Thank you to the committee for the invitation to share insights on some of the problematics perceived by fellow citizens with their access and/or security of their earnings or savings versus computer technologies.
First, I will give you a brief introduction of where I come from. After serving with the Canadian Armed Forces and DND for 23 years, I was privileged to be among the first cyber-soldiers in the country to manage networked information systems, from a LAN size of about 250 users to a MAN size of about 5,000 users on multi-sites at a base level in its early stages of integration. This was in order to provide the right information to the command structure in what was previously a paper-based process, from normal day-to-day office tasks to the academic activities I was doing at CMR Saint-Jean as well as in operations. More recently, my job has been educating and training professionals and the public on how to apply best practices in information technology and to explain, in plain language—as we will do today—what is happening in the cyber space that affects everyone and everything on almost a daily basis with the news media. I shall present these insights to you now.
The situation is that it is a quarter past midnight.
This is the 21st century, as you all know. We are more connected than ever and our lives are more and more automated. In large part, the country's economy depends on the use of technology, by small and medium-sized companies and by big business. Even government services have turned a technological corner. The reality, however, is catching up with us more and more.
The few examples listed in the document I submitted to the committee demonstrate that the problems will continue as time goes on, but they are still of concern now. For example, the smartest programmers and IT experts are designing improper configurations in order to give themselves an unfair advantage in their stock market transactions.
Anyone who takes the time to learn about using, or even hacking, technology can find on the Internet techniques to find loopholes and to get around security, The latest techniques can be used to exploit the flaws, most of the time in order to get one's hands on information that will lead to financial gain.
In recent years, especially in 2017 and 2018, we have heard that ransomware is pervasive and virulent. It can attack not only individuals, but also any organization at all without exception. This type of scam still affects us because people are poorly informed and unable to identify the threats. The wrongdoers, moreover, have refined their methods, so that it is more and more difficult to identify the malware in a real email message.
Today, financial institutions are asking, not to say demanding, that their clients conduct their financial transactions only from their personal computers, their mobile phones, or by some other connected means. They expect everyone, employees and customers alike, to know how to work Windows 10, or the most recent version of Microsoft Office.
People do not have the training or the knowledge to use the basic tools used in those transactions. Most of the time, the transactions are conducted when security measures are not the best and the connectivity is dubious. Public Wi-Fi connections in hotels or Internet cafés are not secure at all. Cell phones, while they are hacked into less, are just as lacking in security.
The delay in deploying the promised high-speed connectivity to our regions reinforces the cynicism that come from the lack of access to a speed decent enough to allow financial transactions. The cynicism come from the fact that businesses and residence in Port-au-Prince, Haiti, have or, in the coming years will have, access to fibreoptics, well before those only 50 kilometres from Montreal.
What should we do, or what can be done? Well, I say take the lead and lead by example. It was with much enthusiasm that I heard about the set-up of the Canadian Centre for Cyber Security last October. This distinction of “cyber” as a separate component of “security” needed to be on its own to underline its importance. Too often I have encountered in large enterprises, as well as SMBs, “computer security” being considered as under the responsibility of the first appointed volunteer in the room. It's a necessary evil to many, but by having the federal government proceeding this way, few reasons can be found by any enterprises to set aside matters of cybersecurity and, hence, put the matters front and centre.
The CCC's recent changes in resources devoted to cybersecurity were long overdue. Canada used to be the nation of telecommunications firsts. Now we are dragging behind the rest of the world; we are trying to keep up with a technological wave of innovations. We used to have the best telecommunications equipment maker in the world called Nortel. It was taken away from us. Canada was one of the first nations to stand up as a leader in quantum security for computer networks. Most of that research was taken from us recently.
Strengthening the government's information systems has helped greatly to ensure their availability. Everyone can consult their information at any given time. As you have come to know, the prime target in computer exploitation is the weakest link, which to this day is the human component, particularly for the average citizen, whether at home or on the road.
The emphasis is on having a strong economy while using IT. This can be achieved by using information technology and by taking a live rather than a computer-based approach to educating those who use that technology. That means pretty much everyone nowadays. This approach reassures and gives the citizen or user immediate feedback.
Every day, Mr. and Mrs. Everyone are using incomplete software and hardware brought to this market without any guarantees that it will work—or that it won't fail. When cars are sold in this country, they come with all sorts of seals of approval, and Transport Canada oversees their safety. You can buy a set of Christmas lights anywhere in the country and they will come with a seal of approval from the CSA. Industry Canada oversees their application and safety. Who applies the same controls and validation to computer code or electronic hardware?
These devices on which we depend each day—also known as IoTs—are roaming freely all around us, without any form of safety certification. Insulin pumps are an example. Although the importation and sale of such devices seems to be regulated by Health Canada, who oversees the code used by these devices to keep people alive? Are they doing the right thing? Are pacemakers in the same situation? I believe they are.
Who certifies the computer code for ATMs to ensure that Canadian citizens have access to their money when needed, or smart dolls? We hear that they are being sold in North America even though they have been declared illegal spying devices in Germany due to privacy issues with kids. Who is supposed to protect our children's privacy from these immoral devices, if not the Privacy Commissioner?
Hardware and software code should be overseen by an independent government agency like CSA, as an example. Ideally, this agency would have a say about what's distributed for life-critical devices and would impose stiff penalties for non-conforming products—or simply ban them from the market.
In that matter, we are now confronted with a new dynamic in today's economy, the use of biometrics to do business. In July last year, the Chinook Centre in Calgary was caught embedding facial recognition cameras in the mall's interactive panels. It was documenting the clientele without their knowledge, with no warning whatsoever.
Complaints were made to the privacy commissioners of Canada and Alberta. To this date, none of the reports from these investigations, started in August 2018, have been published. I just came from the Promenades Gatineau, where I documented the presence of these panels, though not from the same company. They embed cameras on the panels without warning people they are being documented at that place.
We are now confronted with a similar situation at Place Laurier, where four stores are openly using facial recognition with the goal of documenting clients' feedback through their biometric characteristics. This kind of tracking is already happening with cellphones, of course, and the fidélité cards that consumers use in stores.
It would certainly be beneficial to everyone if the OPC were to grant authorizations, after a proper accreditation process, to organizations and businesses for the use of biometric technology. This would minimize the cost overruns of inquiries and also reassure citizens that the government has their backs with respect to privacy matters.
Is it too late? No, I believe that there is still time to do things right.
As for any tool, we must take the time to read the manual before we use it. Who among you has used or read the manual for Windows 10, Windows 7 or Windows XP? My feeling is that none of you did. They are very large documents. People are afraid of them and run a mile. At that point, third-party assistance becomes necessary. The human beings using the machines still need other human beings to train and guide them.
Your enlightened study of this issue will certainly be appreciated and will allow for improvements to what is not working well. That will create the impetus we need for the various participants to contribute to a better economy and it will help us once more to become the leaders that, fundamentally, we are.
I am now available to answer questions in both official languages.