Public Safety Committee on Feb. 4th, 2019

Thank you.

I saw the transition and the preparation during the Cold War period. What I mean by that is that during the seventies and eighties, computer systems in the armed forces throughout the world were susceptible to that kind of threat. Data processing rooms were built to withstand any EMPs. As time progressed and by the end of the Cold War, it was considered too costly to proceed that way, so we went on—and by “we” I mean different companies—to buy commercially available off-the-shelf computers. This is how we became vulnerable today.

Unless you have a duly prepared room to withstand any EMPs, any system is vulnerable. The telco infrastructure is vulnerable; any cars on the road that are highly electronically enabled are vulnerable.

To that extent, Mr. Motz, we are, I'm sorry to say, doomed, if one gets out and is blasted 400 kilometres above North America. North America itself will be down and we'll be living back in the way of life of 100 years ago, getting heat from wood stoves and communicating using the smoke from their fires.

Oh, oh!

I'm not sure I'm following your question, sir.

Currently, we have agencies such as CSE and the cybersecurity centre that are beginning initiatives to foster and enable some hackfest festivals throughout the country, or conferences to that effect.

As an example, I was at the hackfest festival in Quebec City in November, which for the last 10 years has been fostered by CSE. They have a preview of what's going on with the latest and greatest hackers who are around to do the hacks through whatever technological means they have at the time. It's a pool of resources they can go to to get the best from the latest and greatest they can find. There is “Atlantic con” or Atlseccon, and there is another security conference in B.C., and others across the country. In this way, the agencies are active in figuring out what's happening on a real-time basis.

I believe that with CCC's being what it is today—I mean, it's alive—it will become more invested. That, for me, would be one positive point: having a government agency always be present in letting the community know that people are....

Minister Gould just disclosed at that hackfest festival in Quebec City that Canada wanted to have more hackers present to help the Government of Canada fend off any bad influences in the next election. That was a first. Everybody was stunned by the announcement. This was a positive point, by which the government was letting the community know that they wanted everybody to pitch in and do the best we can not to have a situation like what happened in the States.

Before I founded HackerOne, I used to be a penetration tester. One of the reasons we started the company to begin with was that we believed we needed a scalable model that would apply to every organization on this planet, and that would also be affordable for everybody on this planet. As you pointed out, penetration testing, our consultancy, has been very expensive.

We believe that the more the company has to protect, the more they need security. Because of that, everybody on this planet should be able start their own vulnerability disclosure program. At HackerOne we have offerings that are free for open-sourced and community organizations. We have help or products available for people to establish that process for their organization, even without any incentives on the platform itself. By that, we believe we will enable every organization on this planet to improve their defences against a data breach.

I can share some thoughts.

The problem we've seen with small organizations is that it is always a trade-off of risks. There are checklists available, or policy documentation, around what to do as a small organization. Unfortunately, it is up to the organization to implement some of those best practices that have been established. We've seen organizations, especially smaller organizations, treat those more seriously, especially as they become, as you said, more data-intensive.

However, we have not been able to establish a checklist based on the vulnerability data that we've seen on a platform level yet, but we do expect that will happen in the next couple of years.

We would be happy to work with third parties to establish that. I don't have a more concrete answer for you right now.

Yes, sir.

Some of this documentation exists already, from the NISC in the U.S., which I can say has been projected internationally and is a good way for any business to start. That documentation has been formatted for very large enterprises as well as for SMBs.

Definitely, if an SMB is serious about protecting its data, it will go through that. However, my coming from that background of SMBs, I know that they don't have time to do that. What will be needed is really something that is a one-click-stop shop. They would just have to pay for the bare minimum and have a list of whatever mandatory verification that would be done and could be satisfactory to them. But what would that satisfaction be? Would it be for the payment card industry? Would it be satisfactory for privacy issues, and so on? There's no clear guidance by which the owner of whatever coffee shop can verify, is my business satisfactorily safe in itself and for customers, and so on, and do I offer Internet access to the customers? If so, how do I do it?

I go so many times on the road, and a bad habit of mine is to verify the security in these coffee shops. Most of the time, you find you have access to the cash register as well as the operation in the back hard drive that has all the backups in it, and access to the Internet. That's the kind of purview. These SMB owners just want to make it work, because they have so little room, and cash, to get resources.

I'll start with the first question. As you saw, there are so many statistics out there to say there's a lack of cyber-expertise. As testimony to that, my calendar shows that I have a reduced number of opportunities to teach and train people in it. One reason is that the costs have been going up for a few years, but another is that the people are not committing to do that job. It's a very demanding job. You have to know a lot. You have to know so many operating systems from however long in the past, and also to be able to adapt to the newest, latest and greatest ones that are coming around.

That said, we do have universities with good programs in place to train those people. I just finished doing a microprogram in cybersecurity at the master's level with the University of Sherbrooke. We had 15 people in the class. It was an awesome program, but we had only 15 people. I would have liked to have 115, because those people were really eager. They wanted to enhance their knowledge—they're professionals in the trade—but it was one of the rare occasions they had to do so.

Back in the old days, in 2003, I was with the University of Winnipeg, and that was when the first certificate came out. But the adoption is not present. It's not as forthcoming as in many countries, where they have this in their school systems.

This is one of the problems we haven't figured out yet—“we” meaning the world. We are seeing that there is going to be a bigger problem in that if an organization does ship firmware that contains security vulnerabilities, at some point it might not matter, because the companies will be getting away with it.

With some of the recent changes that we are seeing, there are more consequences for an organization that is neglecting security, and I think that's a good thing. Consumers demand higher standards, especially when they buy certain products. I also believe that with some of the regulations being changed, where the government can demand that organizations comply with certain standards, it's going to be very important for us to make sure that organizations do not have a chance to ship firmware that has not been tested. That, I hope, will in effect mean that we're avoiding a race to the bottom.