Public Safety Committee on Feb. 6th, 2019

Yes, absolutely.

When it comes to cybersecurity, it does help to look at the data centre and the cloud environment first. There's a tendency to think about the end result, like IP theft or data destruction or data manipulation, any one of which could make for a sci-fi movie and keep all of us up at night.

If, however, you start with the data centre itself and say, “How am I securing how servers interact from the interior? How am I preventing intruders from moving laterally throughout an environment?”, you're actually covering all those bases. Yes, that's what my company does, but the reason I joined Illumio was that, having worked in the Pentagon and having looked at the range of disruptions that could happen, whether to a weapon's platform or to the financial sector or to the economy, I would say you really want to start in the worst-case place. If an intruder breaks into a data centre and can move around unencumbered, everything is on the table. So yes to standards. Actually the French government has been very forward-leaning in that regard for security data centres, and other countries have as well. If you start there, then everything else, even an intrusion into an IoT in someone's home, will ultimately connect back to a server, and so that could be prevented.

I share your concern, and I agree with you. Oftentimes I feel that even companies in the financial sector that have fairly sophisticated security organizations internal to themselves don't see the threats coming. They know that threats in general are coming, but to your point, the particular reasons they suffer a breach or are targeted for attack often have nothing to do with that institution. Perhaps the foreign threat is doing it to get back at the Canadian government for some action they took. Just as commonly these days it's for economic competitiveness reasons. Those Canadian financial institutions may not be harming anyone else, but there may be another bank in another country or another investor that wants to out-compete those Canadian institutions. If they can't do it fairly in the open market, maybe they can get help from a cyber-threat group, for example.

Unfortunately, Canada's financial institutions are targeted not necessarily because they're doing anything, other than for cybercrime, obviously—that's where the money is—but when it's a nation-state doing it, it's often for economic competitiveness. They want to either learn from or out-compete those institutions when making foreign investments. It could be for political retribution, even for something that happens in a different country.

The flip side of being in a strong alliance is that if a hacker finds a vulnerability in a Canadian financial institution, they could use that to propagate a political message against another member of NATO, for example. It could have nothing to do with that institution at all. That's why it's so important to have the close ties between Canada's security services, which are going to have better insight into those motivations, and the private sector.

I think it helps to start by thinking like an adversary, right? Whether you're a government or an organization that is thinking about threats overall, you need to go through: What is an adversary? How are they going to try to hold me at risk? What are they going to try to do to me? What am I willing to lose? Once you have a sense of what your core interests are, what you're willing to lose and what you need to protect, then you can start building a strategy for investment. That doesn't quite get you there to answer your question, however.

In the United States, we passed an executive order about cybersecurity that called out something called the section 9 list. The Department of Homeland Security conducted an assessment of all the companies and organizations in the country that were most cyber-vulnerable, and the impact of which, if disrupted, would cause the most significant damage. That analysis led to a list, which is classified. It's not a very large number of companies; you could probably guess a number of them right off the bat. That also helped the government focus on its collaboration with those key companies. That way, you can say that we're going to ensure the cyber-defences of these companies are going to be hardened.

That does not mean that those are the only companies the country would focus on. The military, for example, has to look at the adversaries, Russia, Iran and North Korea in particular, and ask: What are they investing in? What are they going to go after? What are they going to try to do? You have to try to blunt and block them if they do something quite significant.

That also doesn't quite get us there, and this is where regulation has to come in. If you've hardened the most valuable companies in a country, if the military is watching the most valuable adversaries, it's the Internet. It's massive. Someone is going to try to hack somewhere else and they're always going to look for the weakest underbelly—wherever they can go.

A great example here is Iran in 2012. The United States was prepared for Iran to do all sorts of things during the nuclear negotiations. What Iran did, which we were able to prognosticate that they would do, was to go after the infrastructure in the Persian Gulf of Saudi Aramco. They hacked Saudi Aramco, as has been publicly reported. That's where regulation absolutely has to come in and say that there have to be breach management requirements; there have to be penalties if companies don't meet these breach management requirements, and companies have to be able to meet certain resiliency investments to defend against breach.

The good news in cybersecurity is that we can control our own terrain. What that means is.... If you think like an adversary and you think about what the adversary is going to try to do.... They have their terrain where they're launching attacks from the offence. It's not the duty of the private sector to be concerned with that; it's the duty of governments. As an organization, whether you're a government organization or otherwise, you can reorder and configure your terrain to harden yourself quite significantly against an attack. This means you set up your perimeter defence. You have your firewalls. You're encrypting your email. You have multi-factor authentication for your users and you invest in this microsegmentation capability. That way, if someone breaks past your defences, they're going to be stopped in their tracks inside your data centre or your cloud.

