Evidence of meeting #151 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Clerk of the Committee  Mr. Naaman Sugrue
Michele Mosca  Director, Quantum-Safe Canada
Brian O'Higgins  Chair, Quantum-Safe Canada
Christopher Parsons  Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab
Karen McCrimmon  Kanata—Carleton, Lib.
Jim Eglinski  Yellowhead, CPC
Normand Lafrenière  President, Canadian Association of Mutual Insurance Companies
Steve Masnyk  Principal, SkyBridge Strategies

4:30 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Do any of you have data, or would you be able to speculate on an informed basis about whether Canadian private sector companies are spending, as a percentage of operating expenses, more or less than companies in other jurisdictions, with respect to Five Eyes at the moment? What should they be spending in the future to do things right, if there is a gold standard in terms of jurisdictions that have gotten this right?

4:30 p.m.

Chair, Quantum-Safe Canada

Brian O'Higgins

The response to cyber is typically led by government and finance sectors, and that's universal around the world. Canada is not bad in both of those, in particular because we have only five or six banks, and not 30,000 banks, compared to the U.S. Our banks tend to be big and do a fairly good job. The rest of the industry is woefully behind, and there are sectors that are really pathetic. I get more and more concerned, especially when I look at the critical infrastructure, power generation and so on, and I see they have a lot of embedded equipment with vulnerabilities. It's very hard to update them. Now hackers are getting smarter and more motivated under nation-states, and the risk is becoming greater all the time.

4:35 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

To what extent do you think that's a factor of Canada's domestic economy size, its market size, its status as a mid-tier nation? One of you mentioned Germany and said there are 50 people in this field, and we have zero. I'm reading in your written testimony that China is investing billions of dollars in quantum research. Is our economy size a factor in this, our economic structure, in terms of limitations we're under in the sense of how much we can or should invest?

4:35 p.m.

Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Christopher Parsons

I would just say that this is an area where government can be very effective. If you look at the investments by the Canadian government compared to those of our closer allies, obviously the U.S. is the juggernaut to the south. You can also look at the U.K. and other countries. You can go to European countries. They're investing magnitudes more money into figuring out how to do cybersecurity more effectively.

The other component, just to recognize what my colleague said, is that large banks are comparatively well secured, but the majority of Canadian businesses are small and medium-sized enterprises, and frankly you're just not going to be in a situation where an enterprise of three to 30 people has a security expert on staff. It's essential in that sense, from a structural perspective, for either government or some other group or organization to find a way of facilitating security in those organizations. That's where many Canadians are employed. That's where our economic growth is often derived from, and that's where I think the most important targets are at this point.

4:35 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

I have a minute left. To follow up on that question, to what extent are any governments or private sector economies able to stay on the frontier, on the cutting edge of the pace of change, for any sustained period of time? In other words, is everybody always playing catch-up and are we just trying to be the best at playing catch-up? Or is there actually a way to get out front and be proactive and positive?

4:35 p.m.

Chair, Quantum-Safe Canada

Brian O'Higgins

Yes, it's been mentioned several times. Being perfectly secure is rather impossible, but for all intents and purposes you can be secure, because the definition of security is that you have to be just an inch better than the effort any hacker is going to be willing to spend against you. If there is a level of security in the industry and you're just a tall poppy and a little bit better than that, you're safe, because the attacks go somewhere else.

4:35 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Also, that's measurable.

4:35 p.m.

Chair, Quantum-Safe Canada

Brian O'Higgins

It's about paying attention to it, always following best practices and budgeting appropriately, with any of the incentives to get you to pay attention. There will be legislation around liability and all kinds of things as people wake up to a cyber-threat. It's starting to happen slowly, but we need more incentives.

4:35 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Spengemann.

Mr. Eglinski, please, you have five minutes.

4:35 p.m.

Jim Eglinski Yellowhead, CPC

Thank you, Mr. Chair.

I'd like to thank the three witnesses who are here today.

