Evidence of meeting #148 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament's site, as are the minutes.)

A video is available from Parliament.

MPs speaking: Jim Eglinski (Yellowhead, CPC); Ruby Sahota (Brampton North, Lib.)

Also speaking: Christopher Porter (Chief Intelligence Strategist, FireEye, Inc.); Jonathan Reiber (Head, Cybersecurity Strategy, Illumio)

3:55 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

Yes. Thank you for the question.

The targeting of small businesses is an issue that's near and dear to my heart on the policy side. First off, although it's not directly my expertise, I think the move to the cloud has made it possible to get high-quality security providers in much more scalable ways, where you pay per bandwidth or per seat or per licence as opposed to a large capital fixed cost. Even as opposed to a few years ago, those solutions are much more affordable. However, to stop a world-class actor you need more than just the technology. You need some sort of organizational infrastructure where you're training and keeping employees, and threat hunting. That is beyond what small businesses can do for themselves.

At FireEye we offer managed defence, where we'll manage your network for you. Even with that, that's a 95% solution. To me, the policy failure that this House could address.... At least in the States the policy failure has been that you tend to pick a few industries to defend, and to defend the biggest companies that are there, because those are the ones that are most obviously a threat to national security if they're compromised.

3:55 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Right.

3:55 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

What we're not as good at in the west is death by a thousand cuts, so actors that destroy 1,000 small businesses won't get the President's or the Prime Minister's attention, but one big compromise will. I think that's a policy failure that should be addressed. In Canada, I would recommend that you, even though it's very difficult, at least say it's a priority for you to defend everyone, not just the biggest businesses and not just these siloed industries. It may be a very large Herculean task, but it would be nice to see that at least as a stated priority to start working towards.

4 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

That's very helpful. Thank you.

Thanks, Mr. Chair.

4 p.m.

Liberal

The Chair Liberal John McKay

Mr. Paul-Hus, you may go ahead for seven minutes.

4 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you, Mr. Chair.

Thank you for being here today, gentlemen.

I had the opportunity to meet Mr. Reiber in Silicon Valley, back in October. That's when I got the idea to have the committee meet with a representative from FireEye as well.

My first question is about where Canada stands globally in the cybersecurity arena as compared with the United States.

Clearly, the U.S. is a superpower and therefore a target of choice. With China and Russia, you are somewhat of a natural choice. In Canada, we are still seen as the good kid, the nice guy, if you will. From a military standpoint, the U.S. has a huge army, in comparison with Canada's rather small one. However, we've always said that we would work together to defend ourselves should a problem arise.

On the cybersecurity front, given the current American defence infrastructure, private organizations and even public ones such as the CIA and the Department of Homeland Security, do you think that, in the event of an attack, co-operation between our two countries would be possible and you would be able to help us?

4 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

For some reason the translation didn't come through, so I'm relying on my high-school French, which is not terrible. I'll try to answer.

Your question is, it seems to me, within the evolution among CIA and DHS and the military, how much do they collaborate for common defence, and could they help Canada? Is that part of the question?

4 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

If Canada is a victim of cyber-attacks, is there a possibility that the U.S. could help Canada quickly?

4 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

Sure. That's what I thought. Yes.

4 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Are Canadian laws obstacles? Do you know?

4 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

Under article 5 of NATO, for everyone who is a member of NATO, there is a resolution that says a cyber-attack, if it triggers a certain point, would require a common defence.

One interesting thing about cyber-attacks so far is that they haven't crossed a threshold that has immediately made a clear statement for a warranted military response in a way that would necessarily be required. I would say the Russian attack on the 2016 presidential election, looked at historically, certainly qualifies as an instance when a counter-offence action by the military would have been warranted. I think that others in the Obama administration have said the same thing. The difficulty in that particular instance is that the decision calculus is complicated, and I won't go into that because that's not really the nature of the question.

4 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thanks. I just have seven minutes.

Talking about the relation between the public sector and private sector—you worked at the CIA, the Pentagon and now you're in the private sector. Here in Canada we try to find how we can work with the private sector because, as we know, it's more difficult to have a public servant working in that kind of business.

4 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Do you think Canada must switch to have the same way of work that you have in the U.S.?

4 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

I think this is an evolution we've gone through. Really since 2014, there's been a significant push to build connective tissue between the private sector and the government. Certainly, I think it's immensely valuable. We had a ramp in terms of defence innovation fellows—the U.S. Digital Service and the Defense Digital Service, those two components—that brought people in from the outside. It was tremendously helpful.

I recommend to every country that's dealing with cybersecurity issues to find a way to build connective tissue to allow tech entrepreneurs to work in the government, and likewise to have people from the national government to work in technology, for certain.

4:05 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

It's interesting in cyber work because 95% of the attacks that are happening are on private sector networks against private sector victims. Often, in the United States and elsewhere, the first to know about it might be the private sector. Governments can have more powerful responses and their investigations can go more in depth. The private sector doesn't replace government work, public sector work. It's complementary.

It's important to know, for example, that at FireEye some of our core teams that are discovering crimeware are based out of Canada. Even though we're proudly a U.S.-founded company, we're an international company in terms of our workforce. That's rapid information sharing across borders, which also is sometimes difficult for governments to do.

