Public Safety Committee on Feb. 6th, 2019

Yes, from Washington.

One cold capital to another.

Thank you, Mr. Chair. I appreciate the opportunity to share FireEye's perspective with you on threats to the Canadian financial services sector and to provide an overview of how we as a company and the private sector in general work in partnership with the government to help defend that sector.

As the Chair said, my name is Christopher Porter. I'm the chief intelligence strategist for cybersecurity company FireEye. We have more than 4,000 customers in 67 countries. My testimony today will reflect the lessons we learned from responding to incidents around the world, but also intelligence we gather on threats that are specific to Canada.

In addition to working at FireEye, I am also a non-resident senior fellow at the Atlantic Council and until 2016 I served for nearly nine years at the U.S. Central Intelligence Agency, which included an assignment as the cyber-threat intelligence briefer to the White House National Security Council staff, several years in counterterrorism operations and brief war zone service.

In addition to the 300-plus security professionals responding to computer intrusions worldwide, FireEye also has over 200 cyber-threat analysts on staff in 18 different countries. They speak over 30 languages. They help us predict and better understand the adversary, often by considering the political and cultural environment of the threat actor. We were born as a technology company, but we have these capabilities, as well. We have an enormous catalogue of threat intelligence and it continues to grow every day alongside the continually increasing attacks on organizations around the world.

We also have deep ties to Canada. FireEye appliances defend Government of Canada email inboxes every day, and we work closely with Canada's public safety institutions to keep Canadians safe by defending their networks and also by supporting investigations.

For today's discussions I will focus not only on the cyber-threats that Canada's banks, investment firms and government financial regulators face today but also the threats that they are likely to face in the near future. We live in a time of rapid change in how cyber operations are deployed, especially by nation-states. What were once spying tools used to carefully, quietly and illicitly acquire information are increasingly in the hands of military officers poised to go on the offensive and do serious damage and disruption.

This is especially true in Canada, which is often one of the first nations targeted for new types of cyber operations. Canada is a country with a high per capita GDP which makes it an attractive target for financially motivated criminal activity. It is a world leader in high-tech development, including in some niche areas of military applicable dual-use technology, so it's going to be a perennial target for foreign intelligence services. As a member of NATO with a large diplomatic and investment presence worldwide, Canada is a natural target for politically motivated retaliation from a number of actors worldwide.

Companies and individuals in Canada are also targeted by a spectrum of threat activity that ranges from deliberate, sophisticated criminal intrusions to commodity malware that spreads worldwide and only incidentally affects Canadians.

For example, in February 2017, multiple major Canadian financial institutions were exposed to risk of state-sponsored cyber-theft from North Korea. At that time, the Polish financial supervision authority took its systems offline after discovering malicious code had been placed on its web server and it was being used to redirect select targets to malicious downloads that gained control of their computer. Notably, those attackers used a white list of IP addresses to designate which individuals would receive the designated payload and multiple Canadian financial institutions appeared prominently on the targeted list. Even though the threat was in Poland, it still came home here in Canada.

Commodity campaigns, such as ransomware, crypto jacking and especially credential theft malware constitute a significant threat to Canadians. Card-related fraud is a serious concern. FireEye routinely uncovers major underground fora that sell thousands of stolen credit cards at a time, sometimes from major financial institutions, but just as often targeting customer accounts at smaller banks and credit unions.

Canada is also often one of the first targets for new malware campaigns. A Canadian bank was one of the first five financial institutions worldwide to be targeted by TrickBot malware and since then we've observed additional financial institutions added to TrickBot's configuration files that have a presence in or are based in Canada. Notably, Canadian URLs appeared in all TrickBot campaign IDs and several of those organizations were either credit unions or smaller banks. In August 2017 we also observed a PandaBot configuration file that revealed targeting specifically of 15 major Canadian financial institutions.

At least a half dozen organized crime groups also conduct financial crime operations targeting companies and people in Canada, and their sophistication is on par with what previously we would have said was reserved only for nation-states. One group in particular, which FireEye calls Fin10, has been focused specifically on Canada since 2013, carrying out numerous intrusions against gambling and mining organizations, exfiltrating business data and extorting victims.

With ongoing intrusion operations, active underground threat activity, substantial targeting by commodity malware campaigns and homegrown threat actors, Canada will likely continue to face a complex and challenging criminal threat landscape in the short- to medium-term future.

