Evidence of meeting #148 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Christopher Porter  Chief Intelligence Strategist, FireEye, Inc.
Jonathan Reiber  Head, Cybersecurity Strategy, Illumio
Jim Eglinski  Yellowhead, CPC
Ruby Sahota  Brampton North, Lib.

4:45 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Chair—

4:45 p.m.

Liberal

The Chair Liberal John McKay

Excuse me.

I see that the lights are flashing. That means we have about a half an hour.

I'll go to Mr. Dubé. I'd like to ask a few questions.

My suggestion, colleagues, is to run to 5:10 p.m. Both of our witnesses have come from a long way to talk to us, and there may be follow-up questions.

Is that acceptable to colleagues?

4:45 p.m.

Some hon. members

Agreed.

4:45 p.m.

Liberal

The Chair Liberal John McKay

Mr. Dubé.

4:45 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you.

Just really quick, since I have my generous three minutes....

You mentioned securing data centres as a way to deal with—I always hate saying the Internet of things; I feel like I'm in a Mary Poppins movie when I do—the Internet of things. Securing data centres, does that also deal with data manipulation? You've talked a lot about that as well, and I think especially in the context of a study on the financial system, that could be an issue as well.

4:50 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

Yes. It very much deals with data manipulation in that, in order for you to alter.... Let's say you're trying to redirect a ship, as the Russians did in the Baltic Sea, reportedly. They spoofed GPS and redirected some ships in the Baltic Sea. That's just been reported. Or take the case of electoral rolls where you're altering who's on the roll and who isn't. In order to do that, you need to make your way onto a server, because applications don't just exist in the ether. I mean that in the least patronizing way possible as I say that.

Applications and servers are really, in many ways, one and the same. Anytime you log into a cloud-based application and enter your data, it's touching a server somewhere in the world. If you've secured a data centre from the inside, you're preventing an intruder from being able to move laterally and implant whatever malware for whatever purpose they choose, whether it's manipulation, theft or destruction.

4:50 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

You'll have to forgive my layperson knowledge on this. This study makes us all feel like Luddites. I just want to make sure I'm understanding correctly.

If someone's not updating their firmware, or whatever, the data centre being secure is enough, even in the event that you have the worst security imaginable on your device. I just find it hard to square that circle. I don't know if I'm understanding it correctly.

4:50 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

I find that hard as well, because I think part of the issue is that many of the most advanced groups use legitimate credentials. If you're the president of the bank, they trick you into getting your credentials, and there is no strictly malicious behaviour; they're just abusing your credentials.

For the finance sector, the question is, if that were to be discovered one day, how far back could you roll that—a day, a week, a month? Could you fix the accounts if they were off? I think manipulation is not so much a criminal issue as it is a potential vulnerability for the finance sector that could pose a systemic risk. To me, it's the number one systemic risk that data would be manipulated at a major bank, and then you wait a month, you wait a year, and you announce to the public that you had this person's credentials, and you changed two or three accounts. It doesn't really matter. Everybody who thinks their bank charged too high of a fee at one time or another is going to be challenging everything that's ever happened on their account.

I think it's a real risk, and most organizations, either by virtue of their size—they're so big and they have so much data, or they're so small they can't invest in doing it—don't know what normal behaviour is on their network. It's very hard to roll back after the fact, if you don't have adequate backups, and it's a real risk for the finance sector in particular.

4:50 p.m.

Liberal

The Chair Liberal John McKay

Mr. Dubé.

4:50 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

Chair, if I could just—

4:50 p.m.

Liberal

The Chair Liberal John McKay

Go ahead.

4:50 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

You're being very indulgent.

4:50 p.m.

Liberal

The Chair Liberal John McKay

I'm being very...yes.

Go ahead.

4:50 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

Thank you, Mr. Chair. I'll try to be as brief as possible.

I'm not trying to argue that if you secure your data centre in the interior that you're set and you can go home and sleep. That's not what I'm saying. There has to be a security stack of investments.

In the case of an advanced adversary, who knows that if they penetrate the secretary of defense, or the president or the CEO of an organization, that person has to have very clear...for any individual there has to be some security capability that secures the user at the perimeter—multifactor authentication, firewalls, all of that.

The argument I was making is that if they break past multifactor authentication or encryption, and they make their way in, if they find a low-value server, then if you have invested to secure the interior of your data centre, you're going to be able to limit damage quite significantly compared to if you haven't. If you haven't done it, forget it. They're going to be able to own any application in your enterprise. If you have done it, you might lose x and y data, you might lose x and y servers, but you'd be able to manage that cost, unless it's the president or the secretary of defense, or whoever it is who's been hacked. If it's a lower-level person, the damage will be less.

4:50 p.m.

Liberal

The Chair Liberal John McKay

That was a generous three minutes.

Mr. Reiber, as I listened to your presentation, you were essentially saying that there are various layers of protection and that you then have this microsegmentation program so that instead of 3,000 access points, you only have three access points.

In the context of the oncoming 5G network, does that model of security protection still prevail?

4:50 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

I haven't thought through how 5G would impact our capability overall, nor do I know enough about 5G to really want to advise you on it.

If I were to make an assumption and set my own fictional narrative, I would say that 5G is going to speed up our ability to transmit data. That should not impact the propositions that I'm making. I would say that they still stand, meaning that if it's simply the speed through which data is being moved, then if you've set rules and policy for how your applications and servers interact.... These are a little bit different. They are two different beasts, and they shouldn't negatively impact one another.

If I were to think about a capability that would disrupt the future of computing overall, leaving aside microsegmentation, I think quantum computing would be the main thing I would be looking into for something that would totally alter the nature of cybersecurity. Even then, I don't think the security stacks would be totally disrupted.

