Evidence of meeting #147 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Deborah Chang, Vice-President, Policy, HackerOne
Steve Waterhouse, Former Information Systems Security Officer, Department of National Defence, As an Individual
Jobert Abma, Founder, HackerOne
Ruby Sahota, Brampton North, Lib.

4:20 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you, Mr. Chair.

I want to thank our guests for being here. However, I would like to take a little time to deal with the current situation in the Standing Committee on Citizenship and Immigration. My colleague has just submitted a motion. So I would like…

4:20 p.m.

Liberal

The Chair Liberal John McKay

Excuse me a second, Mr. Paul-Hus. Can this be done at the end of the meeting?

4:20 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I will be quick, Mr. Chair.

4:20 p.m.

Liberal

The Chair Liberal John McKay

There's no such thing as a rapid motion.

4:20 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I will read my motion quickly and the committee can decide.

4:20 p.m.

Liberal

The Chair Liberal John McKay

Okay. Personally I'd prefer it to be done at the end of the meeting, but if you insist on going forward, I have to take it out of your time, which is regrettable because I love Mr. Motz's questions. Okay.

4:20 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

That is what I would have preferred too, but I may not be available at 4:30 p.m. So I will continue, Mr. Chair. I apologize.

I will read my motion for the benefit of my colleagues:

That, pursuant to Standing Orders 108(1)(a) and 108(2), the Committee meet jointly with the Standing Committee on Citizenship and Immigration to study whether gaps in the process of the security screening for persons entering Canada have arisen over the last three years, both at official points of entry and between points of entry, to identify the causes and impacts of these gaps, and propose potential solutions; that departmental officials and Ministers from both Immigration, Refugees, and Citizenship, and Public Safety and Emergency Preparedness be present for at least one meeting; that officials and elected representatives from the United States federal Congress and Senate be invited to attend; that these meetings be held before Friday, March 1, 2019; that the Committee report its findings to the House; and that pursuant to Standing Order 109, the government table a comprehensive response thereto.

4:20 p.m.

Liberal

The Chair Liberal John McKay

Okay.

This motion has proper notice. It's properly before the committee. I would prefer that it be done at another time, but it is what it is, and I'm assuming somebody wants to speak to it.

Ms. Damoff. Again, I apologize to the witnesses.

4:20 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

Thank you, Chair. I too apologize to the witnesses for taking up their time.

I'm disappointed, but I guess I shouldn't be surprised by this motion. It's typical of what the Harper-Scheer Conservative style of politics has become. They want Canadians to be afraid, and once again are choosing to scapegoat newcomers.

4:20 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Mr. Chair, I would like to comment.

4:20 p.m.

Liberal

The Chair Liberal John McKay

Yes?

4:20 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I simply submitted a motion according to the rules of the House of Commons. It is not appropriate for my colleague to start playing politics at this table.

4:20 p.m.

Liberal

The Chair Liberal John McKay

If we could minimize the partisanship on a partisan motion, the chair would be much happier.

Ms. Damoff, if you could speak to the motion, please.

4:20 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

The fact is, Chair, that Canadians can and should feel safe and secure knowing that we have a secure border and a strong screening system. Their safety has not been, and never will be, compromised. We will not be supporting this motion.

4:20 p.m.

Liberal

The Chair Liberal John McKay

Is there further debate? Seeing none, I'll call the vote.

(Motion negatived)

Mr. Motz, you have two minutes left.

4:20 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Chair.

My first question is for HackerOne. You've basically dominated the American ethical hacker business. Do you have suggestions for best practices here in this country and how we might be able to establish that sort of reputation with the private side of ethical hacking here?

4:20 p.m.

Founder, HackerOne

Jobert Abma

We believe that hacker-powered security is the key to empowering the world to build a safer Internet. Leveraging the hacker community is one of the components of a mature security organization. HackerOne leverages data to help organizations build a mature security organization and to prioritize what to work on. We encourage everybody to at least establish a vulnerability disclosure policy in order to work with the hacker community to uncover the unknown unknowns—the security vulnerabilities—in their systems.

4:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you for that.

