Evidence of meeting #152 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A video is available from Parliament.

Also speaking

Charles Docherty  Assistant General Counsel, Canadian Bankers Association
Trevin Stratton  Chief Economist, Canadian Chamber of Commerce
Scott Smith  Senior Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
Andrew Ross  Director, Payments and Cybersecurity, Canadian Bankers Association
Ruby Sahota  Brampton North, Lib.
Andrew Clement  Professor Emeritus, Faculty of Information, University of Toronto, As an Individual
David Masson  Director, Enterprise Security, Darktrace

4:45 p.m.

Liberal

The Chair Liberal John McKay

With that, I unfortunately have to bring this panel to a close.

We'll suspend for a couple of minutes while we re-empanel.

Thank you.

Ladies and gentlemen, the meeting is back on.

We have with us Professor Andrew Clement by video conference from Salt Spring Island, British Columbia.

You're in a better place, Professor.

We also have with us Mr. David Masson.

Given that we've had some technical difficulties today with various things, I think we should probably go with Professor Clement first so that we don't have any potential technical difficulties.

4:50 p.m.

Professor Andrew Clement Professor Emeritus, Faculty of Information, University of Toronto, As an Individual

I thank the committee for this opportunity to contribute to your important deliberations on cybersecurity in the financial sector as a national economic security issue.

I'm pleased to respond to your invitation requesting insights into the context of critical infrastructure, internet routing, routing of data and communications technologies.

In previous hearings you've heard many valuable points, notably that Internet infrastructure is critical infrastructure not just for the financial sector but for the Canadian economy more generally; that this infrastructure is changing quickly in ways that are risky and not generally transparent or well understood; that threats to security of this infrastructure are multi-faceted, complex and growing.

In addressing these risks, I particularly endorse Professor Leuprecht's earlier recommendation:

that Canada should pursue a sovereign data localization strategy, reinforced by legislative and tax incentives to require critical data to be retained only in Canadian jurisdictions; set clear standards and expectations for the resilience of Canadian communication infrastructure; monitor that resilience; and impose penalties on critical communication infrastructure players who fail to adhere to standards or fail to make adjustments without which they would be left vulnerable.

I will elaborate on this recommendation made in the context of 5G networks, but will apply it to reducing the threats posed by excessive volumes of Canadians' domestic data communications, including financial data, flowing outside of Canada even when headed for Canadian destinations. These flows add a host of unnecessary cybersecurity risks while undermining Canadian economic security more generally.

To be sovereign economically and politically a nation must exercise effective control over its Internet infrastructure, ensuring that critical components remain within its territory, under its legal jurisdiction and operated in the public interest. Most obviously, this refers to locating databases. Less obviously, though no less critical, are the routes data takes between databases, users and processing centres. This latter area of vital concern is much less well understood and the one to which I direct my comments.

I'm Andrew Clement, a professor emeritus in the Faculty of Information at the University of Toronto. Beginning in the 1960s, I was trained as a computer scientist, so I've seen a lot of remarkable changes, good and bad, in the digital infrastructure that is now an essential part of our daily lives. Much of my academic life has focused on trying to understand the societal and policy implications of computerization. I co-founded the cross-disciplinary Identity, Privacy and Security Institute to address in a practical, holistic manner some of the thorniest issues raised by the digitization of everyday life. Currently I'm a member of the digital strategy advisory panel advising Waterfront Toronto on its smart city project with Sidewalk Labs.

One of my main research pursuits has been to map Internet communication routes to reveal where data travels and the risks it faces along the way. My research team developed a tool, called IXmaps, short for Internet Exchange mapping, that enables internet users to view the routes their data follows when accessing websites.

Early in our research we generated a trace route, found on the first image, called Boomerang, which shows the data path between my office at the University of Toronto and the website of the Ontario student assistance program that is hosted in the provincial government complex a short walk away.