The cyber espionage threat to Canada is moderate, but could be on the rise. We have observed 10 separate cyber espionage groups from China, Russia and Iran targeting Canada in recent years. Organizations in the government, defence, high-tech, non-profit, transportation, energy, telecommunications, education, and media sectors, among others, have all been impacted, much like they have been in many western countries.

Many Chinese cyber-threat groups have renewed their attention to the theft of military applicable technologies since mid-2017 and are likely to intensify those efforts as trade-related conflicts with Canada and its allies emerge. This greatly increases the risk to Canadian commercial firms in all industries, but especially those that develop cutting-edge technologies or that directly compete with Chinese companies internationally.

Aside from intellectual property theft, Chinese-origin operations continue to heavily target competitive business intelligence from Canadian companies, especially those making foreign direct investments globally.

Looking forward, I am gravely concerned about the militarization of cyber operations. As NATO members continue to share capability in training, the major cyber powers outside the alliance are likely to do the same. This proliferation of cutting-edge offensive cyber power, combined with an increasing willingness to use it, with minimal blowback and spiralling distrust, has set the stage for more disruptive and destabilizing cyber events possibly in the near future.

In the past, some countries would have responded to western sanctions with increases in denial of service attacks on finance sector websites, but in the future, they may just as well respond with destructive attacks that are aimed at permanently disabling financial services or altering data in ways that undermine trust in the global financial system. For example, they could delay or impair the trustworthy settlement of collateralized government debt.

For countries sufficiently sanctioned, and therefore increasingly outside the financial system anyway, there is little incentive not to do so during a confrontation. Efforts to undermine foreign governments may increasingly be met with disruptive cyber campaigns, such as those that target elections infrastructure and individual candidates, where Canada is especially vulnerable.

I urge the Government of Canada to work with its allies in the United States and Europe to find peaceful, diplomatic arrangements with potential rivals and adversaries in cyberspace. Attribution, while difficult, has not proven to be the barrier that many predicted to enforcing such diplomatic arrangements, and many of Canada's likely antagonists share similar concerns about cyber-threats to their own financial sector, government stability and a desire to protect their people.

Diplomatic agreements that focus on ensuring the sovereignty of signatories and that avoid destabilizing operations while protecting human dignity can be reached. They can be enforced, and they would be mutually beneficial. But they may require the west to curtail some of its own cyber activities. While not sufficient on their own to protect Canadians, diplomatic agreements restricting certain classes of cyber operations will prove necessary alongside private sector technology and services to protect Canadian citizens and businesses in the long term.

Thank you, Mr. Chair, for the opportunity to participate in today's discussions. I look forward to answering any questions you may have.

Mr. Chairman and Vice-Chairman, thank you for the invitation to testify before your committee today. It is an honour to represent my company, Illumio, and to offer my thinking about the future of cybersecurity and national security policy planning.

I'm the head of cybersecurity strategy at Illumio, which provides microsegmentation capabilities for cyber-resilience, and the former head of cyber-strategy in the Pentagon, where I was speech writer to the deputy secretary of defense during the Obama administration.

If I may first beg your indulgence, I'd like to open my statement by honouring the memory of a great Canadian national security leader with whom I worked in the Obama administration and who died last year. We worked on cybersecurity together. I'd like to inform you about him briefly and register his name into the Canadian record.

Shawn Brimley's life has been celebrated across his adoptive home in the United States, including through a letter from former president Barack Obama and moving eulogies in our national press, but for his family and for our two countries, I'd like to enter this statement into the permanent record of the House of Commons.

Shawn Brimley was born in Mississauga, Ontario, served in the Canadian army and was educated at Queen's University. He later settled in Washington, D.C. with his wife, Marjorie Clark Brimley, and achieved more in his 40 years than most do in a lifetime of service. He went from serving in the Pentagon to the White House to running one of Washington's premier think tanks, the Center for a New American Security. He wrote the 2010 Quadrennial Defense Review, helped shape the U.S. pivot to Asia, ran crisis response and strategic planning initiatives out of the White House and was a leading thinker behind the third offset strategy for long-term U.S. defence innovation.

A loving husband and father, a great friend and a mentor, Shawn Brimley made all of us safer and more secure. For that, this House and this country, as well as mine, can be proud.

