Evidence of meeting #149 for Public Safety and National Security in the 42nd Parliament, 1st Session.

Also speaking

Jill Slay  Professor, La Trobe Optus Chair of Cyber Security, La Trobe University, Melbourne, As an Individual
Yuval Shavitt  Professor, Tel Aviv University, As an Individual
Jim Eglinski  Yellowhead, CPC
Ruby Sahota  Brampton North, Lib.

4:15 p.m.

The Chair Liberal John McKay

We're going to have to leave that existential question.

Mr. Eglinski, please, for five minutes.

4:15 p.m.

Jim Eglinski Yellowhead, CPC

I'll start with you, Mr. Shavitt.

I read your report the other day, the one that you did in 2018. You co-authored a paper entitled “China's Maxim—Leave No Access Point Unexploited”. It was very good. I actually understood quite a bit of it after I read it three times.

4:15 p.m.

Voices

Oh, oh!

4:15 p.m.

Jim Eglinski Yellowhead, CPC

It was a very comprehensive report. I believe that in the fifth or sixth paragraph you talked about a great concern, which is that all countries need to get together and address these issues.

Have you seen a response from different countries since you published that paper?

4:15 p.m.

Prof. Yuval Shavitt

I would rather not comment on this matter.

4:15 p.m.

Jim Eglinski Yellowhead, CPC

You would rather not comment? Okay. I'm going to move away from that, then.

You talked about monitoring flow, which you do in your home country. One of the most important things, of course, is to activate monitored data plates, to know what kind of equipment is there. I'm kind of curious with regard to this monitoring.

You're keeping an eye on what is being routed and where. By the time you find out that someone is undergoing unusual routing changes, has that data already been lost? Is there a way for you to stop it before it gets that far? You did talk about technology and the cost of investing in protection, so I wonder if you could give us a little on that.

4:15 p.m.

Prof. Yuval Shavitt

There are ways to actually prevent hijacks in some cases. In other cases, you just need to detect and mitigate. Let's suppose that somebody is setting up an espionage campaign against you. Would you rather have this campaign last for 25 minutes or 25 days? If you can stop it after a few minutes, or after half an hour, say, it's much better than letting them eavesdrop on you for weeks. We've seen attacks that have lasted for weeks and even longer.

Some types of attacks are very short. By the time you detect and try to mitigate, it's already lost. Many of the attacks, especially the ones that are sponsored by government agencies, can last many weeks.

4:20 p.m.

Jim Eglinski Yellowhead, CPC

Okay.

You mentioned something earlier. Our whole study is dealing with cybersecurity in the financial sector, but we kind of wander off because cybersecurity is such a big thing. You mentioned that in your country, financial institutions have been hit pretty hard.

4:20 p.m.

Prof. Yuval Shavitt

No, I didn't say this. I said that overall, from what we see globally, financial institutions have been hit pretty hard.

4:20 p.m.

Jim Eglinski Yellowhead, CPC

Okay. Have you seen that in your own country?

4:20 p.m.

Prof. Yuval Shavitt

We've seen some attacks on financial institutions in our country, yes.

4:20 p.m.

Jim Eglinski Yellowhead, CPC

Okay. Thank you.

Dr. Slay, I was looking at your Twitter account, just getting to know you a bit better. Prior to March 2018 you used to concentrate all your focus on Russia as the bad guy, and then you kind of changed your train of thought to China.

Could you relate why your interests went in a different direction and to a different country?

4:20 p.m.

Prof. Jill Slay

If I'm open with you, I lived in Hong Kong for 10 years. I speak fluent Chinese but I also have clearance. Also, I'm very, very careful about what I put on Twitter, so you're just going to see the fact that I've been selective.

I have gotten to the stage where I am very frustrated with the way that, as a professor, I'm constantly targeted by the Chinese. I have attribution. My stuff's been stolen. They've planted Ph.D. students on me. Therefore, I've decided to be more vocal about it. That's what you're seeing.

For me, the problem as I've become more well known is that I'm much more likely to be targeted. I fear that all professors in our field, whichever country they're in—and I wouldn't think that Canada is exempt—will be targeted by, particularly, China because they're really on the hunt for IP, and they have been for many years.

4:20 p.m.

Jim Eglinski Yellowhead, CPC

Can you tell me what your concerns are with the Huawei 5G products in your country, and why you think it was a good idea to ban them?

4:20 p.m.