I've always been pretty secure in life, until we started this study here and I started hearing from guys like you out there. It's like, “Oh, now I'm not so secure.” I'm coming out of this meeting with a feeling of insecurity, but anyway....

Mr. Mosca, you mentioned a very interesting thing. You talked about the football field and who builds that plan. We don't quite get to the blue line.

Who does build the plan? What is your recommendation for us in building that plan? We're here to listen to you about cybersecurity, but we need to know what we need to do. Do we need to work with universities? Do we need to work with industry, with government, etc.? I wonder if you could comment on that, please.

4:35 p.m.

Director, Quantum-Safe Canada

Michele Mosca

I think we need to convene a handful of thought leaders from each of these sectors to figure out the plan. As I said, anyone on their own doesn't have the know-how or the ability to implement the plan, or to even understand what the total plan should be. Together, we can figure it out, but you have to actually do it. It's not a theoretical thing. We have to convene this group of thought leaders with this mission to make us as cyber-safe as we can be, including Quantum-Safe. Let's be economic leaders in this space.

I'm talking about top levels of government. This has to be a top-level mandate. This needs to be implicit in all the relevant mandate letters of the ministers. Industry will show up. In academia, we're here to help. We do need to bolster our ranks, but those of us who are here are here to help, if we're actually summoned with that mandate. We know that it's not academia's job to protect citizens from deadly cyber-attacks or to oversee the economic development strategy of Canada, but we definitely want to help. We'll serve at that table, but we should be pulled into that table very proactively.

4:40 p.m.

Yellowhead, CPC

Jim Eglinski

Just following through on that, then, I think a way to see what you're saying is that we need a quarterback to lead us off. Who do you think that should be?

4:40 p.m.

Director, Quantum-Safe Canada

Michele Mosca

Well, we need a coach and a quarterback, yes.

4:40 p.m.

Yellowhead, CPC

Jim Eglinski

A coach and a quarterback.... Do you think that should be the federal government?

4:40 p.m.

Director, Quantum-Safe Canada

Michele Mosca

I think the federal government has the strongest moral authority to do that, alongside industry leaders and research thought leaders.

4:40 p.m.

Yellowhead, CPC

Jim Eglinski

Earlier, my colleague asked you about how long it would take us to notice if someone were to launch an attack. Do we have anybody watching right now in Canada, any agency that is watching what you spoke about, or is it just in limbo-land and hopefully we might catch it?

4:40 p.m.

Director, Quantum-Safe Canada

Michele Mosca

Well, I don't know what's happening in the classified space. I would anticipate that there is some activity there. In academia, we're watching and very openly explaining what we know.

One important thing I didn't emphasize is that at some point we're not going to know, and we just need to take that threat off the table. Why are we playing this crystal ball game when we know how to just take that threat off the table? What I was saying earlier is that it's really in the threat actors' hands whether they want to just bleed us slowly or completely decimate us. It's their choice. We hope that it's not in their business interests to completely destroy us, but they can if they want to, so why would we even want to go there? Let's just take that threat off the table.

4:40 p.m.

Yellowhead, CPC

Jim Eglinski

At one point Canada was a leader in quantum computing, I remember, at the University of Waterloo and at a couple of B.C.-based companies. Where do you think we stand today compared to the rest of the world? Are we getting interest from our youth through academia? Are we getting people interested in moving into that field, or are you having a hard time recruiting?

4:40 p.m.

Director, Quantum-Safe Canada

Michele Mosca

I think we're still second to none in fundamental science and technology development and so on. We wrote the business plan for owning the quantum world, and we raced ahead in implementing it, and we still have absolutely world-class assets, very much to be proud of, all across the country—in Quebec, Ontario, the west, and the Maritimes. We have a lot going for us on the fundamental science in tech, and we're sort of inching forward toward more applied stuff.

This is sort of separate from the cybersecurity thing. Quantum-Safe Canada can be one pillar of a broader quantum strategy to really own the podium in terms of benefiting economically from these decades of investments, but that coordination isn't happening yet. It is urgently needed, because we're talking about tens of billions of dollars being invested around the world in sort of eating that lunch that we've been preparing for however many decades.

