Public Safety Committee on Feb. 6th, 2019

Both your organizations are private organizations supplying security. Are the bad guys equal? I'm saying you're the good guys. Have we got the bad guy organizations out there available to clientele?

Certainly, yes. You can hire services very similar to how you can buy anything else online. That's how those markets are designed, particularly for criminals.

Thank you for allowing me that question.

Oh, oh!

Can I just assure you that I like diplomacy, in case anyone is wondering.

Most of the large social media companies make significant investments, particularly now, in security and are doing their best, I think, to root those out. I can't speak on their behalf, but many of them do make significant investments. It's just also an enormous task for even a very large private sector company to combat sophisticated foreign military government operations. I think it's asking a lot of anybody's security team to do that on their own.

I would just re-emphasize that for Canada's purposes, a lot of the vulnerability is going to be not just in physical infrastructure. Big databases and physical things are certainly vulnerable as well, but individual candidates and campaigns and the parties themselves are also prime targets for adversaries who want to interfere in your elections.

If they were being targeted on social media or for disinformation campaigns, I don't know if they would have the same level of resources and wherewithal that the infrastructure behind voting would have to support them.

So make sure that individual candidates, campaigns, and the parties are also supported with some of the same cyber-threat intelligence that's provided for the voting mechanisms and infrastructure. I think that's very important. Certainly since 2016, we've seen that most of the threats have been social media-generated threats but they've been at individual campaigns, not necessarily at what's being defended, which is government-run infrastructure.

That's still a vulnerability not just in Canada but throughout the west.

Yes.

Social media companies have certainly invested quite significantly since 2016. One of the things you can read about in their open public communications is the degree to which they've built partnerships with the government. For Canada, I think that for any infrastructure in your country that could be manipulated, that ultimately becomes a very important step for tech companies to take.

If there isn't already an information sharing infrastructure or public-private co-operation mechanism that exists in advance of that election, I would say that we have something called the enduring security framework in the United States, which brings together key IT companies and infrastructure owners and operators with the intelligence community and the national security community to share threat information and design solutions. That's a bit of a longer-term thing, but that's one recommendation.

The second thing I would say is that, at least within our environment, within the United States for our elections systems, election registration is handled by different departments in each state. In those instances where they have not yet done so, organizations need to secure their data centres to prevent people from manipulating the electoral rolls and the registration rolls.

By analogy for Canada, figuring out who manages voter registration and where they store that data and on what server ultimately will help you to make the right investments for manipulating the actual outcome of the election.

I would say that another thing is informing the public very much about what could happen. I think the Department of Justice in the United States was very good at this. Harvard also had a non-profit program that educated secretariats of state across the country in crisis management. You can find that campaign on Harvard's website. It's the defending digital democracy project.

When did that happen?

That was over the last two years.

There are good materials there for how to train election officials to do crisis response and crisis management.

Was that a result of what happened in the 2016 American elections?

It was a direct result of what happened in the 2016 election.

A number of the individuals who run that program—and this is just one among many—have emerged from the administration. They were taking the lessons that they had learned.

I would say that the social media component is obviously quite significant, and the Canadian population needs to be educated about potential risks, and that is certainly a part of it.

With regard to the social media companies themselves, you should engage them to work with them so they can put forward messages on their own platforms in advance to inform their Canadian users about what they're doing to prevent election interference. I believe they're probably already doing that, but that would be another step you could take.

The last thing I'll say, and I know you're out of time.... I'm overly verbal.

The next step is who's going to be manipulated next? Elections were one thing, right?

The thing that I'm most concerned about is census data. Within the United States we have our census coming up, I think, in 2022 or 2025—I can't remember. Imagine if somebody could break into the research institutions and manipulate demographic data to portray the United States as accelerating one demographic shift or another. That would alter how people perceive our society overall.

Yes.

So, the next step is research institutions that have yet to invest, that do a lot of really valuable research for a country's overall identity. If I were an adversary, that's exactly where I'd be going, and I hope they're not listening.

Oh boy.

Yes.