The Chair Liberal John McKay

In 10 seconds or less.

4:20 p.m.

Prof. Jill Slay

I think there are two ways with Huawei. Some things I can't comment about because, as I've just told you, I have a clearance. By reputation, Huawei is a company that has constantly stolen IP. If you have a look at the best-known case, of the Cisco routers, from, I think, 2012, there's a sense of business ethics.

Also, the other, more logical one is that if you buy their equipment, there is the potential for them to need to have access to the equipment for maintenance. If they choose to do espionage, then they can actually insert malware in your equipment. It could be hardware or it could be software, but we're very vulnerable.

4:20 p.m.

The Chair Liberal John McKay

Thank you, Mr. Eglinski.

Ms. Dabrusin, go ahead for five minutes, please.

4:20 p.m.

Julie Dabrusin Liberal Toronto—Danforth, ON

Thank you.

I believe, Professor Slay, you talked about national professional standards in cybersecurity. One thing that's come up a few times when we've heard testimony is the need for more trained individuals, more training for people to be professionals in cybersecurity. Is Australia doing something in particular that's doing a good job of building the pipeline—for lack of a better term—of young people who are learning the skills to get into cybersecurity so that they can help us with this issue?

4:20 p.m.

Prof. Jill Slay

Yes. We're putting huge amounts of money and effort into this. Through the Australian Cyber Security Growth Network, through the growth centres, we now have systems. We've emulated the Americans in many ways, so we have the equivalent of its CyberPatriot school kid Capture the Flag. We're trying to insert cybersecurity into the curriculum for everybody from grade 7 to grade 9. We're trying to insert cybersecurity awareness into the curriculum at TAFE colleges, which are community colleges or technical colleges, into every kind of diploma. That should be happening quite soon. This is national funding doing this.

From the Australian Computer Society's point of view, we have a national curriculum in ICT, so we're trying to actually develop national curriculum in cross-disciplinary cybersecurity so that we focus not just on IT issues but also on law, ethics, criminology and psychology, in a three-year degree. My university has one, and quite a few have that kind of curriculum. Government has stated that it's a cross-disciplinary issue, so therefore the whole education system has to recognize that as well.

4:25 p.m.

Julie Dabrusin Liberal Toronto—Danforth, ON

Mr. Shavitt, is Israel doing something to build that capacity?

4:25 p.m.

Prof. Yuval Shavitt

We are doing similar things to what there is in Australia. We have a curriculum for young children. You can do matriculation at the end of high school in cyber. It used to be computer science. Now you can choose either computer science or cyber. At university we also now have a specific program for cybersecurity.

One thing we have that probably Australia and Canada don't is the military as a huge facilitator. Every year, hundreds of thousands of young Israelis are drafted to the intelligence forces and other units where they are trained. They actually do lots of high-level cybersecurity work in a very compressed environment. This gives us a big edge.

4:25 p.m.

Julie Dabrusin Liberal Toronto—Danforth, ON

We don't have a similar system to that.

I'm just trying to figure out what people are doing well that we might be able to learn from. It's really interesting to hear some of the different things that are happening.

One of the others we heard from, HackerOne, spoke about using hackers—well-intentioned hackers, for lack of a better way of describing them—who will test the system. There might be bug bounties, I think they called them, to help find where the problems and weak spots are. Have you seen that in either of your countries? Is there some value to legalizing that kind of work?

4:25 p.m.

Prof. Yuval Shavitt

First of all, it is legal. Many companies have bounties. If you report a problem, you can get a cash prize, and it can be as high as $100,000 if it's something really.... This is happening around the world. It's limitless. If Cisco or some other company has a problem, they don't care if the solution comes from Belgium or from Canada.

In addition, at least in Israel, we have a volunteer Red Team. These are cyber experts who devote a day a month or a few days a month to test, with permission. They do pen testing on critical infrastructure. It can be a hospital, a water installation, etc. At the end, they give a report saying, “These are the problems you have.” I think this is really valuable. When you have permission, there is no legal problem. I don't think you need a new law for that.

4:25 p.m.

The Chair Liberal John McKay

Thank you, Ms. Dabrusin.

As colleagues and witnesses can see, the lights are flashing. Normally I'm obliged to suspend at this point, but I'm assuming there will be some unanimity to continue for about 20 minutes. That will give us 10 minutes to get upstairs to vote. Is that fine?

4:25 p.m.

An hon. member

I'm fine with that.