4:55 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Mr. Porter, you're obviously familiar with article 5 in NATO's treaty. These cyber-attacks can happen in microseconds. You may be at war and not even know that you're at war.

Do you think that the architecture as described in NATO, which is a treaty that's somewhere in the order of 50 years old, is adequate for responses on cyber-attacks? It's already happened. The example would be Estonia. Do you think that treaty needs to be seriously revamped?

4:55 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

Mr. Chair, I think the mechanisms in the treaty allow for appropriate joint policy responses by the NATO members. I think a bigger issue is who is going to call for such a response and under what circumstances. I think, at least in the States, you're always waiting for a cyber Pearl Harbor, a major destructive event. It's much more akin to cyber trench warfare, only the people in the trenches are private citizens and companies, not soldiers or government actors.

What do you do with that? I think that's the problem the alliance has right now. It's not the legal mechanisms for invoking joint defence. That's being worked through and I think in a true emergency case would be invoked correctly anyway. Again, I think the bigger issue is that you could die a death by a thousand cuts, and no one would ever think it was worth raising as an article 5 issue.

A second much more tactical kind of issue to consider is that the U.S. and Canada both have significant cybersecurity intelligence capabilities in the private sector and in the government, but not all of the NATO allies do. If there were a major cyber-incident and you wanted to invoke article 5, how would we convince the other NATO members that anything had happened or that we had correctly attributed the event?

We might be highly confident in the U.S. and Canada in our joint analytic work on that issue. Many countries don't have enough people on the other side of the table to receive it, interpret it and take a political action.

Do they have the kind of experts that we do? I think that's an issue. How do you share that capability to understand and interpret the attribution of major cyber-attacks? Those are the two issues to me.

4:55 p.m.

Liberal

The Chair Liberal John McKay

Okay.

Finally, the U.S. Congress has basically reacted to the Huawei issue by absorbing the idea that a cyber-attack by China would be so fast and so devastating that it would be, if you will, over before it began.

Is that your view as well?

4:55 p.m.

Chief Intelligence Strategist, FireEye, Inc.

Christopher Porter

Mr. Chair, I think that if you were constrained to only conduct such a conflict by cyber means, that might be a reasonable interpretation. However, while there are significant risks, responses to cyber-attacks obviously don't have to be limited to that domain. I would defer to my colleague on how that would play out in the real world. I don't necessarily share that defeatist view, no, because of the other more conventional options that the United States would have in order to respond.

4:55 p.m.

Liberal

The Chair Liberal John McKay

Mr. Reiber, do you want to add anything to that?

4:55 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

Sure.

I also don't endorse the view that China would simply win a cyberwar, instantly. I think that, certainly, multiple countries have developed the capability to conduct destructive attacks on critical infrastructure, globally.

Of Russia, China, Iran and North Korea, the one that I'm by far the most worried about is Russia. The reason is that they've implanted malware across elements of the U.S. electric grid, and it wasn't clear why.

I don't think, if any one of these adversaries initiated a conflict in cyberspace, that it would terminate in a manner favourable to their terms so quickly, because we've invested in the cyber mission force. That's a large capability of 6,200 elite trained hackers and operators who are watching those countries quite closely.

If you go through an escalation ladder and consider China and Russia in particular, China even more so, they're deeply intertwined with our economy. They know that any element of escalation in cyberspace that goes beyond a certain level is going to begin to have significant economic consequences for them, if it leads to any kind of military confrontation.

I recently wrote a piece about why I think China is the greatest long-term threat in cyberspace. Really, it's because of their advanced weapons development in other domains, like railguns. It's for that reason that the U.S. invested in the third offset strategy that Shawn Brimley led. If we look over the 20-year span of what could happen between these two countries, we'd see an element of keeping parity in terms of technological development.

To my colleague's point, this is an outcome that you want to obviously avoid. It's not something that's in either country's long-term interest. It's in both of our interests, from the United States' and China's standpoint—also for Canada, I imagine—to maintain productive, peaceful relations that over time will lead to the economic flourishing of everybody in the Pacific and beyond. That ultimately comes down to issues of diplomacy and speaking to them about what escalation means and what it doesn't.

In our back pocket, however, we do have to preserve these technological options for the potential for conflict, unfortunately.

5 p.m.

Liberal

The Chair Liberal John McKay

Okay, thank you.

Mr. Spengemann, did you want to ask a question?

5 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Yes, Mr. Chair. Thank you very much. I'll be brief.

I just wanted to get you on the record. This is the public safety committee. Going back to business to business and potentially even large business to small business cybercrime, could you talk a bit about the basic law enforcement model?

First of all, start with the lack of reporting. I think you've addressed that in part through your point that we need to look at bridge management requirements as a way to encourage companies to, first of all, report cybercrime incidents. Second is the collection of evidence. Third is prosecutions. Are there prosecutions under way that stay within the North American context? I think it's terribly difficult if we have foreign actors or foreign-based companies.

What about the basic law enforcement model and its application to cybercrime in 2019? Have you any thoughts on that?

5 p.m.

Head, Cybersecurity Strategy, Illumio

Jonathan Reiber

I'll be very brief on this.

The FBI plays a very important role in prosecuting cybercrimes within the United States and, from the national security division, for actors from the outside that conduct attacks against the U.S. As far as I know, it's the only agency within the national security community that has the authority to conduct cyberspace operations to shut down a server inside the U.S.

We do have a tradition of gathering evidence within the Department of Justice. The FBI and the Department of Justice work very closely together. I wish I could refer you to a case to give you a good example right now, but I can certainly find more to send to you. But this is—