Evidence of meeting #149 for Public Safety and National Security in the 42nd Parliament, 1st Session.

Also speaking

Jill Slay  Professor, La Trobe Optus Chair of Cyber Security, La Trobe University, Melbourne, As an Individual
Yuval Shavitt  Professor, Tel Aviv University, As an Individual
Jim Eglinski  Yellowhead, CPC
Ruby Sahota  Brampton North, Lib.

3:55 p.m.

Prof. Jill Slay

So I'm going to try—

3:55 p.m.

Sven Spengemann Liberal Mississauga—Lakeshore, ON

I'm going to cut you off because there's less than a minute left and I do want to hear from Professor Shavitt.

Is it fair to say, then, that there's a public common good being created in Australia, which is helpful in opening market access?

3:55 p.m.

Prof. Jill Slay

Yes.

3:55 p.m.

The Chair Liberal John McKay

Unfortunately, Mr. Spengemann, you have run out of time.

3:55 p.m.

Sven Spengemann Liberal Mississauga—Lakeshore, ON

I thought I had a bit more.

Thank you, Mr. Chair.

3:55 p.m.

The Chair Liberal John McKay

It was seven minutes.

Mr. Motz, go ahead for seven minutes, please.

Again, I apologize to colleagues for being a bit ruthless here because we are going to be under some time pressures because of voting.

3:55 p.m.

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Chair.

Professors, thank you both for being here.

My colleague Ms. Damoff talked about the rerouting of Internet traffic. The angle I want to ask about is whether in both of your countries you have seen cyber-defence actions that could deter actors like China from actually rerouting the Internet.

3:55 p.m.

Prof. Yuval Shavitt

It's hard to deter, because attribution is a big problem in the cybersecurity world. You can do attacks with little or no risk of being detected. Even if it is detected, you can always claim that there has been some configuration error or mishap, etc. It's very hard to show that there's really malicious motivation behind what is happening. You can see a hijack attack, which can also be a configuration error. To distinguish this, you really need to put somebody in a room and force him to tell you what the truth is.

In Israel we have a national defence program through which we monitor the routes towards critical infrastructure in Israel.

3:55 p.m.

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

What about in Australia, Dr. Slay?

3:55 p.m.

Prof. Jill Slay

I can't comment on that. I only know what's in the public domain.

3:55 p.m.

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

When we talk about rerouting—and we've talked about China rerouting and, Dr. Shavitt, you certainly have mentioned that other countries also reroute traffic—can either one of you speak to the kind of information that has been taken by these countries? What are they after?

We had testimony here before from an academic who considered the attempt to gain access. They steal government information, industrial intellectual property, and potentially secrets from government. This is a study mostly about the financial sector, so when you're seeing this rerouting, from your research, what sort of information are they rerouting, or what are they after?

3:55 p.m.

Prof. Yuval Shavitt

I'm an engineer, so when I catch a hijack, that's enough for me. I don't know what they're going to take. They take everything, basically, and they decide what they keep and what they don't.

We have to understand that it's not only about information. Rerouting is also done for inserting Trojans, for trying to penetrate a network. It's not only about information. When we talk about information, we see, for example, lots of financial institution attacks. Many universities are attacked. Obviously, people are looking for data in government installations and government agencies.

3:55 p.m.

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Professor Slay.

3:55 p.m.

Prof. Jill Slay

In Australia, I don't always know the nature of the attack, but some of the major ones I can think of include the Bureau of Meteorology, where we announced that it was the Chinese who sat in there for at least six months, and the Australian National University, along with probably many other universities. ANU, for instance, has strong links to defence. We know there was a major breach there. We suspect that most of our public universities are vulnerable. I can think of a start-up dealing with telecoms and satellites in Adelaide where the IP was stolen almost after the start-up. They hid in the system for months and months stealing IP.

For many of us who have clearances and who work with government, when we're at work we almost need to live in an environment in which we presume we have already been breached. We go to great lengths to hide our IP—I do, as do others like me—if we are in that public university environment.

4 p.m.

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

That leads me to another thought.

Both Israel and Australia are considered to be some of the world leaders when it comes to cybersecurity and being on the front end of dealing with that, and also when it comes to some of the financial security issues we've been talking about. Why is that? What are you doing differently in your countries that we as a committee can recommend that this country do to shore up when it comes to cybersecurity breaches and to improve financial security issues with respect to the Canadian public?