In my limited time, I want to ask Mr. Waterhouse about an electromagnetic pulse attack in Canada and the impact it would have on financial institutions. Can you talk about that for us and explain the vulnerabilities we have there?

4:25 p.m.

Former Information Systems Security Officer, Department of National Defence, As an Individual

Steve Waterhouse

Certainly, Mr. Motz. It's a known fact that throughout the world, we have nation-states that are actively developing such a weapon.

An EMP—an electromagnetic pulse weapon—will completely fry any electronic components, if not the electrical grid. We would go back to, let's say, how we lived in our society 100 years ago. We have had a few examples in the past. We had the Carrington event in the 1800s. We had Hydro-Québec, which was subjected to a natural EMP from the sun in 1989 that rendered the provincial power grid offline for more than eight hours.

We see ongoing developments, especially in the United States. They're forthcoming in saying that they want to have these kinds of weapons because they're not conventional kinetic weapons that can kill people. They would just neutralize the electrical environment. That said, if there's no electricity around, people will go crazy. I was witness to some of that furor with the ice storm in 1998, when for 22 or more days, nobody had access to power and to their money and so on.

Therefore, it is a direct threat to our way of life that few organizations have mitigations against, or preparation to that effect.

4:25 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Waterhouse. Thank you, Mr. Motz.

Ms. Sahota.

February 4th, 2019 / 4:25 p.m.

Ruby Sahota Brampton North, Lib.

Thank you.

My questions could really go to anybody.

First and foremost, I'm really fascinated by this whole bug bounty scenario. I know it's been brought up before that you're encouraging it in your testimony that organizations use this, and perhaps governments as well. I think it's been known that the Canadian government does not use bug bounties, but we do have Canadian companies that do. Shopify is one that I have read about, and there are various companies that have been using them.

I was just wondering if you could explain to me a little bit more about the trust factor, and how a company is encouraging a bounty to be put out, which means more and more hackers, whether they are good or doing the right thing, to expose their vulnerabilities to protect themselves and the information of people. How can you be sure of that? How can you verify that? When you hire an employee, you do background checks and you trust that employee because of the rapport you've built with them. These are unknown people who would be going into your systems and perhaps learning information they may have. Even HackerOne, how do you ensure that those who are hacking on your behalf are giving you all of the information they've learned, and not using it for any other cause?

4:25 p.m.

Founder, HackerOne

Jobert Abma

I can take it. Thank you for that question.

We believe there's strength in numbers, meaning there are more people on this planet who want to do good. Obviously, there are always going to be people who will have bad intentions, but HackerOne does not enable these criminals to do their work through HackerOne. If they have bad intentions, they can do that work already. The thing we're opening up here is for people who actually have good intentions to use HackerOne in order to do research for some of the reasons that my colleague Debbie mentioned earlier.

4:25 p.m.

Brampton North, Lib.

Ruby Sahota

I understand that. Of course, people could go ahead and pursue and get that information themselves, but through this scenario, you're essentially encouraging them to, right? You're encouraging them to go into the database of a given organization. How do you ensure the people who are working for HackerOne are credible, reliable people?

4:30 p.m.

Founder, HackerOne

Jobert Abma

Everybody who signs up for HackerOne has to provide information. As an example, we have to collect tax information to be able to pay them. Some of our customers require background checks of these people. Similar to the U.S. DOD, we conduct these background checks all around the world to ensure the identity of people before they are even given access to certain systems. At the end of the day, most of the systems that are part of the organizations are publicly facing, which means that everybody on the Internet can already attack them.

To go back to the point that I made earlier, if there's one person who wants to do bad, there are multiple orders of magnitude more people who want to do good. If we give them the same incentives as criminals have to find those vulnerabilities, we believe that even if somebody outside of HackerOne finds that vulnerability and doesn't disclose it, there are enough people to find the exact same vulnerability and report it to the vendor directly.

4:30 p.m.

Brampton North, Lib.

Ruby Sahota

You had talked a little bit about encouraging a law to be created that allows for people to legally be able to do this. I guess that's because you feel there are some who are discouraged by the old laws that are in place. Could you explain that a little bit more to me? What would that law look like and how would it be upheld?