My name is Christopher Parsons. I am a Research Associate at the Citizen Lab, which is part of the Munk School of Global Affairs and Public Policy at the University of Toronto. I appear at this committee in a professional capacity that represents my views and those of the Citizen Lab.
My comments today focus on a range of securitization practices that, if adopted, would mitigate some of the contemporary risks that participants in the financial sector face.
Canadian government agencies, private businesses and financial institutions, as well as private individuals, rely on common computing infrastructures. We use the same iPhone and Android operating systems, the same customer service interfaces and e-commerce platforms, the same underlying code bases and largely identical third party cloud computing infrastructures.
The sharedness of these platforms means that efficiencies can be leveraged to improve productivity and efficiency, but these benefits are predicated on the overall security of these shared products. To be blunt, the state of computer insecurity is profound, and a large number of vulnerabilities in these shared products, writ large, threaten the financial sector to the detriment of Canada's national security interests.
In my remaining time, I want to point to four issues in particular that I believe need to be taken up to ensure that Canada's national interests are better secured in the future than they are today. These issues include the need for Canada to formally establish a responsible national encryption policy, update Canada's vulnerability equities programs, develop a vulnerability disclosure program framework and promote two-factor authentication.
I now turn to the issue of responsible encryption policies. Given the state of computer insecurity, it is imperative that the Government of Canada adopt and advocate for responsible encryption policies. Such policies entail commitments to preserving the rights of all groups in Canada to use computer software using strong encryption.
Strong encryption can be loosely defined as encryption algorithms for which no weaknesses or vulnerabilities are known or have been injected, as well as computer applications that do not deliberately contain weaknesses designed to undermine the effectiveness of the aforementioned algorithms.
The benefits of strong encryption cannot be overstated. In a technological environment marked by high financial stakes, deep interdependence and extraordinary complexity, ensuring digital security is of critical importance and extremely difficult. The cost of a security breach, theft or loss of customer data or corporate data can have devastating impacts for the private sector and individuals' interests. Any weakening of the very systems that protect against these threats would represent irresponsible policy-making. Access to strong encryption encourages customer confidence that the technology they use is safe.
It is important to recognize that there are risks in the availability of strong encryption. As an example, one of Canada's closest allies, Australia, has adopted irresponsible encryption policies, which may introduce systemic vulnerabilities into code used by the financial sector, as well as other sectors of the economy. Once introduced, such vulnerabilities may be exploited by actors holding adversarial interests toward Canada or Canadian interests. Threat activities might be carried out against the SWIFT network, as just one of many examples, should any element of that network rely on cryptographic products made vulnerable by Australian demands.
Furthermore, strong encryption prevents our closest allies from monitoring Canada's financial activities beyond the above-the-board processes associated with a program such as FINTRAC.
As an example, The Globe and Mail revealed that the United States' National Security Agency was monitoring the Royal Bank of Canada's virtual private network tunnels. The story suggested that NSA's activities could be a preliminary step in broader efforts to “to identify, study and, if deemed necessary, 'exploit' organizations' internal communication networks.”
In light of these kinds of threats, we would suggest that the Government of Canada adopt a responsible encryption policy. Such a policy would entail a firm and perhaps legislative commitment to require that all sectors of the economy have access to strong encryption products, and it would also stand in opposition to irresponsible encryption policies, such as those calling for back doors.
I now turn to the management of computer vulnerabilities of the Government of Canada itself. Vulnerabilities in computer code are acquired by Canada's Communications Security Establishment, or CSE. Thereafter, the CSE determines whether to retain or disclose the vulnerabilities. The CSE is motivated to retain vulnerabilities to obtain access to foreign systems as part of its signals intelligence mandate and also to disclose certain vulnerabilities to better secure government systems.
To date, the CSE has declined to make public the specific processes by which it weighs the equities in retaining or disclosing vulnerabilities. In contrast, the United States publishes how all federal government agencies evaluate whether to retain or disclose the existence of a vulnerability.
CSE's stockpiles of vulnerabilities could potentially be uncovered and used by adversaries, and this has happened to both the United States' National Security Agency and the Central Intelligence Agency. The effect can cost billions in direct economic damage.
The ongoing presence of these stockpiles and lack of clarity concerning what vulnerabilities are retained in the businesses and private individuals have reduced confidence in the reliability and security of products needed to enhance Canada's economic efficiency and productivity, and prospectively slowed Canadians' adoption of contemporary and next-generation software platforms and infrastructure.
To alleviate these concerns, we would suggest that the Canadian government publicize its existing vulnerabilities equities programs and hold consultations on their effectiveness in protecting the software and hardware that is used in the course of financial activities. Furthermore, the government could include the business community and civil society stakeholders in the existing, or reformed, vulnerabilities equities programs. Including these stakeholders would encourage heightened disclosures of vulnerabilities and thus improve the availability of well-written software and reduce threats faced by the financial sector.
Now, it is also important to recognize that security researchers routinely discover vulnerabilities in hardware and software that are used in all walks of life, including in the financial sector. Relatively few organizations, however, have explicit procedures that guide researchers in how to responsibly disclose vulnerabilities to the affected companies. Disclosing computer insecurities absent a vulnerability disclosure program can lead companies to inappropriately threaten litigation to white hat security researchers. Such potential reduces the willingness of researchers to disclose such vulnerabilities.
Beyond studying the laws around unauthorized access to computer code, I would recommend that this committee, and this government, create a draft policy for the financial sector companies to adopt. Such a disclosure policy should establish to whom vulnerabilities are reported, how reports are treated internally and how long it takes for the vulnerability to be remediated. It should also insulate security researchers from legal liability, so long as they do not publicly disclose the vulnerability ahead of the established delimited period of time. Moreover, the government should move to develop and adopt a similar disclosure program for its own departments so that the government can benefit from researchers reporting vulnerabilities in government systems.
Finally, I turn to the topic of two-factor authentication, or 2FA, which refers to an individual being in possession of at least two factors to obtain access to their accounts. The factors most typically used for authentication include something that you know, such as a PIN or a password; something that you have, such as a hardware token or a software token; or something that you are, such as a biometric like a fingerprint or an iris scan. These multiple factors mean that losing a log-in and password pair does not necessarily enable third parties to access a protected system or data store.
It is important for customer-facing systems to have strong 2FA to preclude unauthorized parties from obtaining access to personal financial accounts. Such access can lead to better understandings of whether persons can be targeted by foreign adversaries for espionage recruitment, cause personal financial chaos designed to distract a person while a separate cyber-activity is undertaken, or direct money to parties on terrorist or criminal watch lists.
Admittedly, some Canadian financial institutions do offer 2FA but often default to a weak mode of second-factor authentication that relies on SMS or text messages. This is problematic, because SMS is a weak communications medium and can easily be subverted by a variety of means. It is for this reason that entities such as the National Institute of Standards and Technology in the United States no longer recommend SMS as a two-factor authentication channel.
To improve the security of customer-facing accounts, I would recommend that financial institutions be required to offer 2FA to all clients, and that the 2FA utilize hardware and/or software tokens. Implementing this recommendation would reduce the likelihood that unauthorized parties can obtain access to accounts for the purposes of recruitment or disruption activities.
To conclude, Canadian businesses and private individuals rely on digital tools for all aspects of their lives, including activities that intersect the financial sector. To be clear, the proposals I have outlined will not solve all of the computer insecurity problems that threaten Canada's national security interests and the financial sector, but we believe these proposals do represent a good effort in resolving the most basic threats and would also serve to build trust in the security of our digital tools and the governance of security.
Thank you for your time. I look forward to your questions.