Evidence of meeting #151 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Clerk of the Committee  Mr. Naaman Sugrue
Michele Mosca  Director, Quantum-Safe Canada
Brian O'Higgins  Chair, Quantum-Safe Canada
Christopher Parsons  Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab
Karen McCrimmon  Kanata—Carleton, Lib.
Jim Eglinski  Yellowhead, CPC
Normand Lafrenière  President, Canadian Association of Mutual Insurance Companies
Steve Masnyk  Principal, SkyBridge Strategies

4:15 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

I have a quick question before I move on to Mr. Parsons.

Would we ever know when a quantum computer starts launching an attack? Could these activities go unnoticed today for significant periods of time? Do we currently have the systems to even detect them?

4:15 p.m.

Director, Quantum-Safe Canada

Michele Mosca

That's a great question.

It's hard to predict how threat actors will exploit it. It's a scary game that we can play with each other. If you had a quantum computer, what would you do with it? What's your objective? Do you want to destroy the planet? Do you want to be rich? Do you want to do this or that? Then you would have a different strategy, different tactics, depending on what your strategic outcomes are. It is certainly....

It's like the movie The Imitation Game, about World War II. When the Allies broke Enigma, they were very tactical in terms of how they responded. They didn't want it to be known that they had an Enigma machine.

You might not notice, but there are some indicators. When you start seeing stuff that looks like it came from Microsoft or whatever—it has their official signature, but it never came from them—those are some red flags. That's a big part of the problem. Breaking cryptography is like giving somebody the digital key to the front door. It's a lot easier to go undetected, I would say.

I don't know if Brian wants to add to that.

4:15 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you very much.

Mr. Parsons, I believe you were in Washington D.C. when my colleague PPH, Pierre Paul-Hus

4:15 p.m.

Voices

Oh, oh!

4:15 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Sorry.

You met with intelligence officers there. Around the same time that was going on, our head of the Canadian Centre for Cyber Security, Mr. Jones, made comments to this committee, alluding to the superiority of our testing facilities compared to those of our allies. He explained that this would set us apart in our ability to do business with companies—maybe from hostile states, such as possibly Huawei.

Could you explain to this committee what our American counterparts had to say about Canada's security capabilities?

4:20 p.m.

Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Christopher Parsons

This came up extensively in our discussions in Washington and throughout the United States. The U.S. officials were very circumspect and did not state explicitly that Canada had the right or wrong policy. Rather, they indicated that should we adopt an approach that parallels that of the United Kingdom—one where we would inspect foreign equipment, then evaluate it, then release it into the corporate sector should we desire—then we should look to what has happened in the U.K. They pointed to the fact that last year the U.K. recognized that there were serious supply management problems. Their ability to ensure the safety of Huawei equipment could not be guaranteed as of last year.

4:20 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

In my last minute and a half, Mr. Parsons, can you describe, from your research and in your opinion, what dangers Canada may be facing if we allow a company like Huawei to become part of our 5G network?

4:20 p.m.

Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Christopher Parsons

There's a series of different problems. One of them pertains to the potential for equipment to be updated in ways that are detrimental to Canada's national security interests. This could involve a firmware update that modifies the way the most basic elements of the boards operate. It could also involve modifications to the software systems that are one layer up on the routing equipment.

Associated with that, there's the possibility that if there are vulnerabilities that are accidentally inserted—code has bugs all the time—the Chinese government could issue an order telling Huawei not to patch it. That may be the most significant type of vulnerability, because it would not be one that was deliberately inserted. Indeed, these types of vulnerabilities have been exploited by the members of the Five Eyes alliance as well, minus any sort of legislative requirement, as far as we know.

Those would be the primary issues. That kind of back door could then be used to modify data, which is probably as dangerous as, or even more dangerous than, exfiltrating it. All of a sudden, you would be unable to determine whether the data you were receiving that was being processed through the network was accurate, inaccurate or something else.

4:20 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

You'd never know whether that was done. In the first instance, it was a malicious code or some bug that wasn't fixed, but if they were purposely adjusting their equipment and putting in monitoring software and hardware, as a country, our networks would never be able to recognize that.

4:20 p.m.

Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Christopher Parsons

It would be incredibly challenging to ascertain it. By the nature of updates, you might be safe at one point and unsafe at another point in the future.