This route surprised us, especially since the route to and from the U.S. went through the same building in Toronto, Canada's largest Internet exchange, at 151 Front Street. At the very least it challenged presumptions of maximal efficiency of Internet routing, prompting our further investigations into how widespread this phenomenon was as well as into the reasons for this counterintuitive behaviour. We dubbed this type of path—data leaving Canada before returning—“boomerang” routing. It turns out to be quite common. We estimate at least 25% of Canadian domestic traffic boomerangs to the U.S. The Canadian Internet Registration Authority, CIRA, recently put the figure much higher.

There are several problems related to Internet routing that are relevant to this committee.

The longer route adds risk from physical threats, even as banal as a backhoe cutting through the fibre optic cable. The extra distance adds both expense and latency, undermining economic efficiency and opportunity.

Data passing through major switching centres faces bulk interception by the United States National Security Agency, the NSA. Even before the Snowden revelations, we knew that New York and Chicago were prime sites for NSA surveillance operations. It not only poses risks for Canadians' personal privacy, but also for financial and other critical institutions. At your latest meeting, Dr. Parsons pointed you to a Globe and Mail report that the NSA was monitoring the Royal Bank of Canada and Rogers' private networks, to mention only those beginning with the letter R. The article suggested that the NSA's activities could be a preliminary investigative step in broader efforts to “'exploit' organizations' internal communication networks”.

Boomerang poses a further, more general threat to national sovereignty. If one country depends on another for its critical cyber-infrastructure, as Canada does with the U.S., it makes itself vulnerable in multiple respects—and not just from their spy agencies or to shifts in the political relationship, as we're seeing now. Will even the best ally keep the interests of its friends in the fore, when its own critical infrastructure is threatened? If the U.S. experiences a cyber-attack, might it not feel compelled to shut down its external connections, leaving Canada high and dry? Previously, you've heard that some see Canada as a softer target than the U.S. and, hence, potentially, as an entry route into the U.S. At some point, might the U.S. see Canada as a source of threat and disconnect us?

So far I've focused on the risks from routing Canadian domestic traffic through the U.S. A similar argument applies to Canada's communications with third countries, but even more so. Our mapping data suggests that approximately 80% of Canadian internet communications with countries other than the U.S. pass physically through the U.S. This is related to the relative lack of transoceanic fibre cabling that lands on Canadian shores, as shown clearly in the maps produced by the authoritative TeleGeography mapping service. You can see the slides, I hope.

Only three transatlantic fibre cables land on our eastern coast, compared with much greater capacity south of the border. Most of our traffic with Europe goes via the U.S. Remarkably, on our west coast there are no trans-Pacific cables, so all traffic with Asia transits the U.S. One way of assessing how well banks can withstand severer financial downturns is subjecting them to stress tests. What would a stress test of Canada's cyber-infrastructure reveal? If, for whatever reason, our connection with the U.S. was cut, even in its own legitimate self-defence, how resilient would Canada's Internet prove to be? We should know the answer, but we don't. However, the evidence available suggests very poorly.

What should we do about this? Broadly speaking, the appropriate policy response, as mentioned, is to pursue a strategy of “sovereign data localization” that includes data routing. More concretely, this would involve a coordinated set of technical, regulatory and legislative measures designed to achieve greater resilience.

First, we should require that all sensitive and critical Canadian domestic data be stored, routed and processed within Canada. Second, we should support the development and use of Canada's Internet exchange points for direct inter-network data exchange to avoid U.S. routing. CIRA has led the way on this. Third, we should increase fibre optic capacity as needed within Canada, as well as between Canada and other continents. Fourth, we should include transparency and accountability reporting requirements in cybersecurity standards for financial institutions and telecom providers, in relation to routing practices. Fifth, we should establish a Canadian cyber-infrastructure observatory, with responsibility for monitoring Canadian cyber-infrastructure performance and resilience, responding to research requests and reporting publicly.

Thank you for your attention and I look forward to your questions.

5 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Professor Clement.

Mr. Masson, you have 10 minutes, please.

5 p.m.

David Masson Director, Enterprise Security, Darktrace

For the sake of brevity, I won't read it all because I believe you've all got a copy on your desk.

Good afternoon, Mr. Chair, members of the committee and ladies and gentlemen. My name is David Masson, and I'm the country manager for Canada of Darktrace, a cybersecurity company.

