Public Safety Committee on Feb. 20th, 2019

Thank you very much.

I have just developed a paper that looks at some of the key cybersecurity challenges. I have extended my thinking beyond the technical to those that I think are important for both of our governments.

I've explained to you that I think there is a need for a clear understanding of cyber threat. The diagram I have provided explains to you through a little flower picture that there are different vectors of attack, so cybersecurity and cyber threat is not the traditional understanding of technology, of computer network security, but it also covers issues such as law and policy and administration. Therefore, when we are looking holistically at cybersecurity, we must get all those elements aligned.

One of the issues I focused on in Australia for many years is seeing cybersecurity as part of national security. Very often, those of us who are considered experts have come from technical backgrounds where we have been applauded and awarded funds for particular niche pieces of technical research, but there has been a reluctance for academics to see their work as part of national security. Somewhere within the policy mechanism of government, of prime ministers' departments and those departments that deal with the more secret issues around cybersecurity, there has to be an alignment of the agendas of the computer scientist and that of the national security agencies.

The other issue I've raised with you, which obviously I've been working on in Australia for a couple of years, is that as there is more of a focus and more of a need to deal with cybersecurity as part of national security, it's really important for us as countries and as allies to define what a cybersecurity practitioner is. We need to be able to answer the question: Who is an expert in this field?

We, in Australia, have done some work on that over the last couple of years actually to develop a national standard, professional standards in cybersecurity, so that we can answer the question: Who is a cybersecurity professional and who is a cybersecurity technician? This makes workplace issues, HR issues and government employment issues much easier, because our discipline has grown in some ways as an art rather than a science.

I've indicated the type of work we've done in developing national professional standards.

The last point I was making was essentially, in all of our countries, we're going to have a limited amount of money for research, for training, for alignment of cybersecurity with national security. We each have cohorts of researchers who are able to do really good research in areas such as artificial intelligence, machine learning for cybersecurity and IoT security, but very often I find as an academic that the research and teaching agenda is not aligned with the national security agenda.

I can do wonderful publishable work, but in a constrained environment. It's sometimes very unclear from government what they might do with the outcomes of my research. It's very important from a policy point of view to align research funding policies and education policies with the national security policies, the national security environment, so that we actually fund work that is important to the country.

I'll stop there.

Thank you.

I'm a professor at Tel Aviv University. I'm also a member of the Blavatnik Interdisciplinary Cyber Research Center. In this aspect, I fully agree with Professor Slay that cybersecurity is not only about technology, but it is also an interdisciplinary problem.

There are other aspects, such as the legal and social aspects, etc., and at the centre, we do this. We do interdisciplinary research. I'm also the CTO of a company called BGProtect, which is related to what I'm going to talk about.

I've studied Internet routing for over two decades. About 15 years ago, I started an academic project called DIMES, in which, using volunteers, we followed Internet routing around the world. At the peak of the project, we had 1,500 software agents running on volunteer machines in more than 40 nations around the world, so we got a very good picture of how Internet world routing behaves.

About four years ago, we took all this expertise and started BGProtect, which is a company that wants to help government and international institutions strengthen their security by monitoring the routing towards their networks in terms of what they had a fear of. Internet routing is a distributed protocol called BGP, and it is used to tell everybody where to find the servers or the clients on the Internet. However, when it was designed several decades ago, the Internet was very small and based on a lot of trust. Nobody was thinking about security.

About 10 years ago, a new type of attack came into the world: the IP hijack attack. Basically what you do in this attack is take the traffic between two end points and force it to go through your own network. By doing this, you form what is called a man-in-the-middle attack. These attacks are really.... These are large-scale attacks and are able to do a lot of things. Of course, if you get all the traffic passing through you, you can do espionage, or you can do what we call downgrade attacks and be able to insert Trojans into networks. You can penetrate networks. There are many types of attacks. This is why it is so dangerous. We have seen these attacks increasing in number throughout the years, especially in recent years.

We are here to look at these attacks. As a university professor, I'm doing research on this and have published a paper about this. Also, I do it as a company.

Now, when we look at these attempts, we see that these are not simple ones. They cannot be done by script kiddies. We're talking about government agencies and large criminal organizations doing these attacks, and we have to understand that this is not a dichotomy. There are governments using non-governmental bodies, and sometimes even criminal bodies, to do jobs that they want to distance themselves from. Think about the financial sector. It is especially targeted both by governments and of course by criminal organizations.