4:20 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Mr. Dubé is next, for seven minutes, please.

4:20 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Chair.

Thank you all for being here.

I want to continue on the discussion between Dr. Parsons and my colleague Mr. Motz.

Even if the network is secure.... I'm particularly looking at the Pegasus iPhone hack, which your organization has worked on—or even was a victim of, if I'm not mistaken. Even if the network is completely secure—a metaphor was given to us of an armoured vehicle between two cardboard boxes—I'm wondering, in the era of the Internet of things, whether there's concern about still being able to remotely access devices. Firmware updates might not be provided to devices, so you might have the data transiting—and I'll say this in layperson's terms—between devices on a very secure network, but once they land on a device that is cheap, so to speak, out of date and whatnot, is that a problem?

I'll hear from you, and if our other witnesses want to jump in as well, I'd love to hear them.

4:20 p.m.

Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Christopher Parsons

From the perspective of the Citizen Lab, and more broadly the computer security community, security is an ongoing state. Security imposes friction and decreases the likelihood of an opportune activity taking place, but there's no such thing as perfect security.

You point to activities by Pegasus, which was developed by NSO Group, an Israeli group that produces cyber weapons for a variety of organizations and countries. They're exploiting vulnerabilities for which there are no known patches. The vulnerabilities themselves are unknown to the manufacturers. There is the concern that a group like NSO or something like it could target Huawei equipment on the basis that it has a vulnerability that no one is aware of, and that is a very real concern.

Associated with that is having data transiting across these insecure devices, which also opens the possibility that data transmitted from the Internet of things could be modified. One example I like to give is that you might see on your thermostat that it's a balmy 25°C inside and you're enjoying a nice warm Ottawa winter, and it's actually -30°C outside but the thermometer is not sending messages to your furnace to come on.

That would be an example of your Internet of things communicating back and forth and being modified by an insecure middle point.

4:25 p.m.

Chair, Quantum-Safe Canada

Brian O'Higgins

In the Huawei example, it's very important to trust our network because everyone is using that. We could never control the individual devices that people use, and when there's a specially targeted attack, one individual here and there will always be compromised, but it's very important to pay attention to the network that the world, the whole population, uses.

4:25 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

It's interesting, because a point was just made that some of the flaws in devices may not be known to the manufacturers, and obviously not to the public in that case.

When HackerOne was here, there was a bit of discussion about the bug bounties, discovering the bugs and reporting them, but then there are also the concerns about whom they're being reported to, the “highest bidder” phenomenon.

I wonder what all of you have as a perspective on how that should be approached and whether we need more explicit rules about how these vulnerabilities are disclosed, particularly when they're discovered by government organizations—for example, if CSE was aware of serious flaws on devices that we all as Canadians use.

4:25 p.m.

Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Christopher Parsons

In the case of CSE, it does possess what's called a vulnerabilities equities program. This is a way by which CSE determines whether it will disclose or retain vulnerabilities that it identifies. It's not public. It's not clear how effective it is, and it's not clear what data is or is not presented to manufacturers, so I think it's important to work through that and present it.

Bug bounties are prospectively very helpful. Quite often, people who are doing security research aren't necessarily actually motivated by the money out of it; it's the prestige, and those are effective processes. They're often the later stage of a vulnerabilities disclosure program that's developed.

I would note that one of the concerns pertaining to the Australian legislation is that, reading through it, there's the prospect that the Australian government may be able to go to companies and say, “We want to know all the bugs that you know exist in your software but have not yet been patched”, in order to run policing or national security investigations. That's a serious concern, because if that is the way the government chooses to read its legislation—and it is suggested that it is how they will do it—it means that bug bounties and vulnerability disclosure programs can actually be used to channel data that is then used by other states, with the risk being that those vulnerabilities might not always be used to the benefit of Canada's interests.

4:25 p.m.

Chair, Quantum-Safe Canada

Brian O'Higgins

Vulnerabilities, of course, are very valuable, especially to people who want to cause a lot of damage. The NSA had its secret stockpile of vulnerabilities. That got out somehow, and a series of the most damaging viruses and malware in recent memory were born from that set of vulnerabilities, so it's a problem all around.

4:25 p.m.