We need to do that very quickly if we're serious about this. We don't want this to be the quantum Avro Arrow, so there's a great urgency to coordinate these wonderful assets we have in quantum. Again, Quantum-Safe Canada could be the leading piece of that, and as these other pieces keep maturing, we can also own the podium economically in quantum tech—not just tech, but the applications, the software and so on, the uses of quantum computing and quantum technology.

4:40 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Eglinski.

Mr. Picard.

4:40 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.

I share your enthusiasm for identifying challenges in a sector that is so unknown to us. This is Quantum-Safe Canada's area of expertise, so I'm going to tell you what I think, and you can correct me if I'm wrong.

You consider the threat to be very serious, and it is clear that Canada is at the back of the pack as far as its ability to defend against outside threats is concerned. The threat is not exaggerated per se, but is certainly more serious than people in general realize.

The solutions you are proposing focus on mechanics, techniques and technology. Given your extensive expertise, we can assume those solutions address the problem that lies before us. I don't necessarily think the threat has been exaggerated, but I do think the level of confidence in the proposed solutions is very high. The more, however, we talk about the technical dimension, the less we consider one specific element. I'm talking about the only risk you have no control over: the human element. No one has been able to come up with a satisfactory solution to that problem thus far.

Even if you have the best, most ironclad system in the world, the unpredictability of the human element makes it impossible to control the situation. The system can fall apart like a house of cards, because of the psychological element, or social engineering. I don't think, though, that AI is the way to manage the human risk. I'd like to hear your thoughts on that.

4:45 p.m.

Director, Quantum-Safe Canada

Michele Mosca

Thank you for the question.

You're absolutely correct. The human factor is one of the greatest, if not the greatest, vulnerabilities, and that's not going to fundamentally change. New mathematics, quantum entanglement, is not going to change our fallibility as humans and our corruptibility as humans, but good cryptography does reduce our dependence on trustworthy individuals. We still need some, but it reduces our dependence, which is a really important thing.

Second, the vulnerabilities intrinsic in human mistakes and human compromise tend to be more ephemeral and fixable. If there is a corrupt individual, if somebody uses a bad password or clicks on something they shouldn't click, you detect and you remediate. That's sort of at the top of the stack in terms of stuff that's hurting.... It's very common. It's not going away, but we have a fighting chance if we adopt better discipline and better detection mechanisms and, again, reduce our dependence on smart—not smart; we're all smart—but on people who are not making mistakes, because of course we're going to make mistakes. We can reduce that vulnerability, but not to zero.

Further down the stack, for broken crypto, there is no quick remediation there.

You're absolutely right—you can't just deal with one solution in isolation, because it's the whole ecosystem that works together. Definitely that's why I wanted to advocate for these 20 senior research chairs for Canada. Now it's 50, because we have to catch up. About a quarter of those need to be in the social and human sciences to help us get around the best way to handle all those aspects.

4:45 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Mr. Parsons, any word?

4:45 p.m.

Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Christopher Parsons

I think there's a fundamental challenge in building out secure infrastructure and secure systems. It is very hard. To give you an example, it has taken probably the better part of 10 or 15 years to simply ensure that when you update your web browser or your operating system, it works, and we can guarantee that it works.

I say this because encryption is complicated, and any effort to undermine the few systems that are working would have devastating consequences. Unfortunately, we are seeing that this has happened in certain jurisdictions, Australia being one...and calls in other domains to do it, such as the United States for law enforcement purposes, and to a lesser extent in Canada, also for law enforcement purposes.

I think we're in a situation where it isn't just about evaluating how we can be secure. It's also about how to evaluate what we need to do. My argument, and certainly the argument of Citizen Lab, is that we need to preserve the few functional tools we have now to facilitate secure systems, rather than risk them in the pursuit of short-term law enforcement investigative pursuits.

4:45 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.