If you've done all that and you've invested in cyber-insurance, you're going to have taken some very strong steps. You would assume, then, talking to a bank or a major institution, that they would have done this. The number of times when I give an address to a cybersecurity community and I say to raise their hands and tell me how many of them use multi-factor authentication, it's less than 20% almost every time. When I ask how many of them encrypt their emails, the numbers are also very low. This does get to the sort of nudging and regulatory demand.

I think, though, that if we take these steps, we can put ourselves at a significant advantage against those who would try to intrude against us. You can block 95% of the intrusions that would happen, or you can prevent the damage from 95% of the intrusions that would happen. There does ultimately have to be a partnership with the government in order to impose sanctions, or punitive measures, in the cases where you may not be able to do so as an organization.

Yes, absolutely. Thank you for the question, Mr. Chair.

The good news and bad news is that because cyber-policy is still so nascent, and your allies are still grasping at something that will actually work, Canada has a de facto opportunity to be a leader in this field by finding a solution that works. I think that's absolutely achievable.

I'll start by reorienting the question just a little bit. Within the NATO alliance there's a general attitude that governments will learn secret things and they will take some action to defend mostly their own networks, and then maybe companies and individuals as well. Maybe occasionally they will declassify that and share that with companies. That process is typically very slow and very long term. In the private sector, if we don't turn around actionable threat intelligence in 48 hours, we really have let our clients down. I think governments typically operate on timelines of several months. In some cases this is for good reason. I'm not going to pretend like there aren't good reasons for doing that. There often are.

I would encourage you to think that everything I just said about cyber-intelligence sharing was once true of counterterrorism, for example, until...threats to aviation and with 9/11. There was a much greater emphasis on pushing that information out to local governments, to individual actors and to companies in the U.S., and much greater information sharing and declassification.

I think we need the same thing in cyber-threat intelligence, where the allies are willing to tolerate more risk and push that defensive information out to the private sector more rapidly. It's unrealistic to think that a small business, for example—large enterprises, maybe—would be able to keep up with changes in major threats in a competent way. Between the large private sector cybersecurity companies and better information sharing from the government to those key partners, I think that would go a long way. You would have to tolerate some risk, of course.

The current situation where governments tend to view themselves as the central repository for information and will collect everything and then tell you what to do about it is just not how things work in cyberspace. Governments are still the largest actors, but they're not the only ones.

Sir, I wish I were an expert on that question, but I'm going to have to pass.

Having read your new 2018 cyber-strategy, I think it does provide a good platform on which to build for the nation overall, but I'm not so familiar with Canadian law.

No.

No, not at all.

It really depends on what you're trying to achieve. I would defer to my team for specific pricing models.

It's really done on a case-by-case basis. I would recommend organizations to start.... One thing we discovered in our businesses is that most organizations may have some sense of what their crown jewel applications are, what their most valuable applications are within their universe. For example, as I mentioned once before, if you're the Office of Personnel Management, a database that stores all the data for all the personnel would be a key application.

Once you've identified your most important applications, you want to map out your data centre, all your applications, and workloads, which are not quite applications, but they provide the connective tissue within your data centre for your applications and servers. You want to map them out. Most organizations haven't done that. If you think about maps as a key element of geostrategy, in order to control your terrain you have to have this map of your interior. That then shows you how all the applications interact.

If Chris is in the marketing department and I'm the guy who handles the key servers for whatever my organization is, a payment system or otherwise, and he gets hacked through an email, there's no reason why his server should ever be interacting with mine. He's not concerned. He's not an engineer. I'm the engineer. In that way, you draw a map of how your applications work and then you set rules for how they interact with one another.

The degree to which an organization wants to set rules for specific crown jewel applications across their enterprise affects the pricing model to some degree. That's why I'm not going to offer you a specific cost. If you want to map your enterprise and begin to set rules internally, that's when you really harden your interior. One of the benefits of setting rules is it provides alarms. If somebody breaks into one server and you know that server shouldn't be interacting.... Again, if he's hacked in the marketing department and I'm an engineer, we know these servers shouldn't be interacting. If you see an intruder doing it, it will set off an alarm so then the security operations team can know somebody's inside.