We are the world's leading AI company for cyber-defence. We have thousands of customers worldwide, and our self-learning AI can defend the entire digital estate that people have. We've more than 800 employees—actually, it's 900 now—and 40 offices worldwide, and here in Canada we have three offices.

Prior to joining Darktrace and establishing the company in Canada in 2016, it was my immense privilege and honour, as an immigrant to Canada, to serve my country at Public Safety Canada for several years. Prior to that, I had worked inside the United Kingdom's national security and intelligence machinery, and had done so since the Cold War. I've been a witness, as the previous witness just said, to cyber's evolution over time, from before the Internet to its current mass prevalence and ubiquity in our society today.

In earlier meetings of this committee, I think you heard an awful lot about the scale and size of the cyber-threat that exists in this country, so I'm going to focus on three things. First I plan to share with you some reasons why cybersecurity poses a seemingly insurmountable challenge, and I'll dive into some specific threats. I'll close by offering some suggestions and solutions to these issues.

What we're seeing at Darktrace is that most organizations, unfortunately, aren't as secure as they think they are. When we install our artificial intelligence software in the networks of a Fortune 500 company—sir, you mentioned this earlier—80% of the time we detect a cyber-threat or vulnerability that the company simply did not know about. Outside of the Fortune 500, when we look at smaller businesses, this percentage of companies compromised in some way jumps up to 95%, so that's pretty much all the time.

These statistics highlight two things. First and foremost, obviously, no organization is perfect or immune. Organizations of every size and every industry not only are vulnerable to cyber attacks but are currently more at risk than they imagine. Successful attacks against some of the biggest companies in recent years have revealed that something isn't working. Even Fortune 500 companies, which have budgets, resources and staff to deal with cyber-threats, are still found wanting.

Second, this raises the question: Why are so many companies and organizations unaware they are under attack or vulnerable? The legacy approach that businesses have previously taken to cybersecurity does not work in the face of today's threat landscape and increasingly complex business environments.

In brackets, it's not just the cyber-threat that we're facing. It's actually just business complexity that's bamboozling people.

In the past, companies were focused on securing their networks from the outside in, hardening their perimeter with firewalls and end-point security solutions. Today, migration to the cloud and the rapid adoption of the Internet of things has made securing the perimeter nearly impossible. Another traditional approach, known as rules and signatures, relied on searching for known bad. However, attackers evolve constantly, and this technique fails to detect novel and targeted attacks. Most importantly, these historical approaches fail to provide businesses with visibility and awareness into what is taking place on their networks, making it hard, if not impossible, to identify threats already on the inside.

I'll now look at two potential types of attack that have far-reaching impacts.

Attacks against critical national infrastructure are increasing around the world. When one mentions critical infrastructure, people commonly think of power grids, energy and utilities, companies, dams, transportation, ports, airports, roads. However, Canada's financial sector, the purpose of this committee, the big banks, etc., are also part of a nation's critical infrastructure. Just as roads connect our country physically, these organizations connect the national economy. A successful cyber-attack against these core institutions could dramatically disrupt the rhythms of commerce. The security of financial institutions should be discussed in the same breath and with the same severity as the security of our power grids.

Another type of attack that's more common in recent years is trust attacks. These attacks are not waged for financial gain. As a company, we haven't been able to work out what the financial gain of these attacks is. Instead, they're waged to compromise data and data integrity. Imagine an attacker is looking to target an oil and gas company. One tactic would be just to shut down an oil rig, but another more insidious type of attack would be to target the seismic data used to identify new locations to drill. Effectively, what they do is they get the company to drill in the wrong place.

I also want to touch briefly on what we at Darktrace think we can expect from the future of cyber-attacks. We use artificial intelligence to protect networks, but as artificial intelligence becomes ubiquitous in seemingly every industry, it is falling into the hands of malicious actors as well. Although there's some debate as to when exactly we'll see AI-driven attacks, we think it might be this year, but others think 2020 or 2025. They're something that we will no doubt have to contend with in the near future.

