Evidence of meeting #148 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A video is available from Parliament.

Christopher Porter  Chief Intelligence Strategist, FireEye, Inc.
Jonathan Reiber  Head, Cybersecurity Strategy, Illumio
Jim Eglinski  Yellowhead, CPC
Ruby Sahota  Brampton North, Lib.

4:25 p.m.

The Chair Liberal John McKay

Okay. Beware of your fridge, though.

Ms. Dabrusin, you have five minutes.

4:25 p.m.

Julie Dabrusin Liberal Toronto—Danforth, ON

I think you mentioned something about who's outside, and that's where you left off. That's where I wanted to start.

In our last meeting we heard from HackerOne. It was really interesting to hear their perspective on how you can improve systems by having people who have that type of knowledge poke at your system to figure out where your vulnerabilities are. They said that legislation is necessary to help provide protections to those (I think they used the term “white hats”). I'm not crazy about that, but whatever the term you want to use for your “good person” hacker....

What's your perspective on having legislation that protects these types of hackers and trying to encourage that?

4:30 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

The interesting thing about cyberspace, unlike any other domain, is that the brains are really the weapon, to a large degree. It's the person and what they know and what they're capable of doing. The intention matters a lot.

I think red teaming and penetration testing—my preferred term is “penetration testing”—are absolutely vital for the development of your security strategy. If you've implemented the best capabilities in the world, if you have the new new security stack, if you've spent and been very smart about it, you always want to have someone who's trying to break into your network, constantly testing it, looking for vulnerabilities, and thinking like an adversary trying to find their way in.

I won't weigh in on specific recommendations for legislation. It's very complicated, and there is international legislation under way through the Wassenaar agreements and the Wassenaar accords, which you—

4:30 p.m.

Julie Dabrusin Liberal Toronto—Danforth, ON

What's—

4:30 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

—Wassenaar? My spelling of German and Dutch words is not great, but I can find that out for you.

4:30 p.m.

Julie Dabrusin Liberal Toronto—Danforth, ON

Thank you.

4:30 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

The proliferation of malware and penetration testing capabilities globally is a concern, because you never know what somebody's going to try to do once they have that kind of knowledge, or if they have malware that allows them to break in.

The State of Pennsylvania has a law regulating who gets to use malware and for what purpose. I'd certainly think that over time we're going to see an increase in regulation around penetration testing and even ownership of malware for that reason. It's very complicated to verify why and how somebody has malware on their computer. It could be because it was infected, or it could be because they're going to get up to something. Proving it is really a question of the intention of the person who has it. It's complicated.

4:30 p.m.

Julie Dabrusin Liberal Toronto—Danforth, ON

Mr. Porter, do you have any thoughts as to things to watch for or things that would be gained by doing this?

4:30 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

I want to emphasize my colleague's point that it's helpful to tolerate some risk, particularly at the university level and younger, in terms of allowing people to explore computer security—professional researchers as well—without criminalizing their activity, if there's no malicious intent and if there's not deliberate harm. I think there are a number of regulations under way and laws being passed, in the States and elsewhere, in a good faith attempt to improve cybersecurity but which have the effect of stifling original research.

I obviously can't comment competently on Canadian law, but I urge you to avoid the impulse to criminalize what is essentially math and logic put into electronic form. Don't criminalize that thought process, because the same sort of creative people who are exploring those possibilities are the ones who you hope to employ one day to defend your country as well. There's nothing you can do that would hurt a relationship with the security community more quickly than to criminalize their work, or put a presumption of guilt into what may just be good-natured intellectual curiosity.

4:30 p.m.

Julie Dabrusin Liberal Toronto—Danforth, ON

That leads me to the other question. I believe it might have been you, Mr. Reiber, who pointed out that the third part of the problem was not enough human infrastructure, for lack of a better term. We heard about this a lot, about how we build the human capacity to deal with cybersecurity.

Do you have any tips from what you've seen of countries doing well, or less well, to build that capacity?

4:30 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

The first resource that I would point you towards is a map that was just produced by NIST. I guess it's the National Institute for Cybersecurity Education in the U.S. that actually maps out population density and the number of users. It's a good resource to look at how we're meeting the workforce challenge.

I would say master's level education and university level education to appropriate technical specifications like Security+ or CISSP.... These are certifications to get people trained to do certain kinds of core cybersecurity functions. The degree to which community colleges or whatever the appropriate name is in Canada—you'll forgive me—the associate degree.... The sorts of institutions that can train people in cybersecurity tasks are incredibly helpful, and the degree to which the federal government can offer some kind of incentive for universities to initiate those kinds of training programs we found to be very helpful.

It also helps if you have state universities that are clustered around industries that need to transition. For us, the manufacturing sector and large parts of the U.S. economy have gone through a massive transition. There are states like Michigan, for example, where Michigan State University should be investing in cybersecurity training for a lot of the auto industry. The auto industry itself is transitioning into cybersecurity. Finding these corollaries around clusters where you can then make investments in university training is very helpful.

