Public Safety Committee on Feb. 4th, 2019

There is a concern, and I think that the United States as well as the U.K. have adapted standards in the area of IoT, like a list. The U.K. has a standard of 10 things that it recommends in the IoT area, and vulnerability disclosure policies are number two.

In the U.S., the FTC, the Federal Trade Commission, has taken a very active stance in requiring certain things it sees in the development of this area, as well as the FDA with medical devices. The FDA issued a medical device safety action plan last year requiring a bunch of things, even the development life cycle or the launching of a medical device.

I think the unifying theme across all of these laws and standards is that, because everything is interoperable and connected, everyone has to be doing the same thing. I think that's the purpose of all of these policies and standards, unifying standards like NIST, in these different areas.

We're kind of doomed, as you put it, because there are so many devices that have literally been swamping or invading the market without any such verification that they are....

I mean, these thinks put into the hands of people in the sense that they will facilitate their lives and enhance their environment. They're selling, let's take the example of a $250 thermostat that will document your way of life nowadays, and they give that information to the company that is now Google, who owns these devices. So yes, you'll be able to remotely activate your heating in your house when you come home and program it, while at the same time it will document when you're there and when you're not.

That, for me, is something that should have been taken into consideration before authorizing these kinds of devices in the market. Most people don't even realize that this kind of device is documenting their lives as they go on. Even for the other devices that we find in cars, as an example—more and more you'll have devices running the cars—they will also be hackable at the same time, because there will still be software that's incomplete.

Oh, oh!

I am familiar with the situation. There are two problems with blockchain technology that I would like to point out.

The first is that current computers are simply not fast enough, so even if we wanted to crack some of the encryptions that are being used in blockchain technology, we simply don't have the computing power to do so. It will take many years for computing power to catch up on that.

The second problem is that I think, especially with blockchain technology, because it technology is so new, consumers have put a lot of trust in these organizations that are worth hundreds of millions of dollars, but they have no idea what kind of defences have been put in place, or if too many defences have been put in place, in which case they rely on a single person.

In a way, the technologies are great and I think that experimenting with them is the right way to explore what their applications are. However, I am not of the belief that financial implementation that has taken place to date—like Bitcoin and some of the other cryptocurrencies—is the right application of the blockchain itself.

The technology itself is very powerful and should and can be used to solve some of the problems we've seen, similar to the case in which a single person has the responsibility for $250 million of other people's money and assets.

Yes. That should never be the case.

One of the fortunate and unfortunate effects of blockchain or cryptocurrencies is that there exists only one copy of one particular block or a coin, depending on the cryptocurrency, which means that if an organization like this does not have access to what they call “wallets” anymore, the money is essentially lost and there is no way to mathematically retrieve those wallets, let alone access them.

That is a great question.

This is why I believe hacker-powered security is so powerful. If there are a lot of people who have the same incentives, we believe that there are always more people who will be able to find the same vulnerability. If one of those people, whether they're a criminal or not, decides not to disclose that security vulnerability, they run the risk of other people identifying the exact same vulnerability and disclosing it to the organization.

We've never set out to compete against the black market where, essentially, zero-day vulnerabilities have been traded, either with governments or private organizations. The bug bounty programs have definitely created a reverse incentive for these black hat hackers to go after these vulnerabilities, because the prices are essentially going up simply because the chances of people with good intentions finding the same vulnerability are skyrocketing today.

If I understand your question correctly. Mr. Picard, you are asking me whether or not the government could use the services of recognized hackers.

The contracts that Public Services and Procurement Canada enter into have to be properly done. They have to contain a section on security. A security check has to be done. If an individual, or group of individuals, works on the government's information systems, they have to have received the appropriate legal authorization to be able to do the work.

Do you want an answer from a personal perspective, or from a company perspective?