Darktrace has already detected attacks so advanced that they can blend into the everyday activity of a company's network and slip under the radar of most security tools.

Up until now, highly targeted advanced attacks could only be carried out by nation-states or very well-resourced criminal organizations. Artificial intelligence lowers the bar of entry for these kinds of attacks, allowing less-skilled actors to carry them out. AI is able to learn about its target environment, mimic normal machine behaviours and even impersonate trusted people within organizations.

Companies will soon be faced with advanced threats on an unprecedented scale. We think it's critical that companies and government—both in Canada and around the world—consider what this will mean and what steps need to be taken to ensure that they can defend against AI-driven attacks.

As this committee and the broader industry looks for answers and solutions, I want to propose a few.

In October 2018, (ISC)2 announced that the shortage of cybersecurity professionals around the globe had soared to three million. I saw this figure repeated again this morning on LinkedIn. Roughly 500,000 of these unfilled positions are located in North America. In Canada, I think we're seeing 8,000, but I suspect it's more. This shortage is only expected to increase. Businesses are struggling to hire professionals. Those individuals they can hire are struggling to keep up.

Threats are moving at machine speeds now. In the time that an analyst steps away to grab a cup of coffee, ransomware can enter a network and encrypt thousands of files. Beyond these machine-speed attacks, analysts are faced with a deluge of alerts around supposed threats that they need to investigate, handle and remediate. We need to find a way to lighten the burden for cybersecurity professionals, expand the field of potential candidates by hiring more diversely, and arm them with the technology and tools to succeed.

I'll skip the next two paragraphs.

Collaboration between the private and public sector will also be key to solving the challenges we face. The previous witnesses spoke to some of that. Governments around the world collect a wealth of information on adversaries' attacks and attack techniques. Although certain limitations about what governments can share are understandable and necessary, I'd urge the Canadian government and the intelligence community to share what information they can with corporations. Information is an asset. If companies understand the attacks they are facing, they can better defend against them. The Canadian economy is better ensured from the impacts of these cyber attacks.

On the other hand, it's critical that private companies like mine share insights and lessons learned with the government. The private sector's ability to pivot quickly and trial new technologies makes it in some ways a testing ground for new cybersecurity technologies and techniques. Through discussions around what's working and what isn't, the government can learn what's necessary for companies to succeed, compile and disseminate this information—perhaps through CCTX, which I know has been mentioned several times—and help entire industries quickly improve their security practices.

I want to close with a call for innovation. Attackers are constantly coming up with new ways to infiltrate networks, attack businesses and wreak havoc. It's critical that we, the defenders, are innovative as well. Whether this be by developing novel technologies, adopting cutting-edge techniques or enacting new regulation, creative thinking and collaboration are going to be the key. At the end of the day, it's not just about keeping up with attackers, but getting one step in front of them.

I look forward to your questions.

Thank you.

5:10 p.m.

Liberal

The Chair Liberal John McKay

Thank you so much, both of you, for your presentations.

With that, we'll go to Ms. Sahota for seven minutes, please.

5:10 p.m.

Brampton North, Lib.

Ruby Sahota

Thank you for both of your presentations. They were very insightful.

Recently the Diplomat & International Canada magazine published a survey in which sources said they were concerned about their online privacy. Their top concern was cybercriminals; the second was Internet companies themselves attacking their privacy.

Do you think that companies, especially social media companies and any that you probably have as clients, could be doing more, not only to ensure that their users' data is protected but also to ensure that users have a sense of protection? From your presentation, it seems like things are very grim. With all of the technology we're using, everything is in the cloud now. It seems like it's more unsafe than ever.

Where do we go from here? I know you've proposed a couple of solutions. In terms of innovation and investment by the government, you talked about exchanging information between the private sector and the government. How do you think a government can spur innovation?

You mentioned regulations as well. How do you think they can regulate it? Is there something we can do? Is there a jurisdiction that's doing it better than us at this point? What lessons should we learn from them?

5:10 p.m.

Director, Enterprise Security, Darktrace

David Masson

Those are a lot of questions.

On the social media bit, can I ask the professor to step in first? I think his take will be slightly more interesting than mine.