The last thing I would say is about the evolution of the cyber mission force, which is our military force. It was initiated in 2012, and it achieved full operational capacity in 2018. These are the individuals who are sort of high end. There are 6,200, and the investment in this force is a major deterrent effort on behalf of the government. These hackers exist within the military—and they are hackers. It did take them five years to get fully trained, though, to get the whole group fully trained, because you had to move people through schoolhouses, and that takes time and effort.

There is a little bit of patience, and that's what ultimately leads me to say: Focus on securing your most important applications first.

4:35 p.m.

Julie Dabrusin Liberal Toronto—Danforth, ON

Thank you.

4:35 p.m.

The Chair Liberal John McKay

Thank you.

4:35 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

I'd like a few comments, if I may, Mr. Chair.

4:35 p.m.

The Chair Liberal John McKay

Ms. Dabrusin has been very generously allocated time by her chair.

Maybe you can work your response in at some point.

Mr. Eglinski.

4:35 p.m.

Jim Eglinski Yellowhead, CPC

Thank you, Mr. Chair. I hope you'll give me that leeway too.

4:35 p.m.

The Chair Liberal John McKay

You're not nearly as charming as Ms. Dabrusin.

4:35 p.m.

Yellowhead, CPC

Jim Eglinski

Oh, come on, look at my face.

Thank you, gentlemen, for coming today. It's been very interesting listening to you, and it's actually been a little scary listening to you.

I noticed during your presentation, Mr. Reiber, that you talked about four billion people coming online over the last 35 years. I think you mentioned somewhere—or I've heard it—that over the next five years, we're going to see another 25% coming on, especially with China and India progressing the way they are.

4:35 p.m.

Yellowhead, CPC

Jim Eglinski

Of course, cyber-threats are going to increase with that number of people coming online. I know here in Canada, we're not going to see that kind of growth, of course, but it would be proportional, I imagine. The fact that we know China is one of our primary adversaries in cyberspace is very concerning to me, and I think it's concerning to everybody here on this committee.

What are the top four things you would recommend that we could do as a country to protect us in the best way in the future?

4:35 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

I wrote down two. I'll try to come up with three and four. It's a great question.

The first thing is to protect critical infrastructure and identify the companies and organizations that matter most for the overall health of the economy and the nation's safety. If a country has not embarked on the process of identifying those corporations and entities within the economy, then it's almost like by analogy, from where we come from within Illumio, that you haven't identified your crown jewel applications.

We're looking internally within the organization to say: What applications matter most? That's the second thing. The first is to identify the most important organizations within the country. Then those organizations themselves need to invest in the whole stack of security for the perimeter and their interior, and they need to identify their core missions and figure out how their most important data relates to their core missions. That's an analytic process that involves the security team, the infrastructure team, multiple components across the organization.

That's four things. The first is critical infrastructure, identifying within the country. The second is identifying your core assets within the organization itself. The third is thinking about your mission and being prepared to operate without access to data. That's very important. If you think to yourself, if you lost your data today, what would you not be able to do and what do you absolutely have to be able to do?

The fourth thing is what I talked about from a deterrent standpoint. Countries have to think about how to deter nation-states from coming after them. If you assume you're going to be breached, the best thing to do is to prevent someone from trying to breach you in the first place. If they do breach you, you need to be ready and you need to be secure beyond breach. But to do deterrence is really very impressive. Ultimately, as the Internet expands, it's not just the next billion users in the next five years in China and India alone—because we will add a billion just between those two countries—it's all the connected devices that are going to be spun out from all those users as well. So we're not just going to see an expansion of humans, but an expansion of all the technologies that every human is touching.

4:40 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

I have a few brief suggestions, if I may.

4:40 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

I have a somewhat different outlook in this from my colleague.

In no particular order, the things that could be tried that would improve Canada's cybersecurity include putting a greater emphasis on diplomacy. The solution to every conflict in cyberspace doesn't have to be the threat of military retaliation or sanctions or indictments. I have not seen any evidence that any of them have worked so far. If we're going to say those kinds of activities successfully deter, we're doing those same activities year after year, but then cyber-threats continue year after year, so where's the relationship? I'm much more of an optimist on diplomacy than I think many others are. If you call a hundred experts, I might be the only one, so it's not fifty-fifty for sure.

The second thing—and back to your question—make sure when you're recruiting people for government service that you're not just looking at the same candidates, that you're open to a diverse candidate pool, both personally and in their professional backgrounds. Cyber is a part of everyday life, so it's not just going to be technical people you need to recruit. It's going to be people with all kinds of backgrounds: economists and political scientists and so forth.

Finally, just to emphasize something I said earlier, I think it's a mistake for countries to rely too much on a list of who we are and are not going to defend. To me that's a counter-insurgency problem.

4:40 p.m.

Yellowhead, CPC

Jim Eglinski

Can I just cut you off for just a really quick question?