Evidence of meeting #152 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A video is available from Parliament.

Also speaking

Charles Docherty  Assistant General Counsel, Canadian Bankers Association
Trevin Stratton  Chief Economist, Canadian Chamber of Commerce
Scott Smith  Senior Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
Andrew Ross  Director, Payments and Cybersecurity, Canadian Bankers Association
Ruby Sahota  Brampton North, Lib.
Andrew Clement  Professor Emeritus, Faculty of Information, University of Toronto, As an Individual
David Masson  Director, Enterprise Security, Darktrace

4:30 p.m.

Assistant General Counsel, Canadian Bankers Association

Charles Docherty

I'll speak to some of that, certainly.

In terms of skills development, the banks are heavy investors in hackathons and these types of events that are aimed at promoting cyber-skills within Canada.

Andrew, is there anything you'd like to add?

4:35 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

Certainly, the banks are fortunate to have the resources to put against cybersecurity risks. As we mentioned in our remarks, trust is at the forefront of everything we do in banking, so we need to invest significantly in cyber. We do a number of things in the private sector. We mentioned our own CBA cybersecurity summit, where we have a thousand security experts from the various banks come in for a one-day session. As well, many of the banks have invested in partnerships with universities across the country and around the world.

4:35 p.m.

Brampton North, Lib.

Ruby Sahota

What universities are leading the way in this area?

4:35 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

There are a number of them. Waterloo is one, with quantum computing. We also see a lot of work being done out west. New Brunswick has had a significant focus on cybersecurity. There are various hubs that continue to pop up. Obviously, Canadian banks want to support it. We do think there is a good story in Canada; we're starting from a good place. But there is a worldwide shortage, and we see a continued shortage of cybersecurity expertise. It's important to get it into the everyday psyche of Canadians, which is why we suggested starting with public school education and getting people thinking about cybersecurity as a first order of business.

4:35 p.m.

Assistant General Counsel, Canadian Bankers Association

Charles Docherty

In terms of specific examples of investment, our members have funded cybersecurity labs at the University of Waterloo. Members have invested internationally, including in Ben-Gurion University in Israel, which is a globally renowned cybersecurity hub. Another member has a strategic alliance with the Israeli bank, Leumi, and the National Australia Bank to collaborate in areas of digital banking, financial technology and cybersecurity. We've got a few examples of investment both with Canadian institutions and abroad.

4:35 p.m.

Brampton North, Lib.

Ruby Sahota

Where do your members hire professionals in-house? Are they able to find people in Canada or are they hiring from overseas? If so, where?

4:35 p.m.

Assistant General Counsel, Canadian Bankers Association

Charles Docherty

They're not restricted in whom they hire. Certainly there is a global shortage of cyber-skills out there, so they're looking in every country to try to find cyber-talent to protect the personal information of the clients we serve.

4:35 p.m.

Brampton North, Lib.

Ruby Sahota

Have there been repercussions in terms of fines, or has it been just in the interest of public security and in the interest of keeping business going? What has motivated the banks to be leading the way in cybersecurity?

4:35 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

I think it's maintaining the trust that Canadians have come to expect from the banking sector. I think it's the whole financial stability of the economy in general.

We've been very vocal in our interest in sharing our knowledge with other sectors. We mentioned in our earlier remarks that the banks are strong supporters of the Canadian Cyber Threat Exchange. This will essentially allow the banks, which are very good at detecting cyber-incidents, to share with others who may not be as capable.

4:35 p.m.

Brampton North, Lib.

Ruby Sahota

How much time do I have?

4:35 p.m.

Liberal

The Chair Liberal John McKay

A little less than two minutes.

4:35 p.m.

Brampton North, Lib.

Ruby Sahota

Okay.

Recently there was some news about a digital currency company called Quadriga. I was wondering if you've heard a little about that. After the owner died they discovered that the digital currency that people had invested in was completely empty. Apparently they were called “wallets” or something—it's like a Bitcoin, I guess.

How do you feel about the current regulations these companies operate within versus the regulations the banking industry is required to operate within? Do you have any comments on that?

4:40 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

As far as I'm aware, the government is looking at some cryptocurrency legislation. Those entities currently fall outside the financial sector, or at least the requirements and regulations under which banks operate.

4:40 p.m.

Brampton North, Lib.

Ruby Sahota

I know the government is looking at it. Do you have any suggestions or opinions as to how these companies can be regulated so they can better protect the digital currency they're involved with?

4:40 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

My only general comment would be that, as we move into a digital world, these sectors that continue to move into that space need to make sure they have the proper oversight to ensure that things like cybersecurity provisions are established.

