I thank the committee for this opportunity to contribute to your important deliberations on cybersecurity in the financial sector as a national economic security issue.
l'm pleased to respond to your invitation requesting insights into the context of critical infrastructure, internet routing, routing of data and communications technologies.
ln previous hearings you've heard many valuable points, notably that Internet infrastructure is critical infrastructure not just for the financial sector but for the Canadian economy more generally; that this infrastructure is changing quickly in ways that are risky and not generally transparent or well understood; that threats to security of this infrastructure are multi-faceted, complex and growing.
ln addressing these risks, I particularly endorse Professor Leuprecht's earlier recommendation:
that Canada should pursue a sovereign data localization strategy, reinforced by legislative and tax incentives to require critical data to be retained only in Canadian jurisdictions; set clear standards and expectations for the resilience of Canadian communication infrastructure; monitor that resilience; and impose penalties on critical communication infrastructure players who fail to adhere to standards or fail to make adjustments without which they would be left vulnerable.
I will elaborate on this recommendation made in the context of 5G networks, but will apply it to reducing the threats posed by excessive volumes of Canadians' domestic data communications, including financial data, flowing outside of Canada even when headed for Canadian destinations. These flows add a host of unnecessary cybersecurity risks while undermining Canadian economic security more generally.
To be sovereign economically and politically a nation must exercise effective control over its Internet infrastructure, ensuring that critical components remain within its territory, under its legal jurisdiction and operated in the public interest. Most obviously, this refers to locating databases. Less obviously, though no less critical, are the routes data takes between databases, users and processing centres. This latter area of vital concern is much less well understood and the one to which I direct my comments.
I'm Andrew Clement, a professor emeritus in the Faculty of Information at the University of Toronto. Beginning in the 1960s, l was trained as a computer scientist, so l've seen a lot of remarkable changes, good and bad, in the digital infrastructure that is now an essential part of our daily lives. Much of my academic life has focused on trying to understand the societal and policy implications of computerization. I co-founded the cross-disciplinary ldentity, Privacy and Security lnstitute to address in a practical, holistic, manner some of the thorniest issues raised by the digitization of everyday life. Currently l'm a member of the digital strategy advisory panel advising Waterfront Toronto on its smart city project with Sidewalk Labs.
One of my main research pursuits has been to map Internet communication routes to reveal where data travels and the risks it faces along the way. My research team developed a tool, called IXmaps, short for Internet Exchange mapping, that enables internet users to view the routes their data follows when accessing websites.
Early in our research we generated a trace route, found on the first image, called Boomerang, which shows the data path between my office at the University of Toronto and the website of the Ontario student assistance program that is hosted in the provincial government complex a short walk away.
This route surprised us, especially since the route to and from the U.S. went through the same building in Toronto, Canada's largest Internet exchange, at 151 Front Street. At the very least it challenged presumptions of maximal efficiency of Internet routing, prompting our further investigations into how widespread this phenomenon was as well as into the reasons for this counterintuitive behaviour. We dubbed this type of path—data leaving Canada before returning—“boomerang” routing. It turns out to be quite common. We estimate at least 25% of Canadian domestic traffic boomerangs to the U.S. The Canadian Internet Registration Authority, CIRA, recently put the figure much higher.
There are several problems related to Internet routing that are relevant to this committee.
The longer route adds risk from physical threats, even as banal as a backhoe cutting through the fibre optic cable. The extra distance adds both expense and latency, undermining economic efficiency and opportunity.
Data passing through major switching centres faces bulk interception by the United States National Security Agency, the NSA. Even before the Snowden revelations, we knew that New York and Chicago were prime sites for NSA surveillance operations. It not only poses risks for Canadians' personal privacy, but also for financial and other critical institutions. At your latest meeting, Dr. Parsons pointed you to a Globe and Mail report that the NSA was monitoring the Royal Bank of Canada and Rogers' private networks, to mention only those beginning with the letter R. The article suggested that the NSA's activities could be a preliminary investigative step in broader efforts to “'exploit' organizations' internal communication networks”.
Boomerang poses a further, more general threat to national sovereignty. If one country depends on another for its critical cyber-infrastructure, as Canada does with the U.S., it makes itself vulnerable in multiple respects—and not just from their spy agencies or to shifts in the political relationship, as we're seeing now. Will even the best ally keep the interests of its friends in the fore, when its own critical infrastructure is threatened? If the U.S. experiences a cyber-attack, might it not feel compelled to shut down its external connections, leaving Canada high and dry? Previously, you've heard that some see Canada as a softer target than the U.S. and, hence, potentially, as an entry route into the U.S. At some point, might the U.S. see Canada as a source of threat and disconnect us?
So far I've focused on the risks from routing Canadian domestic traffic through the U.S. A similar argument applies to Canada's communications with third countries, but even more so. Our mapping data suggests that approximately 80% of Canadian internet communications with countries other than the U.S. pass physically through the U.S. This is related to the relative lack of transoceanic fibre cabling that lands on Canadian shores, as shown clearly in the maps produced by the authoritative TeleGeography mapping service. You can see the slides, I hope.
Only three transatlantic fibre cables land on our eastern coast, compared with much greater capacity south of the border. Most of our traffic with Europe goes via the U.S. Remarkably, on our west coast there are no trans-Pacific cables, so all traffic with Asia transits the U.S. One way of assessing how well banks can withstand severer financial downturns is subjecting them to stress tests. What would a stress test of Canada's cyber-infrastructure reveal? If, for whatever reason, our connection with the U.S. was cut, even in its own legitimate self-defence, how resilient would Canada's Internet prove to be? We should know the answer, but we don't. However, the evidence available suggests very poorly.
What should we do about this? Broadly speaking, the appropriate policy response, as mentioned, is to pursue a strategy of “sovereign data localization” that includes data routing. More concretely, this would involve a coordinated set of technical, regulatory and legislative measures designed to achieve greater resilience.
First, we should require that all sensitive and critical Canadian domestic data be stored, routed and processed within Canada. Second, we should support the development and use of Canada's Internet exchange points for direct inter-network data exchange to avoid U.S. routing. CIRA has lead the way on this. Third, we should increase fibreoptic capacity as needed within Canada, as well as between Canada and other continents. Fourth, we should include transparency and accountability reporting requirements in cybersecurity standards for financial institutions and telecom providers, in relation to routing practices. Fifth, we should establish a Canadian cyber-infrastructure observatory, with responsibility for monitoring Canadian cyber-infrastructure performance and resilience, responding to research requests and reporting publicly.
Thank you for your attention and I look forward to your questions.