As he testified before the U.S. Congress in 2015, it is an honour to testify in front of this House today, especially on an issue that he and I started working on nine years ago.

In the years since I first entered the Pentagon, the cyber-threats have become a top-tier challenge to international security. Three trends make it so: the vulnerability of the networks and data of cyberspace; the overarching digital transformation of society; and, a lack of sufficient investment by organizations in the people, processes and technologies required to deter, defend against and recover from cyber-attacks. Governments and organizations have taken steps to improve their cybersecurity posture by building teams, developing options and adopting technologies, but progress has been too slow to keep pace with the threat.

Nation-states and non-state attackers steal, destroy and manipulate data in and through cyberspace. Adversaries flourish in what could be called the “grey space” below the level of outright conflict, and they appear undeterred in pursuing their goals in that way. To name just a few, consider China's continuing campaign to steal U.S. intellectual property, including the data of the joint strike fighter; North Korea's 2015 theft of $81 million from the Bangladesh central bank and the U.S. Federal Reserve; China's theft of 21.5 million personnel records from the U.S. Office of Personnel Management; and, Russia's disruptive attacks on the Ukrainian electric grid in 2015 and 2016.

Nation-states present the greatest threat because they have the resources to put hackers on salary. These people can go to the gym; they can work diligently over time to try to penetrate a target. In recent years, they have shifted their focus from theft and destruction to the data manipulation of political and media targets.

The Russian attack on the 2016 U.S. presidential election is the most notable example. As you're familiar with, on the express direction of Russian President Vladimir Putin, Russian military intelligence hacked into the networks of U.S. political organizations and political leaders and exploited vulnerabilities in social media business practices to spread propaganda and foment mistrust in the American population.

The Russian operation hit at three parts of the American “centre of gravity” during a period of acute political transition: the American people, the political leadership and the key technology companies. Other countries have since taken similar steps, including China's reported penetration of Cambodia's electoral system in 2018, which affords it the opportunity to manipulate the outcome of those elections.

Why is this problem so severe right now? There are three points, I would say. The first is increased urbanization. The second is the proliferation of dual-use technologies. The third is the interconnected nature of the world economy. This means that smaller groups of individuals can have an impact significantly disproportionate to their size. This is the high-consequence risk nature of modernity, which is what Anthony Giddens called it.

Examples include the 9/11 attacks by al Qaeda, the actions of the subprime lenders and their impact on the mortgage market and, most recently, Russia's cyberspace operation against the U.S. election. Just like the September 11 attacks when 19 men slipped past the security establishment and turned airplanes into missiles, a small group of Russian operatives found a seam in American security to conduct a high-risk asymmetric attack.

The Internet grew from zero to just under four billion users in the 35-plus years since its founding and access increased without a commensurate understanding of risk. Whether from the vulnerabilities of code or the impact of social media on political identity formation, network status and cloud environments are vulnerable to breach, and society is vulnerable to manipulation.

As a matter of priority, countries should focus on deterring nation-state attacks. Deterrence is a function of perception, and it works by convincing a potential adversary that the costs of conducting an attack will outweigh the benefit. Effective deterrence requires the ability to impose costs on an attacker through sanctions or military means; defensive tools to repel an incoming attack, like firewalls; and, in the event that a hacker gets through the perimeter defence, resiliency capabilities to limit impact, like microsegmentation.

Two propositions arise from recent history to inform your inquiry. First, adversaries have escalated in cyberspace, despite the U.S. government's efforts at deterrence. The United States and other countries must therefore take a more aggressive stance to deter aggression. In 2018, the U.S. government embraced this position, notably through the defense department's doctrine of defending forward in cyberspace.

As my colleague pointed out, adversaries have escalated, and the United States chose to indict or sanction as punitive measures. These actions, while reasonable, did not set a precedent or effectively deter escalation. For example, even after sanctioning Russia for its actions in the 2016 election, Russia reportedly continued to implant malware on the U.S. electric grid through 2018.

What does it mean to defend forward in cyberspace? If it has indications and warning of an impending attack, the United States must be able to push back against an adversary. This means penetrating the cyberspace infrastructure to conduct counter-offence hacking to blunt an incoming attack. Nation-states have the right to defend themselves in cyberspace, just as they do in other domains. To maintain peace and stability however, any operation must be conducted under the law of armed conflict.

