Evidence of meeting #152 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A video is available from Parliament.
Prof. Andrew Clement
Being able to keep a code open so it can be checked is an important means for ensuring confidence and security.
Liberal
David Graham Liberal Laurentides—Labelle, QC
We've heard a lot of security concerns about Huawei devices and a lot of discussion about whether we should ban Huawei in Canada. Is the issue with Huawei that their hardware may have Chinese back doors, as opposed to back doors endorsed by Five Eyes agencies, for example. Where is the source of the issue and is there such a thing as an uncompromised or uncompromisable system?
Prof. Andrew Clement
I don't think there are uncompromisable systems, and I would caution that in some ways Huawei is mirroring what's happened to the undermining of security in western-developed technologies.
Liberal
David Graham Liberal Laurentides—Labelle, QC
There has been a lot of talk over the years about software and having back doors. Once a back door is in place, is there any way to ensure that only the organization that asked for it to be there can use it, or once the back door is there, can anybody get to it?
Prof. Andrew Clement
I wouldn't say anybody could get to it, but once you've created a back door, you've opened the possibility that people you don't know and don't want can access it.
Liberal
David Graham Liberal Laurentides—Labelle, QC
Right. Do we know how much of our Internet infrastructure is compromised at the manufacturing point? A couple of months ago there was a story about a motherboard found to have an extra chip inserted on it at the factory. I don't remember who it was, but you've probably run across this.
Prof. Andrew Clement
I don't know of any estimates. I think it would be extremely hard to find, and we are discovering things that were buried in code ages ago. It's a very difficult thing. We need much more transparency and ability to interrogate code and devices.
Liberal
David Graham Liberal Laurentides—Labelle, QC
That makes sense.
Professor Clement, in your opening comments, you talked about our ability to move data within the country versus outside the country. Do we have the network capacity to move all our data within Canada today, or is expanding our Internet infrastructure a question of national security?
Prof. Andrew Clement
I don't have a measure on the actual capacity versus what we need, but my guess is that we have unused capacity that would be available and that we would need to assess our internal domestic requirements and then make the decision about investing in capacity. The investment will be very small compared with the kinds of investments we've made previously in other network infrastructure, starting with the railway.
Liberal
David Graham Liberal Laurentides—Labelle, QC
Fair enough.
Are either of you familiar with Quintillion and their project in the Arctic?
Liberal
David Graham Liberal Laurentides—Labelle, QC
I'll come back to this at a later date.
Do you have any servers in Canada, because all of the traffic at base essentially starts with a DNS request? Do you have any servers besides .ca in Canada?
Liberal
David Graham Liberal Laurentides—Labelle, QC
All traffic at some point has to at least communicate with outside of the country to at least express the initial intention of who wants to talk to whom. That metadata is available to whoever has the route service, which is mostly in the U.S.
Director, Enterprise Security, Darktrace
If the server is not here, somebody else has access to it. Remember that when it comes to the cloud. It's not a cloud; it's a server somewhere.
Liberal
David Graham Liberal Laurentides—Labelle, QC
Oh, that's right. It's not a cloud; it's somebody else's computer.
Are we sure that AI base attacks are not already running?
Director, Enterprise Security, Darktrace
We thought we saw an algorithm fight an algorithm in 2015, and we've seen hints of it since, but we haven't actually seen a full on AI attack yet. That's we, the company. I can't speak for anybody else.
Liberal
David Graham Liberal Laurentides—Labelle, QC
So it's clearly in development. The black hatting of AI base attack is definitely in development.
In the study we've talked an awful lot about privacy but a whole lot less, I find, about security. I want to know, in the root causes of cyber-mobility—I know I don't have much time left—what's the role of default passwords and default back doors? I talked about back doors earlier. There's a huge amount of hardware out there that has “admin” as the login, “admin” as the password to log into it, and you can do anything you want with it. How big a problem is that side of things?
Director, Enterprise Security, Darktrace
It's a major problem. It's one of the things I talk about all the time. I say, if you buy an Internet of things device, for God's sake, change the default password as soon as you get it in the house, if you can change the default password.
Liberal
The Chair Liberal John McKay
No more.
David, you've got in about three committee meetings' worth of questions in seven minutes.