4:40 p.m.

Liberal

The Chair Liberal John McKay

Mr. Motz, you have five minutes.

4:40 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Chair.

Thank you for being here.

You indicated earlier that education is a big component of improving cybersecurity and the cyber-frauds that are perpetrated. Do your banks support any specific organizations that work on improving education or best practices for your consumers, or for Canadians at large?

4:40 p.m.

Assistant General Counsel, Canadian Bankers Association

Charles Docherty

Certainly the Canadian Bankers Association supports initiatives aimed at financial literacy. Part of that education relates to not falling for fraud scams and those sorts of things. We also have information on our website. It's Fraud Prevention Month right now so we're certainly involved in that.

I know we're heavy contributors to the Canadian Cyber Threat Exchange, so we're sharing information about cyber-threats.

4:40 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

We also partner with Public Safety on Cyber Security Awareness Month.

4:40 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Okay.

When this study was initiated, my colleague Michel Picard wanted us to focus on the.... When we talked about cybersecurity, we said we wanted to focus on the economic impacts on Canadians and on the financial end of this from a cybersecurity perspective. From many of the witnesses we've had to date, we've heard, almost exclusively, technical information about how it happens and some of the vulnerabilities that exist in our Internet and infrastructure.

I guess from a Canadian consumer perspective, from the Canadian public's perspective, there has to be, from both of your organizations, a perspective on how we can leverage this whole study, if you will, or the whole concept of cybersecurity to reduce the risk of identity theft for Canadian consumers. We all know that data's the biggest theft commodity on the black market, on the dark web. Obviously, then, that leads into financial gain.

With that in mind, what things do you see that we as a committee can do or recommend to ensure that the Canadian public is.... I know they play a role in their own vulnerabilities—we get that—but from a government perspective, what can be done to try to mitigate that risk?

4:40 p.m.

Director, Payments and Cybersecurity, Canadian Bankers Association

Andrew Ross

To me it comes down to public awareness. If the government is able, and the financial sector is willing to work with government, to spread the word, at the end of the day, we do our best within the sector to share with our customers the vulnerabilities that exist. We need to recognize that there are a lot of vulnerabilities beyond the financial sector. If we as Canadian companies across sectors and with the public sector can get the message out on the risks that exist, that, to me, would be the number one step.

4:40 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

That said, if companies on either side, chamber members or banking companies, identify a vulnerability in their own systems, are they prone to having that reported or would they try to cover it up? If we're talking about protecting Canadians, there's a line, and we have to make sure that we're all in the same boat together and try to fix a vulnerability. What are you seeing industries and businesses doing to deal with their own vulnerabilities in order to protect Canadians?

4:45 p.m.

Senior Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

If you don't mind, I might like to tackle this one. CCTX, the Canadian Cyber Threat Exchange, was mentioned a couple of times. It's a group of businesses that have gathered together under one umbrella to share information about vulnerabilities.

Maybe we want to just focus on the language here for a second. There's a big difference between a vulnerability and a breach. A vulnerability means there's a back door open somewhere and I don't know about it. There may be a threat existing on my network, but that doesn't necessarily mean there's been a breach or any significant harm from a breach. It means there's a hole I need to close up. Sharing of information is important. That's happening with a group of large businesses right now, like the banks and the insurance companies and some of the telecom companies. They're sharing information right now. What's happening is that it's not making it out to the large majority of businesses out there, which don't have a concept of what some of those threats are. I think that's the hurdle government could help cross, by getting some of that information out to those small businesses.

I know that at the CCTX they're looking for ways to engage small businesses—they've certainly come to us, and we're trying to find ways to help them do that—and to get that information out to the business community, beyond just the major banks, the telecom companies and the major transportation companies, which are all doing an excellent job right now of protecting Canadians.

4:45 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Motz. That does bring our questioning to a close, unfortunately.

We are going to have Mr. David Masson in the next panel. In his paper he argues that industries are currently more at risk than they imagine. He says that at Fortune 500 companies, his own company has detected 80% of the time a cyber-threat or a vulnerability the Fortune 500 company didn't know about, whether dormant malware, a misconfigured network, or so on. In smaller companies the risk went up to 95%.

Mr. Smith, what would you say to Mr. Masson? He's sitting back there, right behind you.

4:45 p.m.

Senior Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce

Scott Smith

I'd say he's probably right on the smaller companies. I think the average number of days that a threat exists on a network before it's discovered is 271 days. That's probably less true of larger organizations. Honestly, I couldn't tell you what that number is. There are a number of different surveys that scatter about on what that number is, but it's bigger than it should be.