4 p.m.

Prof. Yuval Shavitt

I think one of the reasons we are good at this is really the size. Israel is small enough to be better managed. There's also very close collaboration between academia, government and industry. People actually move around among the three disciplines. You can have an academic who will take a government role. You can have somebody from industry who will go to the government and then back to industry. The ecosystem is tighter. It's dynamic.

We also have quite strong awareness among the general public. There's better awareness than in the rest of the world. To be secure, we have a program that starts teaching kids as young as primary school about cybersecurity. They're told not to put their name or address on Facebook and things like this. We build it up at all levels. We have a cyber-authority that is managing all this and diverting all this. It seems to work.

4 p.m.

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Professor Slay.

4 p.m.

Prof. Jill Slay

I think in Australia we emulate the Israelis. The Israelis are our model for good practice, and perhaps the Singaporeans are as well. I think we have good relationships with Canadians. There are lots of things I think you do very well too. But I think part of the Australian culture is this tendency towards mateship. Professors, people in government, people in the army, people in those areas in the banks—we all know each other, so whereas we might have formal sharing mechanisms, we will also have greatly informal sharing mechanisms.

Take someone like me. I've trained thousands in PICTL and trained thousands of people. Most of those people go on to get mid-career senior jobs in Australia. That builds a huge, comfortable network of sharing of research ideas and commercialization. I think it's part of the Australian psyche, actually, more than anything else, but there's no reason why it can't be the Canadian psyche too.

4 p.m.

The Chair Liberal John McKay

Thank you, Mr. Motz.

Being married to an Australian, I've always been curious about the Australian psyche.

4 p.m.

Voices

Oh, oh!

4 p.m.

The Chair Liberal John McKay

Mr. Dubé, you have seven minutes, please.

February 20th, 2019 / 4 p.m.

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Chair, and thanks to both of you for being here.

Professor Shavitt, I want to start with you.

In looking at where Internet traffic goes, there are a few pieces that I wanted to look at.

The first is regarding which jurisdiction applies to the protection of data that's being routed lawfully to a different area, whether that's because of how a company operates or a free trade agreement. One example that comes to mind that I know of, being from the Montreal area, is that with the abundance of hydroelectricity we have in Quebec, a number of these companies—Amazon, Google, etc.—are storing servers there because the cost of energy is low.

Not to get too far away from my questions, but I was reading something interesting the other day, which is that streaming music, depending on the jurisdiction, has a larger impact on greenhouse gas emissions than people might realize. There are a lot of interesting things happening with regard to where servers are located.

My question for you is in that vein. Is there any concern that data, through the legal mechanisms that exist, might be going through areas that people aren't necessarily aware of and causing risks for privacy and other things? One example that comes to mind as well is that we all use credit cards. Many of these companies aren't Canadian, so the information is being stored elsewhere. Is that a concern you have? How does that play into some of the research you've done?

4:05 p.m.

Prof. Yuval Shavitt

Yes, this is the primary concern of this research. We see routing that is diverted, either maliciously or accidentally, to locations where you don't want it to go.

By the way, it also hurts performance, so you don't get the network to be as fast as it could be. I can tell you, for example, that we've seen routes from Tokyo to Seoul rerouted non-maliciously through the U.S. and then, after a week, through London. This makes the connection time 10 times slower, and this is a non-malicious diversion.

You see things like this happening all the time. The real problem is how do you distinguish between bad engineering, configuration errors and attacks.

4:05 p.m.

Matthew Dubé NDP Beloeil—Chambly, QC

Here's my question for you. As an engineer, you might not be able to answer it, and I say that with all due respect, of course. I'm just wondering about this. Is there a concern that for me as a Canadian, say, if my data ends up on a U.S. server, and even if the United States is an ally, a democracy, ultimately I don't benefit from the same constitutional and legal protections for my privacy and how that data is treated? Is there a concern about that as well?

You've said that ultimately we obviously look towards non-democracies as more malicious actors, but at the end of the day, everyone is engaged in the same activity, and the individual might be the one paying the price. Is that a concern or is that perhaps beyond what you've done in terms of your research?

4:05 p.m.

Prof. Yuval Shavitt

Concern is really subjective. Each one is concerned about other things, and when you build such a system, you need to build it in a way such that you can tune it to the concern of individuals.