5:10 p.m.

Prof. Andrew Clement

Well, I don't know about that, but yes, there has been a great deal of press recently about the role that social media companies play, particularly Google and Facebook, because of their business model, which requires the monetization of personal information and the communications between individuals.

I would say that they in particular need to be subject to much greater regulation and we need to understand much better what they are doing. This is a moment, particularly in the case of Facebook, when this can be pressed because we are learning almost daily about the behind-the-scenes work they have been doing of resisting oversight, and also of how they are trying to monetize this. That would be one place to start, with the largest of those.

5:10 p.m.

Brampton North, Lib.

Ruby Sahota

Is any jurisdiction ahead of us in regulating these companies?

5:10 p.m.

Prof. Andrew Clement

Well, certainly Europe is, with their recent GDPR, the General Data Protection Regulation, which I believe you've heard about and that imposes stiff penalties. They have fined some of these companies for various offences. I would look to Europe as not necessarily being ideal, but they are doing a much better job in grappling with this than Canada or the United States.

5:10 p.m.

Brampton North, Lib.

Ruby Sahota

They are definitely imposing major fines. Do you have any data on the effectiveness of creating regulations that impose fines? Has there been an increase in the number of companies stepping up and increasing their security when it comes to—

5:10 p.m.

Director, Enterprise Security, Darktrace

David Masson

I will give you a quick example of GDPR working. When Facebook got hacked last year, they told the Irish data commissioner within 24 hours that they had been hacked, and the provision under the GDPR is 72 hours. They didn't hang about. They admitted it pretty damn quick. So there you go: That's an effective piece of legislation, I would suggest.

5:10 p.m.

Brampton North, Lib.

Ruby Sahota

Yes.

Did you want to say something?

5:10 p.m.

Prof. Andrew Clement

Oh, I would just say that these are still early days for the GDPR. It only came into effect in May last year. It certainly got people's attention. I don't think there has been time to study its effectiveness, but I would say that the signs are good that it is beginning to grapple with the issues. Canada faces the challenge of determining whether its own privacy legislation, PIPEDA, will be considered substantially equivalent to the GDPR. Hopefully, PIPEDA will be strengthened so that an equivalency determination can be maintained.

5:15 p.m.

Director, Enterprise Security, Darktrace

David Masson

I go to a lot of conferences and trade shows, and for the last couple of years everybody has been talking about the GDPR. As a new immigrant to Canada, I was a bit upset that nobody seemed to be concerned about the Digital Privacy Act and the upgrade to PIPEDA that we were going to do. People were more worried about the effect of GDPR than our own legislation. They are probably right to have been worried because the GDPR is more draconian than ours, I believe.

In ours, you don't have to report by a specific time other than “as soon as possible, please”. There was talk of fines of up to $100,000, but I haven't actually seen it saying what you have to pay. At the end of the day, it's about breaches of personal information; it's not about breaches in general, whereas GDPR, I think, covers both of them.

5:15 p.m.

Brampton North, Lib.

Ruby Sahota

Okay, thank you.

Do I have another minute?

5:15 p.m.

Liberal

The Chair Liberal John McKay

You have a little more than a minute.

5:15 p.m.

Brampton North, Lib.

Ruby Sahota

Okay, perfect.

A lot of this work comes down to money and how much the government has to spend on making investments in the right place. We definitely put a lot of money towards cybersecurity in our last budget, over $500 million, so it's definitely a step in the right direction the government is taking.

Where would you like to see the funds spent, and if there is more funding needed, where should that funding go?

5:15 p.m.

Director, Enterprise Security, Darktrace

David Masson

I think one of the best steps in the right direction was absolutely setting up the Canadian Centre for Cyber Security as a one-stop shop, because prior to that, there was a bit of confusion about whom to talk to. I mean, if anybody gets hacked, whom do you call? Nobody is really sure about that. That's not a great place to be.

