Public Safety Committee on April 1st, 2019

I think, fortunately, Canada does lead the way in cybersecurity technology development. I just mentioned Ethoca. We also acquired a company called NuData, which powers a lot of the security control features that we enable within mobile devices. I think there's an opportunity to continue that effort to develop new cybersecurity solutions that can help the marketplace, the fintech environment. I think that is a strong place to come from. You are also, just being at the centre, very open to working more collaboratively with the private sector, so there's the ability to share intelligence information.

There are things that we have an opportunity to see globally that may be of interest to your teams, and hearing from your teams about new threats that are out there gives us an ability to more proactively stop things from happening. That's a big interest for me.

We have to defend against all comers, individuals all the way through nation-states. We think about all potential threat actors that there may be, and we implement layered defences in order to overcome delay, and prevent such attacks from being successful. However, if such actors were successful, we would depend very much on our government partners to help us with the mitigation of the effect, but then also, depending on what the attack may be, take other actions. I only defend—that's my lot in life—but if something else needed to happen, it would have to be with one of our government partners.

I frankly think that the establishment of the Canadian Centre for Cyber Security is a fundamental improvement in the Government of Canada's position in respect of cybersecurity and in bringing all the partners together.

You properly identified industry, the academy and government having to work together.

I mentioned Israel in my opening comments. What's interesting to me about that ecosystem is how closely those three pillars of civil society, if you like, work together on the cybersecurity problem. I think that the Canadian Centre for Cyber Security acting as a convenor in bringing all those parties together is very important. In terms of advice, I think that the government's and the administration's opportunity to counsel all parties to work closely together is very important, and that it should be made a repeating theme, in terms of your discussions about cybersecurity, that everybody needs to work together.

I wouldn't say naive. I think we're a little bit more numb to cybersecurity events than other cultures. I think we're a little bit quicker to let it go. That would be my comment.

I think about when we adopted things like the automobile into the environment. There was a period of time where no one understood, no one knew what it was, and we're all lucky to be alive because none of us had car seats or anything like that. If you look at cars today versus cars a long time ago, you will see lots of maturity, lots of improvement. We're in that same kind of cycle. We're not naive. It's just that we're still innocent about these things. We have to pick this up.

A lot depends on the particular incident, with respect to who's more responsible for the issue that occurs. First and foremost, an attacker is always the first person. They are the ones who did the wrong thing, but within the four-party model, there's an issuing bank, an acquiring bank, and then you have the merchant and the cardholder.

The cardholder reaches out and works with the merchant, and I would say a lot of times we encounter issues with the merchant because there's some sort of security issue, there's something wrong there. Maybe information is captured or stolen from this point.

We're doing a lot to remove the value of any information that the merchant may have with tokenization. If you use your Apple Pay, there's not a PIN, there's not a 16-digit number that you're most comfortable with. We provide a token that can only be used a certain way. You can't steal it and then make it usable on another device or a computer. There's a token that's on your Apple Pay. We power the token that's in Apple Pay. We're taking that tokenization—

The 16 digits that make up your card are what we call a PAN. It's a certain number that you're most common to use—you know it and you see it because it's on your plastic card. A token is something we create. It actually works throughout systems, but we can create them and throw them away, then reuse them.... It's not as fixed as just that 16-digit number.

So when we create a token, like in the case of a merchant where...we replace PANs and we work with them to place tokens. If they are breached and the tokens are stolen, it doesn't matter. We'll just make new tokens. We will take away the value of the PAN—the credit card number—and replace it with a token, so we can just create more tokens.

It's not all about data collection. It's about having the right data at the right times.

I don't want to make this too difficult, but in the future, identity stores will be less important than the ability to get the identity information when you need it.

When you want to make a transaction, we can connect to the identity stores to pull in the information to identify you, Matthew, when you need to make that transaction. Then when you're done, it all goes away. There's no need to store it. We just want to reach out and make sure the information is there when you need it.

Yes, it's in a computer somewhere.

It can be transitional, so it's there for a period of time. It's not there for always. It's there when you need to do the thing that you're trying to do, and then when it's no longer needed, it's gone.

The information that we transact is a PAN—the 16-digit number—and the date, time and the amounts. We don't hold cardholder information. Your issuing bank does.

We see just that the 16-digit number did a thing. The merchant asks, “Can the 16-digit number pay for it?” We ask the issuer. We don't actually know the cardholder, but the issuer knows the cardholder. The issuer says, “Yes. That 16-digit number that belongs to Matthew can pay for that”, and then we pass that information back to say, “Yes, they can pay for it”. Then a charge goes back.

It's all information that passes from one side to the other. Depending on what you're asking for....