Evidence of meeting #154 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Ron Green  Executive Vice-President and Chief Security Officer, Mastercard Canada
Thomas Davies  National Financial Services Cyber Leader, EY
Charles Finlay  Executive Director, Cybersecure Catalyst
Robert Gordon  Executive Director, Canadian Cyber Threat Exchange
Ruby Sahota  Brampton North, Lib.
Earl Dreeshen  Red Deer—Mountain View, CPC

4:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Our bank data is old. Wouldn't financial institutions—rather than trying to build, as you called it, a ring fence or protection around that—transfer that to software, to mechanisms, that could now secure it better, as opposed to just trying to protect it in the medium that it's in?

4:50 p.m.

National Financial Services Cyber Leader, EY

Thomas Davies

Yes. They would love to simplify that environment. It is challenging based on some of the old systems that are still required for the branch network and for other systems throughout their global network. It's certainly on their radar, but incredibly challenging and incredibly resource expensive.

4:50 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Ms. Sahota, you have four minutes, please.

4:50 p.m.

Ruby Sahota Brampton North, Lib.

Thank you, Mr. Chair.

On this committee, we've been hearing quite a lot about the collaboration that's needed among the government, private and academic sectors.

Mr. Finlay, you spoke about your visit to Israel and the need for us to gear up and be able to provide the type of training they do. Can you explain a little more about Cybersecure Catalyst, how it compares to some of the training that's provided in Israel, and what the similarities and differences are?

4:50 p.m.

Executive Director, Cybersecure Catalyst

Charles Finlay

There are a number of different things that are interesting about how the Israeli cybersecurity ecosystem trains its people. It obviously has a unique national service characteristic, with military service in Israel that is different from the Canadian context.

One of the interesting and powerful things that they do is start young—K to 12. We think that is a very powerful way to get at the root of the cybersecurity labour market issue, by making young people very interested in cybersecurity and engaging them in cybersecurity careers. Ryerson, in partnership with Royal Bank of Canada and Carnegie Mellon, one of the leading universities in the United States in cybersecurity, ran a hack-a-thon called CanHack in 2018. It's an online game where high school students engage in monitored, supervised, safe cybersecurity tasks. Our projection was doubled in terms of the number of students who engaged in that program.

We think the opportunity there is extraordinary. That's piece number one, in terms of young people. Piece number two is engaging demographic groups that are under-represented in cyber and workers who are being displaced from legacy sectors. There's an opportunity to introduce workers who are being displaced from some sectors that are losing personnel, to train them up so that they can enter the cybersecurity sector at an entry level. We think that's a very exciting proposition.

Those are two things we hope to do and those are analogous to things we have seen being done in other countries, including Israel.

4:55 p.m.

Brampton North, Lib.

Ruby Sahota

You spoke about meeting some Canadian companies while you were there that have either temporarily or permanently shifted over in order to receive these types of services, training, for their personnel. What companies or what types of companies are you referring to and do you envision these companies coming back and perhaps setting up near Cybersecure Catalyst?

4:55 p.m.

Executive Director, Cybersecure Catalyst

Charles Finlay

Yes, we do. At Beersheba there are the major Canadian financial institutions. The major Canadian banks have offices there, and they are there because the skilled people are there. We believe we can create an ecosystem where we're training people. Industry is there to acquire that talent, companies are scaling up through the accelerator program, and university-based researchers are also working with entrepreneurs and with the trainees and the industry. What we saw in Israel exists in other countries too. But what's particularly conspicuous there is they have this alignment among industry, academia and government, and we believe that pulling those pieces together at Cybersecure Catalyst will create that ecosystem.

4:55 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Mr. Dreeshen, welcome to the committee. You have four minutes, please.

4:55 p.m.

Earl Dreeshen Red Deer—Mountain View, CPC

Thank you very much, Mr. Chair.

Thank you to the witnesses.

