direct impacts on shareholders, for example on share price. There's a whole range of impacts that go with it.

When I was in my previous role, we did a piece around information and intelligence sharing. There's another little piece in here that I don't think we've addressed but that may help—namely, the misperceptions between the public and the private sector around what can and cannot be shared and around what will and will not be protected. For example, as a private company, if I were to share some of this information with the Government of Canada, technically that would be privileged. That should be protected from being disclosed under ATIP. Again, it's private information and it has commercial implications. That's not always well understood: where that information resides and how it's protected.

On the flip side to this, some reports have looked at the challenge within government of understanding what they can share back the other way. The constant riposte we get from the private sector around clearances is “I may have a secret clearance, but I can't have a secret conversation or secret data actually shared with me.” There's still the caveat that regardless of whether you have that clearance or not, the information flow is still very much dependent on relationships that you might have and not so much on whether or not you have the clearance to have it.

3:40 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Thanks very much. Again, that's very helpful.

You're speaking just about financial institutions, the cornerstone of our economy, the large institutions that have capacity to look after their own cybersecurity infrastructure. I want to shift the lens a bit and ask you about your thoughts on small businesses and start-ups. This government is very focused on creating an environment that encourages entrepreneurship and start-ups and innovation. For smaller businesses, the cost of having to provide their own cybersecurity infrastructure is....

I'll put it over to you. Is it prohibitive? Are there specific challenges we need to look at for small business? If so, what augmented role could governments take to provide that platform of good security?

3:45 p.m.

Vice-President, Policy, Public Policy Forum

Dr. Satyamoorthy Kabilan

I don't have any in-depth research on this, but certainly from the little bits that my team has looked at in the past, it's not so much the cost that would be the first thing I would address, though that is an issue. For some things, such as making sure you have up-to-date systems, etc., there is a cost involved, but a lot of it is down to education. How do I actually protect my systems? What is actually necessary, and how do I quantify the risk that my company faces? Is the risk I face because I have a food truck and I take credit cards? Is that the same as the risk I might face if I ran a small boutique store and I was taking personal information because I wanted to create a loyalty scheme? Are the risks the same? Is the data going to be looked at in the same way in terms of actors who might be interested in attacking my organization?

I think the bigger challenge is not so much the cost; it's a more fundamental issue. It's around education and it's around getting small businesses to understand where their risks are and what simple steps they can take to actually deal with them.

3:45 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

I'd just like to take the remaining minute and a half I have to ask you about what levers you see in the hands of government, other than regulation, and specifically about your thoughts, if you have any, on public-private partnerships in augmenting our baseline security infrastructure for the private sector.

3:45 p.m.

Vice-President, Policy, Public Policy Forum

Dr. Satyamoorthy Kabilan

Certainly the public-private partnership route is, I think, one that needs to be explored, because no one sector, on its own, has all the answers.

Again, organizations like the Canadian Cyber Threat Exchange have attempted to do this. They have brought government in, and they've tried to work with the private sector. But it's bringing the two together.

There are some capabilities in government organizations like the Communications Security Establishment. They have some fantastic capabilities and knowledge, but equally—and you mentioned this—these large financial institutions are investing in cybersecurity, so they do have knowledge and they do have capabilities of their own. If those can be brought together, the sum of the whole will be much greater than the individuals acting on their own.

3:45 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Thank you. Again, that was extremely helpful.

Mr. Chair, do I have any time left?

3:45 p.m.

Liberal

The Chair Liberal John McKay

You have 15 seconds.

3:45 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

I think I'll pass it over.

Thanks very much.

3:45 p.m.

Liberal

The Chair Liberal John McKay

In those 15 seconds, I'll ask you one question. When I was in NATO last week, a presenter talked about the Norway model, in which all of the information comes to one location. Are you prepared to comment on that?

3:45 p.m.

Vice-President, Policy, Public Policy Forum

Dr. Satyamoorthy Kabilan

I'm not 100% familiar with the Norway model, but if you're talking about a central hub where everything comes in and everything is scrubbed or protected, on the one hand, you have a great advantage in making sure you have central control over everything. The flip side to it is that if that hub goes down, everything goes down.

3:45 p.m.

Liberal

The Chair Liberal John McKay

Good. Thank you.

Mr. Motz, you have seven minutes.

I hope our security people have a really good reason for why our witness is not here.

3:45 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

I just sent Sean down and he said he—

3:45 p.m.

Liberal

The Chair Liberal John McKay

I sent my Shawn down too.

3:45 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Okay, Sean and Shawn should be able to handle it. He said he should be here in a couple of minutes, so hopefully—

3:45 p.m.

Liberal

The Chair Liberal John McKay

It's been a long couple of minutes.

3:45 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

I can start my questions, if I may, Chair. I could slightly adapt Mr. Leuprecht's questions as well.

Sir, thank you for being here.

One of the questions I have for you, given your background, is whether you can explain for us some of the vulnerabilities that exist currently with the IoT technology, the Internet of things technology. I don't think people really understand the vulnerabilities that exist there. Can you explain those for us?

3:45 p.m.

Vice-President, Policy, Public Policy Forum

Dr. Satyamoorthy Kabilan

The Internet of things is a rather interesting phenomenon. Just to go back a little bit, what's happened here is that it has become cheaper and cheaper to basically put a microchip into things—

3:45 p.m.

Liberal

The Chair Liberal John McKay

Mr. Motz has very graciously said he'll defer at this point, so we'll restart Mr. Motz's clock when Professor Leuprecht settles himself in.

I'm sure you have some negative commentary on our level of security.

3:45 p.m.

Dr. Christian Leuprecht Professor, Department of Political Science, Royal Military College of Canada, As an Individual

We all make do with the resources we have, right?