Director, Quantum-Safe Canada

Michele Mosca

For context, to compare and contrast with the quantum threat—because there are so many ways we can get hacked and it can get really confusing—breaking cryptography fundamentally would be like the mother of all vulnerabilities, because you can't just fix the code. There's no algorithm to fix. A good implementation of a bad algorithm is still vulnerable.

Second, if we deal with this as a crisis, there are going to be many more vulnerabilities for hackers to exploit without a quantum computer.

4:25 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

The last question I have is about third party apps, in regard to banking in particular. Given that there's a lot of sensitive information, should there be more regulation, once you're getting outside of...your bank's app on your phone, which you have with RBC, let's say, and then the type of information that's being shared?

What can we do about that as well? That's a concern that we've seen raised.

4:25 p.m.

Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Christopher Parsons

There's definitely a concern associated with third party applications gaining access to information and using it in ways that individuals aren't aware of. We see that throughout the app ecosystem.

A variety of things could be done. I would identify one of the lower-stake things, which is to ensure that when legitimate, white hat security researchers—groups such as us at the Citizen Lab—look at these sorts of applications, we aren't put in legal liability or jeopardy by looking at them. We have been in the situation previously where we faced litigious organizations on the basis of our security work. We are not trying to break things in order to ruin the Internet; we're trying to do it to keep everyone safe. We're a comparatively well-funded, well-situated organization.

When individuals who engage in this research, and I speak from personal experience, get sued or threatened to be sued once, it's not that security researchers stop doing the work. They keep doing it, but they don't report it. They're not doing it because they want to hack; they do it because that's what gets them going. This is their intellectual curiosity. We need to find a way of helping those people help us, as opposed to making them hide in the shadows for fear of legal liability.

4:30 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Dubé.

Mr. Spengemann, you have seven minutes, please.

4:30 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Mr. Chair, thank you.

Gentlemen, thank you for being with us. I want to sum up the conversation so far by putting it back through the lens of the structural challenges and opportunities that we're facing here, perhaps even looking at it as an infrastructure investment lens. We've heard the whole gamut of concerns. Dr. Parsons, I think you've described Canada as having a profound state of cyber insecurity. Mr. Mosca, you said there's an economic opportunity at the other end of that spectrum; if we get it right, we can actually achieve positive economic gains.

If we take an investment lens, I wonder if you could start us out by differentiating between the quantum and the non-quantum portion of the problem. How much do we need to be concerned about quantum computing at this point? How much of a future threat is it? In the current constellation of conventional cybersecurity problems versus quantum, how do things line up there? Where's the crux of the challenge?

4:30 p.m.

Director, Quantum-Safe Canada

Michele Mosca

Maybe I can take a quick stab at it. Unfortunately, you have to deal with all of the above. Obviously, human nature is to dodge the bullet that's about to hit you now, and the bigger catastrophe that might hit you in 10 years you can always put off without any immediate consequence. We need the discipline to do both at the same time, which is hard.

In the day-to-day stuff, there's a quick turnover in terms of threats changing. As we figure out how to solve one problem, people take advantage of a new one. What was previously not the most economical way to hack you might now be the most economical way to hack you. We have to do the tactics and the strategy at the same time.

Quantum offers us two things. One is a way to leapfrog. Perfect security is not possible, but you want to do the best you can. If we do this as part of life-cycle management, if we proactively transition the foundations of our cybersecurity to fight against future threats, it's a chance to.... It's like when you have to fix your basement. While we're at it, let's redo the plumbing and the wiring. We can retool the foundations of our cyber infrastructure. It won't be perfect, but it will be a heck of a lot better than the band-aid on top of band-aid on top of band-aid that we have now.

It's a great opportunity to retool, to do things right. It won't be perfect, but it will be much better than it is today.

4:30 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

That's very helpful.

Dr. Parsons, how much of the gap would we close simply through developing a cogent national policy framework?

4:30 p.m.

Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Christopher Parsons

I believe it would begin to go a long way. Ideally, any strategy that is laid out should be clear and direct. I think this is an area where you can look to the United States—where it's taken about 10 years, but most of the agencies have started to come together, the intelligence community—to say, here is the way we approach national security. We can agree or disagree on the actual policy framework they are laying out, but it's coherent across branches. That means that all pieces are working toward roughly the same ends. That means that it's productive—for people within government, to see where they have to go; for those external to government, to see what services are needed; and for academics and other parties, to see what technologies or what goalposts we need to move toward as a country.