They probably want to put some more money into considering some more regulation. History shows that large conglomerations never do anything until they are forced to, but I've shown you that Facebook certainly jumped to it with GDPR when they got hacked, so you probably want to look into that. In addition, you probably want to look into some more legislation to stop foreign influence in elections, looking at fake news and foreign influence activity. That's actually in there. You probably want to do a bit more on that front.

5:15 p.m.

Liberal

The Chair Liberal John McKay

We'll have to leave it there, unfortunately. Ms. Sahota's time is up.

Mr. Paul-Hus, you have the floor for seven minutes.

5:15 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you, Mr. Chair.

My colleague's question is in keeping with my approach to this matter.

You mentioned that Canadians always say “please”. I think that we Canadians are very naive when it comes to cybersecurity. We always think it is someone else's problem, or we don't dare act.

Mr. Masson, regarding Canada's general stance on cybersecurity, without mentioning artificial intelligence and future issues, do you think we are seriously behind with regard to protection?

Our current study is about banks and the financial system. On a scale of one to ten, how would you rate the vulnerability of our banking system?

5:15 p.m.

Director, Enterprise Security, Darktrace

David Masson

I'll go first, Professor, but I'll be very quick.

A lot of effort in Canada goes into what we'll do after it happens. We'll wait until it happens and then we'll deal with it. A lot of effort goes into dealing with it afterwards. I really would like to see Canada put more effort into not having the hack in the first place, into making sure it doesn't happen, or into doing our best to make sure it doesn't happen. A lot more effort could be done that way.

In terms of the banking system, outside of government there's not a lot of information about the scale of the threat we face in Canada. Inside government, where I used to be, there's a lot. I'm sure you've heard talk about the millions of hacks at the government, but outside of government we don't really know. With the DPA coming out last week, with the provisions for reporting breaches of privacy through cyber-activity to the Office of the Privacy Commissioner, we probably have a chance now to get a better evaluation of what the scale of the threat is outside of government. I'm not entirely sure if the Office of the Privacy Commissioner is the right place for that, to do evaluations, but that's where it will be that they will gain that information.

To give you a scale of one to 10 on the banks, who pretty much keep to themselves—albeit I'm sure they're very open with the Bank of Canada—I'd be swimming it to come up with an assessment for the banks, to be honest with you. I'm going to say that they're probably better than most western liberal democracies that we live in. The fact is that Canada has a history of fairly good regulation of the financial system, which is why Canada didn't suffer the way everybody else did in 2008. They were still buffeted by it afterwards, but they came out reasonably okay. So I would go for about a seven or an eight. There you go.

5:20 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I'd like to go back to the matter of attitude. As you confirmed, it's important today to understand the Canadian attitude to the problem. Do you think it is important to put out the message that we have to have a firm attitude?

You worked for another government in the past and you now work in the private sector. I know that people who worked for the government and are now in the private sector have a very different view of the issues. People who came to meet with us from HackerOne, for instance, or other enterprises, have a clear vision of things.

From a governmental perspective, there are always obstacles, and people only talk about investment. It is true that investment is important, but should our attitude to the problem be very different, starting now?

5:20 p.m.

Director, Enterprise Security, Darktrace

David Masson

Yes; I will say yes. I mean, you need a carrot and a stick, but you probably do need a bigger stick. The DPA is saying that you have to report breaches as soon as possible. Really? Why not go for the 72 hours like everybody else? Yes, definitely you could beef up the stick part; absolutely.

For a carrot in terms of investment, replying to something that Ms. Sahota said earlier, it would certainly be directing your investment into those parts of the Canadian private sector, but probably more academia, that are doing some really innovative work right now in combatting this problem and allowing the private sector, who, as I said before, can pivot quite quickly, to fail forward and fail fast. We do that all the time. We're not bothered about it; you know, failure's success. Put that investment in those companies who are prepared to do that to try to get to where we need to be as quickly as possible.

The professor might have a comment on that.

5:20 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I have another question for him, if I may.

Mr. Clement, you wrote an article entitled “Addressing mass state surveillance through transparency and network sovereignty, within a framework of international human rights law—a Canadian perspective”, which was published in a special issue of the Chinese Journal of Journalism and Communication Studies. I'd like to know how that article was received in China.