Public Safety Committee on Feb. 20th, 2019

May I answer?

Last week we publicly announced a major attack on Parliament—on all our email and all our service. The Prime Minister talked about it on Monday. They also attacked each of the three major political parties. This morning I woke up to find that a huge Melbourne hospital has had an attack with ransomware and that patient records have been garbled and can't be properly decrypted.

I would say that you must not see yourselves as the sort of poor country cousins in any way. We are all under the same amount of attack. As the Five Eyes in particular, we rely on each other to support each other. I think the level of attack is pretty high at the moment though. For us, that's because we're facing a general election, but there are other political issues. I see it from both a political and a criminal point of view. There are nation-states and cybercrime, and it's only growing.

I think it's probably the same worldwide. Maybe Israel gets a little bit more because of the Israeli-Arab conflict, but in general, we're all suffering.

I have to say that it's a sovereign issue. It's really for Canada to decide.

Obviously, I can't speak for government. I just speak for myself. I think it would be easier for the Five Eyes partnership, just thinking from a technical point of view, if we had a common view on Huawei. But I think the announcement yesterday from the British, which was a halfway announcement that perhaps we might be able to deal with this, which says perhaps, with effort, we can provide the kind of assurance...would also then complicate the system for Canada.

I'm a very black and white person and a very black and white engineer, so I'm comforted by the fact that the federal government is not going to buy Huawei. I'm also the Optus chair, and Optus funds a lot of the research at my university. Obviously, Optus was the company that had the relationship with Huawei for 5G. I felt myself in huge conflict because I was called the Optus chair, so I was highly relieved when I didn't have to deal with that issue.

From a political point of view, I think for maintaining the solidarity of the Five Eyes, I would hope that we could come to the same kinds of conclusions. But I think there will be other people having that discussion this week.

It's a risk management thing. As I said in my initial statement, we know from the Snowden report that American companies collaborate with the American government, so there's no reason to suspect that in other countries it doesn't work this way, especially not in China. It's risk management. How much would you invest in order to avoid having Huawei in Canada? Of course it's going to cost you more for equipment.

I would say that if you decide to use Huawei, you need to put in place monitoring equipment and monitoring facilities to make sure that funny things don't happen.

I think it is part of the international understanding, which has already been stated, that basically, in the same way that China might want to just collect as much data as it can from the system, China has had a much more systematic way of sending Ph.D. students to Australia, the U.S., and, I presume, Canada. Those of us who are deemed to be leaders in our country end up with many Chinese students wanting to be our Ph.D. students.

With one of my very first Ph.D. students, I was working on a project with the police. It was in a public university, so it wasn't classified data. Nevertheless, without going into details, the IP was stolen and taken back to China. I was there, unfortunately, without knowing when it was handed over. Since that time, I have been very cautious about what's going on.

I've read a little bit about the political parties being hacked. Do you know what kind of data? I know you're going into an election. We are also going to be having a federal election in October of this year. On another committee I sit on, we've been talking quite extensively with the democratic institutions minister about the potential threats Canada faces as do many countries around the world regarding elections and protecting democratic institutions.

What kind of wisdom can you give us from the experience that Australia has been having?

I don't think we've formally announced—and I don't think we will be able to formally announce in the short term—whether any data were stolen. We actually don't know. That's from the parliament service. The greater concern has been raised with the [Technical difficulty—Editor] parties, the three major parties, and the fact that very little finance is being made available to them.

It's only in the order of $70,000 a year to actually secure their systems. However, on their systems, they will have all the data of memberships, donations and things like that. Those are the things that are causing public debate this week. We, like you, will be remembering what happened or what was claimed to have happened in the U.S. election. We're being assured by government that it was caught very early and that it's under control, but I don't think there will be much more of a public statement, to be honest. We have to all be careful.

Do you feel the lack of a public statement is due to wanting to protect the integrity of the system there and not wanting people to be fully aware of what may or may not have happened?

They're not ready to announce anything. Attribution is hard and that's part of the discussion. It's easy to pretend to be a nation-state setting up in a different nation-state. We can't tell where the attack is actually coming from. We very often cannot tell where the attack is coming from, because people are very good at espionage and hiding themselves, pretending to be somebody else.

We've had those conversations, as well, when it comes to private companies. Many people are not revealing the breaches that are occurring due to public scrutiny or shame.

When it comes to our democratic institutions, do you think we should be trying, through the Five Eyes at least and through other democracies, to work together in order to lessen the potential threats, and how so?

We should be and I think we are. There is probably a lack of under-reporting publicly, but I'm pretty sure that within international organizations, within governments, there is also a lot of sharing. My experience is that there is a lot of sharing, whether it's law enforcement or whoever. I don't think we're necessarily constrained by those things.

It might be smaller companies that don't want to acknowledge they have been breached. However, particularly in Australia, there is more of an openness now to talk about it, particularly since before Christmas, the government, Alastair MacGibbon, the deputy secretary, the prime minister's adviser, did made it very clear that many companies have been breached, and there is more openness, more willingness to accept that because there's just so much of it.

Of course, you're always afraid of criminal activities. Criminals identify the Internet as a great place to make money very easily. Yes, you have to be protected also against domestic attacks.