What can be done? One thing, of course, is to monitor your traffic to make sure that your flows of information won't go where they shouldn't go. This is obvious. This is something that we do at the company.

Another thing you need to do—and this is what we do also in Israel—is to set up CERTs. CERTs are what the Americans call fusion centres. They are organizations where, for governance in financial sectors, banks can share, in various levels of anonymity, data about attacks they are witnessing. This data can be distributed again—there are several levels of distribution—to other financial organizations, so that when there is an attack, such as a new virus, a new hijack attack or any other attack, data can be quickly shared with all the participants of the CERT in order to let them prepare for an attack that is going to come. This is very important. We do it in Israel. We have a national CERT and now we've also set up sectorial CERTs.

Finally, I cannot ignore the debate in Canada, in the U.K. and in the rest of the western world about equipment manufacturers. We know from the Snowden report that many American companies were collaborating with the U.S. government to get information from flows that they had.

There's no reason to believe that this is limited only to the U.S., and I would dare to say that in non-democratic countries it's probably happening even more often.

Now, when you have equipment, this equipment can be designed with vectors, with mechanisms, to sometimes divert traffic against what seems to be happening according to the routing protocol, so you have to monitor this type of equipment especially. We're talking about all sorts of telecommunications equipment, but especially routers. To do this, it's not enough to just look at the routing protocol, because here the diversion is done not through the routing protocol, but through the hardware itself. You need to do active monitoring.

This is something that we are doing. We've seen an increase in such attacks in the last two years. It's important not to limit ourselves to BGP but to also look at the actual data plane and where the packets are actually going, especially if you don't trust your equipment manufacturer.

There is a problem with regulation in the U.S. and I think also in Canada. If I, as an Israeli, were to try to buy a telephone company in Canada, I'm sure that I would not be able to do it, but if I would like to buy a telecommunications supplier, an ISP, I can do it. For some reason, data communication was ignored, because traditionally it was used by hippies. Now, it's really a critical infrastructure, and regulations need to be changed in terms of who can own this type of infrastructure in your own nation.

In general, many Internet companies, many ISPs, are spread out worldwide. You have Russian companies here and you have Canadian...well, maybe not Canadian, but you have American companies in Russia. You have Telia, which is a Swedish company, all over the world. It's okay.

There's one country—China—that doesn't allow foreign players to establish communications in its own land, so I don't understand why Canada and the U.S. allow the Chinese to have a communication infrastructure presence in the U.S. and Canada that actually helps them to do these kinds of attacks.

I think Israel is almost like China in this respect. I don't think that a non-Israeli entity is going to have telecommunication infrastructure within the country.

I don't follow the law that closely—

—but the real thing here is about symmetry. This is why we single out China, not because they are the bad guys and not because they're doing it more than other countries are, but because there's a lack of symmetry here. If they don't allow democratic countries to have equipment or POPs in their country, why should they be allowed to have their POPs in our nation?

Do you want me to answer?

Can I just go back to the previous question? Australia has just brought in legislation to control foreign ownership of all critical infrastructure and to regulate on even, for instance, universities and their foreign partnerships. It has become a huge issue, and it would be worth you having a look at the current situation in Australia, given that we're both part of the Five Eyes.

We are not quite the same as Israel, but we've actually tried to fix the problems we believe we've caused ourselves by not being aware of the danger of foreign ownership.

If you have a look at that with small to medium enterprises—

Yes, I think it does. We had a government cybersecurity initiative in 2016, and there was already a big focus on the big end of town. With new Labor Party policy and a general election coming up, there is more of an emphasis on the cybersecurity needs of small businesses. With the skill shortage in the market, the expensive salaries of cybersecurity practitioners, and the fact that, I think, Australia is about 60% to 70% small to medium-sized enterprises, those small to medium-sized enterprises suffer because they usually get general IT or ICT as a service. In many cases there's a lack of understanding of even the need for cybersecurity as a service.

But if you look at it the other way round, from a financial point of view, there has been a huge investment in Australia with government Department of Industry cyber growth centres, cyber growth sorts of nodes in a network, which in part has been to boost the national cybersecurity posture by producing incentives to get the small players in the market. You will have a lot of very small players, say in Canberra, where people who have retired from government service and who have cybersecurity skills are setting up small businesses and developing niche products, niche hardware and niche software. There's a lot of government incentive to actually produce more of that.

It has actually been very successful, but there has been a large amount of federal government funding to make that happen.