Evidence of meeting #148 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Christopher Porter  Chief Intelligence Strategist, FireEye, Inc.
Jonathan Reiber  Head, Cybersecurity Strategy, Illumio
Jim Eglinski  Yellowhead, CPC
Ruby Sahota  Brampton North, Lib.

5 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

The capacity is there. The staffing is there.

5 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

Yes, definitely.

Since the Computer Fraud and Abuse Act.... I want to say it was in the 1980s but I'm probably wrong about that. Don't ever do math in public, or cite dates that you don't know about.

Since the Computer Fraud and Abuse Act, when people inside the U.S. were doing hacking against targets....

A good example is the Dyn case, if you're familiar with the attack. It was so significant that it slowed down Netflix and Twitter, these vital organizations. Everyone was wringing their hands. The Director of National Intelligence went on the record saying this was such a bad threat. It was three people in the United States, who I think are now doing community service, helping the government deal with cyber-attacks.

This was led by an enterprising FBI agent out of Anchorage, Alaska. The way the FBI works, different offices around the country have the ability to do these investigations. They did all of their forensics and figured out who it was.

5 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Mr. Porter, have you any quick thoughts?

5 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

Yes, certainly the RCMP has significant technical capabilities to investigate those crimes on its own. FireEye supports a variety of investigations in Canada at a technical level.

I can't speak to Canada, per se, but in the States it's very important that victimized companies feel comfortable sharing information, that they're either indemnified or that it won't be held against them. That's vital, if you want that threat information, particularly if you think that, whatever case it is, it's not just a criminal issue but could be a national security issue. You want to be clear in law that it's okay to share breached information without that being held against the company, individually.

5 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Spengemann.

We have about 15 minutes before the vote.

Mr. Paul-Hus, you have the final question.

5 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you, Mr. Chair.

We're here to do a study especially about the banking sector. When we had our meeting in California, you talked about the French and how they have strong aggressive measures against cyber-threats. Could you explain that a bit?

Then the last question is about your banks in the U.S. Are the U.S. banks well protected or do they need more protection? How can Canada do better?

5:05 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

I think a number of nations have passed stringent regulations to help protect critical infrastructure. The French example for ANSSI, and the directives that have been developed, I think are a very good example. My sense is that they have greater amounts of control over their critical infrastructure from a mandate standpoint than the United States.

Our example, as I mentioned earlier, stems from the section 9 list. We went through and asked what the most important critical infrastructure in the U.S. is from a protection standpoint.

We do not yet have a national data and privacy protection law in the United States. For breach management, we have our states, and each state has a different role. California and Colorado have passed this more aggressive version. GDPR is very aggressive from that standpoint. It mandates a very short period of time to prove that you have a breach under control and levies a penalty if you haven't.

I think the French example, GDPR, and the California and Colorado state regulations are the most progressive and have fairly strong teeth. That doesn't mean they've won friends. A lot of sectors feel now that they have to have a compliance officer to handle all of these requirements, and it can be a lot of work. I think the nature of cyberspace says, “Look. That's too bad; you're just going to have to do it.”

The interesting thing about the financial sector is that it has been under attack probably since it moved over to the Internet. There are a number of major breaches that have caught the attention of the national security community as well as the banking sector, and it has led the banking sector to invest quite a lot in cybersecurity capabilities. It's for that reason that they're so far ahead.

I may have already commented on this, but they're much further advanced than a lot of the other sectors in the U.S. You could opine that part of the reason is that they're able to attract the best talent to their workforce. They're able to pay good salaries to attract people who want to work hard.

My general belief, and this is putting on my historian's hat and looking at all of these sectors, the cyber mission force and the evolution of cybersecurity strategy.... When I first started working on this in 2010—I mentioned the time of Shawn Brimley—you couldn't attract people to work in the cyber-policy office in the Pentagon. It was a bunch of nerds; everybody thought they were just computer geeks.

Now it's a problem that affects all of us. My view is that we now attract such talented people across sectors that we're going to be able to solve this problem. I really think we're going to be able to solve it and people will be able to implement good technologies. The banking sector will have led the way, and someday somebody will write a history of the banking sector where people on the inside talk about what it was actually like.

5:05 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you.

5:05 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Paul-Hus.

Mr. Picard has a critical question.

5:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Yes. It is technically a yes or no answer.

Do you gentlemen have an Alexa gadget at home, or Google Home?

5:05 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

If I had my druthers, I wouldn't have a television.

5:05 p.m.

Voices

Oh, oh!

5:05 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

Yes, seconded.

If I may, I would like to answer his question as well.

The U.S. finance sector is well defended, but it's not just about making an investment of money and technology; it's also about how empowered the people are. If the security operations centre at a major financial institution in Canada, for example, discovers a problem, are they empowered to go down and stop trading? It could be millions of dollars to stop trading in order to remediate a problem. Two companies in the same sector across the street from each other spending the same amount of money on security can have very different outcomes depending on how empowered the people are to affect particularly trading operations.

I would add, as an aside, that bigger than the finance sector but still a systemic threat to Canada's economy, most publicly traded companies that I talk to wish they could invest more in cybersecurity. They don't feel they can justify it, because in the short term it hurts their bottom line. It's viewed as a cost centre. That's an area where regulation helps, because absent that regulation or industry standards, there's a first mover disadvantage: investing in cybersecurity hurts your perceived return.

Those are two things to consider that disincentivize proper cybersecurity.

5:05 p.m.

Liberal

The Chair Liberal John McKay

With that, I'm going to adjourn the meeting.

On behalf of the committee, I thank both of you, Mr. Porter from Washington and Mr. Reiber from California, for your efforts to get here. It has been very informative.

Similar to Mr. Dubé, I do feel a bit like a Luddite listening to some of this, but hopefully over time we'll become a little better than that.

Again, thank you.

5:10 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

Thank you, Mr. Chair.

5:10 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

Thank you, Mr. Chair.

5:10 p.m.

Liberal

The Chair Liberal John McKay

The meeting is adjourned.