Evidence of meeting #152 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A video is available from Parliament.

Also speaking

Charles Docherty  Assistant General Counsel, Canadian Bankers Association
Trevin Stratton  Chief Economist, Canadian Chamber of Commerce
Scott Smith  Senior Director, Intellectual Property and Innovation Policy, Canadian Chamber of Commerce
Andrew Ross  Director, Payments and Cybersecurity, Canadian Bankers Association
Ruby Sahota  Brampton North, Lib.
Andrew Clement  Professor Emeritus, Faculty of Information, University of Toronto, As an Individual
David Masson  Director, Enterprise Security, Darktrace

5:35 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

I like to question the witnesses.

5:35 p.m.

Liberal

The Chair Liberal John McKay

Yes, high compression. David was compressing you.

Mr. Motz, a lower compression rate, for sure, thankfully.

5:35 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Dr. Clement, you wanted to speak on a number of occasions there and didn't get an opportunity. I want to give you an opportunity to interrupt David and say what you want to say.

5:35 p.m.

Prof. Andrew Clement

Partly, I might have given expressions of interest because I was supporting some of the statements that Mr. Masson was making. I guess the one comment that I wanted to get in had to do with the question of investments. I guess the question was whether the Canadian government was well-enough prepared to deal with these cyber-threats.

My view is that a big part of the problem we encounter now has been the way in which the development of the Internet and services on it have been driven almost entirely by the business interests of entrepreneurs. Obviously, in many cases, they're doing wonderful things, but governments have explicitly had a hands-off approach, and I think we are reaping some of the costs of that. Part of that is that now I would say that public institutions have lost an image of what a publicly oriented infrastructure would even look like. That, I think, is a deep, structural problem that needs a lot of education and talk. That, I think, would have protected us quite a bit.

Go a bit slower, but do things more carefully and more transparently so that they can be held more accountable. The urgency of more innovation, pile-on innovation, very often deepens the problem, because we're fixing problems that we should have thought about more carefully.

5:40 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

That's a great segue to a comment that both of you alluded to just a few minutes ago, which was the interrogation of the supply chain. How do we go about that? How do we best ensure that the supply chain we talk about is secure and safe? How is that best accomplished? Is it accomplished as you suggest, Dr. Clement, through government intervention, or is it best accomplished in some other way?

I ask both of you the question.

5:40 p.m.

Director, Enterprise Security, Darktrace

David Masson

I'll let the professor go first.

5:40 p.m.

Prof. Andrew Clement

Go ahead.

5:40 p.m.

Director, Enterprise Security, Darktrace

David Masson

Okay.

What I would suggest you do is to accept that threats are going to get inside. In fact, accept that a threat has already arrived. Maybe it arrived through your supply chain, through your third party vendors and all that kind of thing. Expect that it's going to happen and start coming up with some systems that expect this to happen but can find it without having to know what it is and without having to know what the bad stuff is.

There are a lot of stringent regulations right now. I think CSE publishes a lot of stuff about what you have to abide by when you get a government contract, but at the end of the day, if somebody got at the chip in the factory, as one of the MPs mentioned earlier, the only way you're going to find out about it is once you've plugged the chip in and have seen what has happened.

5:40 p.m.

Prof. Andrew Clement

This gets into oversight mechanisms. While there are some, I would say that they are lagging behind in the development of these complex systems. I would be particularly careful when you develop highly tightly coupled systems, so that when something goes wrong, the damage can spread quickly. Allow for some buffers in there. That's not the nature of competitive supply chains, because speed is primary, but if we take a longer strategic view, then we need to slow down a bit and pay closer attention.

5:40 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

I have one last question for both of you.

We know that in this country and across the globe there are higher rates and a higher incidence of cyber-intrusion. The theft of data and the theft of finances seem almost inevitable. I think the Canadian public almost seems immune—it's going to happen anyway—unless or until it happens to them, and then it's a big problem.

I hate to be a doomsdayer, but should we be preparing for this to be a common occurrence, in that if you're hooked up to the Internet, you're going to get hacked and you're going to get stuff stolen, so get used to it? Or are we saying that there's hope on the way?

5:40 p.m.

Liberal

The Chair Liberal John McKay

Very briefly, please.

5:40 p.m.

Director, Enterprise Security, Darktrace

David Masson

Can I go first? I'll just say that if you use AI, there's hope. All right? If you use AI, you can get ahead of the attackers and put the advantage back in the hands of the defender.

Professor.

5:40 p.m.

Prof. Andrew Clement

Yes, I would say that we don't accept that kind of approach in other areas of our vital infrastructure. As in the development of other infrastructure, we need to look much more closely and carefully at what's being put in place and have it meet public interest requirements, so that we're not just loading things onto the public and expecting them to suck it up, which is basically what's happening now.

5:45 p.m.

Liberal

The Chair Liberal John McKay

Thank you very much, Mr. Motz.

Mr. Picard, please, for five minutes.

5:45 p.m.

Liberal

Michel Picard Liberal Montarville, QC

As a government, if I ask what are the steps I should look for in terms of building my cybersecurity, it's as if I'm assuming that I don't have a system in place. I think it's fair to say that my system should be fair to good somewhere, because I do have agencies that work with me. I have protection. I have systems. I have tools. I'll just twist my question. What are the steps that I should make sure I have covered and on which I can build something strong and improve on that? What are the main parentheses?

