Public Safety Committee on Feb. 20th, 2019

Evidence of meeting #149 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A recording is available from Parliament.

On the agenda

M-167, Rural Crime in Canada

Cybersecurity in the Financial Sector as a National Economic Security Issue

MPs speaking

Also speaking

Jill Slay Professor, La Trobe Optus Chair of Cyber Security, La Trobe University, Melbourne, As an Individual

Yuval Shavitt Professor, Tel Aviv University, As an Individual

Jim Eglinski Yellowhead, CPC

Ruby Sahota Brampton North, Lib.

4:05 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I appreciate that. Thank you.

Professor Slay, I want to speak more specifically about the Australian experience.

Last year, I believe, legislation was adopted there. This comes back to this idea of the concern often raised about these so-called back doors. I'll express it in layperson's terms. Any sort of back door that's potentially opened to decrypt for law enforcement potentially opens the same avenue for bad actors—to not use the expression “bad guys”.

I'm just wondering what your thoughts are on that legislative experience that Australia has had, or if it's too early to tell if that's what has happened. I believe that concern was raised at the time.

4:05 p.m.

Prof. Jill Slay

I think that issue has not been resolved, because it has gone back to Parliament. From my point of view, I believe the vendors have overreacted to what they believe is the government threatening to weaken their products, whereas I've worked with government for many years and have been one of those who, as a professor of digital forensics, has actually helped them to understand how law enforcement can actually get evidence.

I personally have objected the other way to those who want to stop law enforcement genuinely in serious cases getting evidence, but that issue has been not resolved. It's in the paper this week. Really, we don't know how this will end, because traditionally the government has sort of won the argument from a national security point of view. If you're going to follow us, I think you had better wait a bit.

4:05 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

That's fair enough.

You'll forgive me for perhaps not being that well read on the topic, but I'm just wondering what the law looks like. Is it case by case? I would assume there would be the intention of a warrant or something along those lines. Could you perhaps provide as brief a response as possible to that for clarification?

4:05 p.m.

Prof. Jill Slay

Unfortunately, I'm not an engineer either, so I don't know the intricacies of the legislation, but essentially, yes, I believe there's a case-by-case basis, law enforcement being able to force.... It's to do with encryptions, something being encrypted—that's how I understand it to work—but it isn't as drastic a blanket piece of legislation as many people present it, in my opinion.

4:05 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Okay, thank you.

Professor Shavitt, quickly, in the minute I have left, with regard to the Internet of things, you talked about the time that data can remain in one place before it moves to another. Is there a concern that devices themselves are also very weak in terms of their security protocols, especially as they proliferate more in the future?

4:05 p.m.

Prof. Yuval Shavitt

Of course. The problem with the Internet of things is that we are talking about very low-cost devices, and people will not be able to spend a few cents more to make them more secure. We really have a problem in having many, many billions of devices that really have no security. It's a big problem, and we need to see how to solve it at the system level.

4:10 p.m.

Liberal

The Chair Liberal John McKay

You still have 20 seconds.

4:10 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

That's fine. Thank you, Chair.

4:10 p.m.

Liberal

The Chair Liberal John McKay

Okay, thank you.

I hadn't realized it was such a misfortune to be an engineer.

Monsieur Picard, I do not believe you share that misfortune. You have seven minutes.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

No, I'm not an engineer at all.

I'll start with Professor Shavitt.

Just remind me what you said about the fact that no telecom companies in Israel can come from outside Israel or foreign entities.

4:10 p.m.

Prof. Yuval Shavitt

I'm not sure about the legal aspect, but for sure this is not happening. So, yes, all the telecoms in Israel are Israeli-owned.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

To your knowledge, what prevents Israel from seeing its own local telecom companies being bought by a foreign interest or having their services rented by a foreign interest, who thereby can get around this interdiction?

4:10 p.m.

Prof. Yuval Shavitt

I think they cannot be bought by foreign entities. There has to be an agreement by some committee. I don't think this can happen. Can somebody be rented? Well, maybe.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

We enter a grey zone, if I understand that.

4:10 p.m.

Prof. Yuval Shavitt

Yes.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Okay.

Professor Slay, a few weeks ago there was an article stating that London has looked at Huawei and is maybe starting to change its perspective on the company with the security issue they had to deal with, and they might not be as scared or have to be as protected as they thought they should be, although in Australia you got rid of the company and that was that.

Are you aware of this change of mind in the U.K., and if so, what do you think of it?

4:10 p.m.

Prof. Jill Slay

I've been following that quite closely.

The first report from GCHQ said they felt it was far too great an effort for their lab to provide assurance about the Huawei equipment, but I believe it was only yesterday that GCHQ said maybe they could assure the equipment. I believe there are political implications in the U.K. because of the nature of their board, which were not necessarily the same for us in Australia. I believe we have already made that commitment not to use Huawei at the federal government level, but we have not always tracked the relationships Huawei has in the country with, for instance, others who are not purchasing for the federal government. For instance, the Government of Western Australia has a contract with Huawei for equipment for their train system, and the University of New South Wales, where I used to work, has bought equipment for some kind of building works.

In Australia the federal government can control federal purchasing. For instance, it was able to control or to in some way stop Optus, one of our telcos, from using Huawei for 5G, but we don't have an overarching blanket control, because we're a democracy and because we have states as well as a federal government.

My own opinion is that the British decision will not affect the decision we have made in Canberra, mostly because we see the link between cybersecurity, the ability to infiltrate our systems' back doors, cyber-espionage and foreign interference. That is the theme at the moment, rather than just the security of the equipment.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

I'm not sure about that part, but in terms of iPhones, aren't some parts of iPhones manufactured in China? Do I have to start not trusting my iPhone now? If it's that, then I would trust no phones or equipment at all. In my riding, we don't manufacture anything, so I have to buy it from somewhere else.

4:15 p.m.

Prof. Yuval Shavitt

There's a greater understanding now of the risk of not being able to understand your supply chain. It's not a simple problem, because we live in a global world and sometimes you have no way other than purchasing some of your parts in places that you might not want to buy them from.

The idea is that if there is an integrator, it has to have the responsibility to examine the supply chain, identify the risks and be able to control them by inspections, testing, etc.

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

You said an interesting word. I have no choice. I have the choice of what I put on my Facebook page. I can be as discreet as possible or maybe look for more friends if I don't have any—I just have two.

4:15 p.m.

Voices

Oh, oh!

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

The market goes on the web, and if we don't go on the web, there's no evolution or progress, because this is where we are and we have to go there. I might not want to share my financial information over my phone or my computer, but the chances are that I won't go every day to the bank to do my statements on paper; they have to go on the web. We know that we are plunging into a hole, and we don't know whether there's a limit to it. Is that the “no choice” that we have?

4:15 p.m.

Prof. Yuval Shavitt

Well, I think we know quite well how to secure websites. It's never perfect, of course, and not everybody is doing whatever they need to do in order to secure them, but there are ways.

Basically, we're talking about risk management here. Probably the cost to go from 99.5% to 100% is going to be too high, but you can get security that is pretty good. You just need to invest money and effort and be aware of what you're doing.

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

As a good citizen, how do you value the fact that you might be the 1% under the risk management where it's, “Well, too bad, we lost this one”?

4:15 p.m.

Prof. Yuval Shavitt

This is statistics, no?