The need for a more forceful deterrence posture is the first takeaway from the last 10 years of cybersecurity policy development in the United States. The second is the need to assume breach and plan for adversaries to penetrate your internal defences and gain access to your most vulnerable data.

What does it mean to assume breach? Most organizations focus on the perimeter defence, and they lack an internal security system to prevent servers from communicating with one another once an attacker has broken in. Once an attacker has penetrated a network, they can spend up to an average of six months inside a data centre or cloud environment, moving around unencumbered, implanting malware for whatever purpose they choose. An organization's crown jewel applications, like its key databases, are open game in that instance.

In the Chinese attack on OPM, for example, no rules existed to govern how applications and servers would interact internally. Thus, when the Chinese made their way inside, they could easily make their way to the database that held 21.5 million records.

Microsegmentation prevents breaches from spreading. At its most basic level, it puts walls around vital applications to segment them away from the rest of the cloud environment and data centres. An intruder may be able to get three servers, but not 3,000. In this way it's a deep foundation for cyber resilience and the last line of defence. For critical infrastructure sectors like the financial sector, if you have this kind of capability installed, it provides an element of resilience not just for the sector itself, but for the nation as a whole.

It is not a question of if but when a breach will occur. Countries need to proactively defend themselves against aggressors to achieve deterrence, but they also need to assume breach and implement defence in-depth strategies to withstand cyber-attacks. Leadership enables success against all parts of the cybersecurity project.

In his seminal essay, “The Challenge of Change”, historian Arthur M. Schlesinger said, “Science and technology revolutionize our lives, but memory, tradition and myth frame our response”. That is true. Our ability to manage technological change depends ultimately on the success of the leader and his or her ability to tell a story to make change. We have a crop of strong security leaders who have come up in Canada and the United States in the last 10 years. Technology's momentum and evolution may never end, but good leaders help society adapt and manage change, from the rise of aviation to the dawn of the nuclear age. Cybersecurity is simply the latest chapter in our story.

Ultimately, leadership is underpinned by analysis, and that's what makes this committee's work so important.

Thank you for having me. I welcome your questions.

Just to be clear, it's not that Canada per se is especially vulnerable. I guess I meant more that it's an especially important vulnerability for Canada. Obviously, the use of paper ballots takes away a lot of the concerns that we have in the States. Nonetheless, I think this is a high priority for a number of aggressors that would target Canada, both internal political activists and also China, Russia and others that might seek to influence the process.

Much like the financial sector, elections are processes that are high-trust events. We benefit tremendously from living in free and democratic societies and also from being able to conduct trade and transfer money worldwide. The flip side of that is even a small problem, or even the perception of a problem—maybe not even a real breach—does outsized damage to both elections and the finance sector.

Yes.

I'm not familiar enough with that system to comment on it specifically. Those types of arrangements in general, where you have a data broker that acts as a public trust or an industry-wide trust generally have the effect of improving cybersecurity day to day, but also of making the system more brittle. One compromise becomes a massive compromise.

I don't know enough to comment on that situation specifically, though.

I'd be lying if I said I was.

Sure. There are a number of different ways to try to spur investment across the country. The regulatory environment has matured significantly in recent years for this purpose really. Cybersecurity is a bit like life insurance. You need some kind of nudge. In life insurance it's usually the birth of a child. In the case of expenditures, however, I think you need an outside nudge.

On GDPR, Colorado and California state laws, the new law that you passed...but also in New York's financial services sector in New York state, they passed a new law that really pushes down a requirement for breach management. This means that companies have to be compliant, and this will affect how companies drive behaviour within the market and how they end up spending money.

Services aren't that expensive. It's really not a question of expense. It's a question really, as I said earlier, of leadership.

I like to talk about the new security stack and the old security stack when it comes to bundling cybersecurity investments. In the past you had the old security stack, things like encryption, intrusion detection systems and firewalls. Now we have this new capability called microsegmentation which provides this deep resilience for data centres.

I would recommend for any organization that's looking to make investments in cybersecurity that they think about this new security stack to cover both the perimeter and the interior.

Service expenditures have really decreased in recent years as the market has evolved, but I would point you toward those regulations as good steps—

Oftentimes if you have your IT budget as 10% of your total expenditure, which, in the Pentagon's case is like $40 billion, then your cybersecurity investment should be about 10% of that, which is really about as much as we spend for U.S. Cyber Command.