The Bankers Association said that the best solution for good cybersecurity was awareness. If I base my cybersecurity on publicity, I'm in trouble, I think. I need more than just publicity and awareness. What are the main topics that I should address in order to make sure that I have at least the basis for a good cybersecurity system?

5:45 p.m.

Director, Enterprise Security, Darktrace

David Masson

I'll let you go first, Professor.

5:45 p.m.

Prof. Andrew Clement

An important point in that, I think, is independent expert review that's independent of the organization and that has the capacity to actually examine what has been proposed and the possible threats and to advise on that. That's the one general thing you can say. Otherwise, you have to get more specific about what kinds of systems you're talking about.

5:45 p.m.

Director, Enterprise Security, Darktrace

David Masson

In terms of looking at the future, I've spoken a lot about bad actors using AI, so let's move on. I would be advising the government to really focus big-time on critical national infrastructure attacks, absolutely, and particularly attacks on what are known as OT systems. Most of what we've talked about there was IT systems. I'm talking about OT systems, the things that run the robots in a car factory and that kind of thing. There should be a big major focus on that, absolutely, particularly on those systems inside critical national infrastructure.

5:45 p.m.

Liberal

Michel Picard Liberal Montarville, QC

A very old question that I ask quite often—and I asked the same question in the ethics committee where we talked about something similar—refers to one risk that I will never be able to control, namely the human risk. What do you suggest by way of solutions to reduce or just minimize the risk of human resources? I can't eliminate it.

5:45 p.m.

Prof. Andrew Clement

Well, yes, you can never eliminate risks. You can mitigate and minimize them. For human resources, it's a general precept that when you hire, when you train, when you manage people, they be given respect and be signed up for the mission of the organization.

It's only through people acting carefully, with attention to the wider picture, that they are going to serve the interests of that organization. It's a basic question about any kind of organization.

5:45 p.m.

Director, Enterprise Security, Darktrace

David Masson

Yes, people always say that humans are the weakest link, but sometimes I feel as though that's a derogation of responsibility by larger organizations. They just blame it on the people all the time.

Absolutely, more education and awareness is needed, but also the development of a proper security culture inside organizations, not just the people down below. Everybody must have this kind of security culture and make sure it's delivered in a sincere manner. It's not a case of people barking commands at you, but a genuine prevalence and leadership by people who are trying to promote a security culture.

5:45 p.m.

Liberal

Michel Picard Liberal Montarville, QC

When the Chamber of Commerce commented on small businesses, they said that some of them perceive themselves as too small to be hacked. I think it's a case of their being too small to have a budget to be secure. These are companies that do deal with the Internet, web services and the virtual world.

As an individual, someone who hacks my phone can anticipate whether I'm home or not, because I can control my heating system from my phone. When they see that I am not on the scheduled heating system, it's because I am not there and I keep my temperature low, so my phone is not safe.

Apparently, my fridge is not safe, because it can talk to me. Everything with a chip in it can talk to me, so as a person, the presentation we heard scared the hell out of everyone. Sorry, I almost said it.

Is it too late for me?

5:50 p.m.

Liberal

The Chair Liberal John McKay

It probably is. You're past your five minutes.

We're going to have to leave Mr. Picard in a state of anxiety.

We have about five minutes left and a number of questions. Mr. Motz has very generously decided to split his time with me.

When you made your presentation, Mr. Masson, you were very concerned about the data, the network, the transmission staying in Canada. You essentially adopted Professor Clement's recommendation.

The Bankers Association, however, seemed to be a bit more relaxed about it and their argument was, “Well, we still have jurisdiction over the data.”

What would your response be to the Bankers Association? It felt perfectly comfortable with the current situation, which may mean that the data goes from Toronto to Chicago to New York, and back to Toronto to be stored, or stays in New York to be stored, or wherever. What would your response be?

5:50 p.m.

Prof. Andrew Clement

I think I heard that exchange at the end of their session. They said they relied on the contractual arrangements with the outsourcing party that they could insist on, and that they would then take full responsibility for making good to individual consumers. I'm not questioning the ability of the banking companies to fulfill that in narrow and specific cases, but if there's a major problem, what are they going to do when their data is outside the country? Are they going to be able to sue the outsourcer? They're going to have to go to another jurisdiction. I don't think contractual arrangements are adequate. As they mentioned or alluded to, these arrangements don't deal with the laws of the country that the data is in. Those laws apply, and any outsourcer is going to have to comply with them, even if it means breaking their contract—or they're going to be in a dilemma there.

I was much less reassured by their confidence that they could just outsource to other countries and rely on the contracts. I think they'd be much better off if they could bring that service within Canadian jurisdiction and Canadian territory. I don't see any major reason why they can't, at least in the long term, hit that goal—have their cake and eat it too, so to speak.

5:50 p.m.

Liberal

The Chair Liberal John McKay

The final question has to do with the maps that you very kindly provided to us. They reminded me of a trip I took on a Canadian frigate this summer. We went from Iqaluit down Frobisher Bay and to Greenland. In Greenland we met with the Danish general in charge of NATO and, of course, there was some commentary on Russian intrusions into NATO territories, etc. Apparently the Russians have an immense fascination with scientific investigation of the cables that connect Europe and North America. That seems to speak to your concern, Professor Clement, that one of the ways all of these networks could easily be hacked is by attaching devices in some manner or another to those cables.

You graphically demonstrated the vulnerability of all of our data.