Public Safety Committee on Feb. 20th, 2019

Evidence of meeting #149 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A recording is available from Parliament.

On the agenda

M-167, Rural Crime in Canada
Cybersecurity in the Financial Sector as a National Economic Security Issue

MPs speaking

John McKay
Michel Picard
Pam Damoff
Sven Spengemann
Glen Motz
Matthew Dubé
Julie Dabrusin

Also speaking

Jill Slay  Professor, La Trobe Optus Chair of Cyber Security, La Trobe University, Melbourne, As an Individual
Yuval Shavitt  Professor, Tel Aviv University, As an Individual
Jim Eglinski  Yellowhead, CPC
Ruby Sahota  Brampton North, Lib.

4:40 p.m.

Prof. Jill Slay

Yes, it's the same for us. We're always aware of the possibility of internal attack. We always joke about the 15-year-old script kiddie who can do just as much damage as a nation-state. We do have that awareness, but currently, with the issues around Huawei and China, I think there's an international focus on external attack.

4:40 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

With the minute I have left, as we've seen in other fields such as intelligence and law enforcement in more traditional terms, the focus sometimes leads us to forgetting the other side. Is there a possibility, a risk, that the domestic side gets neglected with all this focus on foreign actors?

4:40 p.m.

Prof. Jill Slay

If we focus on defending our systems from external attack, we're protecting it from domestic attack. Insiders is a different issue.

4:40 p.m.

Liberal

The Chair Liberal John McKay

Professor Shavitt.

4:40 p.m.

Prof. Yuval Shavitt

[Technical difficulty—Editor]

4:40 p.m.

Liberal

The Chair Liberal John McKay

I have a couple of questions, with the indulgence of the committee. Even if the committee doesn't indulge me, I'm going to ask them anyway.

Professor Shavitt, I want to focus on your analysis of the router, which, as I understand it, is your specialty. You talked about the attack points, both the software and hardware attack points, and where they can be compromised and route information to where you don't want it routed. The question I have for you is that this is the current state of affairs with the 4G network, and when it comes to a 5G network, what is the significant difference, if any, in terms of how you protect those routers?

4:40 p.m.

Prof. Yuval Shavitt

I don't think there's a significant difference. It's just that this is a good point in time where you renew your equipment and you want to do it in the best way possible in terms of cybersecurity.

4:40 p.m.

Liberal

The Chair Liberal John McKay

Professor Slay, do you agree with that observation?

4:40 p.m.

Prof. Jill Slay

Yes, I do. This is the time to be having a good look at your defences.

4:40 p.m.

Liberal

The Chair Liberal John McKay

On the insertion of malware in the hardware part of these routers, you'd apply the same analysis as if it was in a 4G network as you would in a 5G network. Is that correct? Okay.

The second question I had is with respect to the ownership of the infrastructure, because Israel has made a decision, and it is a relatively small country and therefore more able to control the ownership structure. Is ownership actually an illusion, in fact, and any system can be penetrated from outside regardless of the ownership of the system?

4:40 p.m.

Prof. Yuval Shavitt

It's true that any system can be penetrated from the outside, but you have to defend those systems. You don't want to make life easy for the attackers. Again, it's risk management. You want to make the penetration of your critical infrastructure as hard as possible. You can never be 100% secure, but you can get as close as possible.

4:45 p.m.

Liberal

The Chair Liberal John McKay

Your argument would therefore be that if it is a domestic actor, the possibility of security increases rather than decreases.

4:45 p.m.

Prof. Yuval Shavitt

Yes.

4:45 p.m.

Liberal

The Chair Liberal John McKay

Professor Slay, do you have any comment on that?

4:45 p.m.

Prof. Jill Slay

I think my advice would be that particularly when we're talking about critical infrastructure—I'm also particularly concerned about the cloud—there has been a trend for money saving within government and to use other people's external public-private clouds, and I'm talking about my government. But I've noticed a trend, even now this week, to talk about having the cloud storage on Australian soil.

I would be recommending that you weigh out the costs and benefits from a national security and finance point of view of keeping all your data on shore, in your own country.

4:45 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Professor Shavitt.

4:45 p.m.

Prof. Yuval Shavitt

There's one thing that is easy to do and that governments don't seem to do.

People tend to align with the body that they are part of. Look at the Snowden case. Snowden was a contractor. He was not a government employee. There's a good chance that if he had been a government employee, he would have felt more like he was part of the system, and the chances that he would go against the system would have been lower.

In cybersecurity, don't hire contractors. You should make it possible to pay cybersecurity professionals higher salaries than what government used to pay, but make them part of the system.

4:45 p.m.

Liberal

The Chair Liberal John McKay

On behalf of the committee, thank you to both of you for your advice, wisdom and experience.

Colleagues, at this point, I can either adjourn or suspend. We have 10 minutes until the vote. If we suspend, then we can come back and possibly deal with the motion or we can adjourn and we'll deal with motion M-167 at another time.

What's your pleasure?

4:45 p.m.

An hon member

Adjourn.

4:45 p.m.

Liberal

The Chair Liberal John McKay

The meeting is adjourned.