To answer your question, yes, I do think that Canada and the U.S., as the closest of allies, would come to each other's aid in principle under appropriate circumstances. I would defer to my colleague on what those are, but at a working level, absolutely, Canadian and U.S. researchers work together every day and exchange information on threats. I think you'll find that not just in times of crisis, but every day.

4:05 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

Yes. I think there's obviously a deep level of co-operation between the intelligence services and the security services for incident response. I know there's a trilateral commission among the U.S., Mexico and Canada where that co-operation happens. It obviously happens between the two allies themselves.

4:05 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Okay. Thanks.

I wanted to hear your view about the Chinese company Huawei. There's a debate here in Canada about that company—some people say there's no issue, while others say there is. The U.S., Australia and New Zealand have decided to ban Huawei. What is your view?

4:05 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

For FireEye as a company, it's not an issue that we follow. We're looking at software threats, not the sort of hardware threats that are alleged.

I absolutely understand in principle why, particularly for government networks, you would want all your telecommunications equipment made by your own country or by a close ally. I think in principle it makes sense, but I don't know anything non-public, other than what I read in the newspapers, on the Huawei issue.

4:05 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

I wouldn't comment specifically on Huawei. I would say that we've been dealing with issues of supply chain risk since...gosh, I wouldn't want to say how far back in history. Certainly since the dawn of the cryptanalytic platform in signals intelligence, supply chain problems have been paramount.

There's a diminishing marginal rate of production if you decide you're going to try to pursue every single chip in the universe to make yourself secure. For certain elements of, say, a national security community or the public safety community, I think it's perfectly reasonable to say, “We are going to now manufacture a certain number of chips on our own”. But the cost is quite significant, and it alters how people do things economically. I don't think you could possibly do so in any kind of global way across sectors for an entire economy. You could probably do it for a number of subsectors.

4:05 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Paul-Hus.

Mr. Dubé, you have seven minutes, s'il vous plaît.

4:05 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Chair.

Gentlemen, thank you for being here. I apologize for my tardiness and missing your presentations. It's a problem when you're alone here; you can't separate yourself in two. I was stuck with some media upstairs.

I do want to ask about the role of the private sector. It's something that has come up quite a bit, and I think it's one of the underlying tensions in this field of navigating what role the public and private sectors have to play.

I'm just wondering if you see any concerns over the fact that a lot of these things are being offered as services. There's always this notion of wanting to protect what you do best and the clients that you have versus another company operating in the same field. Is there any concern that the sort of regular rules of business and industry might undermine any kind of uniformity or ability to have standard practices and ensure that everyone's on a level playing field when it comes to our own interests here or in the U.S., for example?

4:05 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

I think you'll find that, at least within the information security community, a large majority of the biggest companies work together on standards and exchange information, even with peer competitors, for example, collecting threat intelligence. We often co-operate behind the scenes in the public good by exchanging information.

Standards setting is generally great for existing enterprises. I don't share your concern. I understand where it would be that way in theory or principle, but I haven't seen that when I've worked in the private sector. I have people I consider good friends and colleagues in many different companies. You compete for individual contracts, but overall, that doesn't hold back standards setting.

For example, I would point to the tech accord community that Microsoft leads. A lot of that public policy work looks at what sort of standards we as a community can have and how we can work together for the public good. That's still competing for individual contracts, and still keeping competitive business secrets to ourselves—you're right—but how can we work together, as well, to make sure those services do get delivered?

The example I always give is that, at least in the old west, banks were relatively undefended from physical threat. As governments have played a larger role, and as physical security markets have matured and there have been more standards and regulation, those physical security companies make more money than ever. That sort of regulation didn't hurt their ability to either provide services or be successful as businesses.

4:10 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

I concur with my colleague's statement that the standards community has done a good job of rising up in this way. I think the NIST cybersecurity standard that was passed after the initial effort to pass cybersecurity legislation in 2011 and 2012 was a very positive outcome from an earlier effort to try to come up with a mandate or a set of standards. I would refer you to the NIST standard.

I would also say that to prevent a focus on one technology, or one part of the problem against another, the information sharing and analysis organizations that have cropped up within the different centres have facilitated sector-specific development of cybersecurity requirements. The financial service sector in the United States is, in this way, the most mature of the bunch. The FS-ISAC, Financial Services Information Sharing and Analysis Center, is a good resource for understanding how the sector meets its own interests when it comes to cybersecurity.

4:10 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you for that.

I'm just wondering if, as we look to the future, and put it more in lay terms.... I think we talk a lot about the cost of using services. What you offer other companies, if you're a company, to protect your own data, if you're collecting customer information and whatnot.... I think those are some of the high-profile cases.

I'm just wondering how you see, going forward, when some of the risks might not be from business X stockpiling data for a rewards program, let's say, but more in what they're selling. In other words, if you're selling any kind of household device, with the proliferation of smart devices and things like that.... Is there a concern that there might be a lot of investment, a lot of money spent to protect your own interests, but not necessarily the interests of the end user, who is purchasing equipment or devices from a given company—for more required updates, and things like that?