Just a couple of things I've been thinking about as I've been listening to some of the discussions. There are a lot of institutions and businesses that have been attacked, and people have gone after their information or frozen their information. Various universities...there would be ransoms that are set up there. That's important when it comes to how businesses are going to be able to move forward, but also smaller businesses start to fear that.

I'm just wondering what types of investigations are taking place and how successful those investigations are in taking care of that particular problem. A lot of small companies worry about the way they might be attacked and being held ransom.

4:55 p.m.

National Financial Services Cyber Leader, EY

Thomas Davies

Sir, I can take a first stab at it.

There's not a great job done today of disclosing the nature of breaches in the general public. The banking group does share information in order to try to protect each other from getting hit by the same issue, but outside of that, that information is pretty private and can have a material impact on your operations and the reputation of your brand, so it's largely kept internally.

In the U.S., I believe it's the FBI that has a little more detail in terms of business email compromise and other ransomware and other types of events that happen. To collate that data in Canada, to give an idea of people...the themes that we're seeing, we can talk about them here and talk about access management and system hygiene and training and awareness, but to prove it with real data would be helpful.

4:55 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

I think also with the crypto-locking or the ransomware attacks that you're mentioning, a lot of that comes back to some basic hygiene stuff. Knowing to update or patch your systems would certainly relieve a lot of the problems. Having antivirus software would relieve your problems. Being smart about phishing.... The Verizon data breach report says that 93% of the breaches that took place were because of a phishing attack. I can tell you that we take it very seriously at Mastercard. We have a "three strikes and you're out" rule. My phishing stats for February were 0.4 fail rate, and consider that 20% is about standard.

It's helping those smaller businesses understand the basic things that you need to have and, in case it all goes wrong, backing up your stuff so if it is locked up you restore it and then you can overcome your problem.

5 p.m.

Red Deer—Mountain View, CPC

Earl Dreeshen

There's a lot of money that's being made in the fear factor. I think back to Y2K and the way everybody was so concerned about what was going to happen to the computer systems and so on. A lot of people were making money solving a problem—you folks maybe know whether it was serious, but a lot of others thought it was simply a hoax.

Maybe you can comment on that, but I guess my concern, too, is on protection of intellectual property, the concern that people go to all this work trying to develop...and then have other actors, whether they be people, other countries or other companies.... How are you able to determine how best to protect or how people should be trying to protect themselves?

Someone can talk about Y2K if they want.

5 p.m.

Liberal

The Chair Liberal John McKay

If you're going to talk about it, be very brief.

5 p.m.

Executive Director, Canadian Cyber Threat Exchange

Robert Gordon

I'll skip over Y2K, then.

One of the challenges for companies is getting them to actually identify the critical information in their systems that they need to protect. If you don't know what's critical, you can't protect it all, so you start to layer it down on the things that are more important, then you can start to control who gets access to it.

One of the interesting challenges for a lot of companies, particularly when you're talking about ransomware and small companies, is that they traditionally think they haven't any big trade secrets, nothing that somebody wants to steal.

The problem with ransomware is that they don't want to take anything; they just want to deny you access to whatever you have that's of value to you. For a lot of small companies, that's quite a mind shift to get around, because once they get around that, then they can start to realize why they now have to be taking an interest in ransomware, both in terms of the defence of things—there are some things that can be done—and if it happens how they actually recover from it.

5 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Ms. Dabrusin, you have four minutes, please.

5 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

Thanks.

Perhaps I can get some direction from the chair, because I'm also on for the next seven-minute block, so do I have 10 minutes, which I can share with someone?

5 p.m.

Liberal

The Chair Liberal John McKay

My thought was that because of the efficiency of the witnesses we have, that efficiency has actually spilled over into the members. We therefore have about half an hour, so we merged this. My thought was that, after Mr. Dubé does his final three minutes, the chair might exercise a little prerogative and ask a couple of questions, but we would open it up for three-minute rounds to run out the clock.

5 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

Thanks.

I was looking at the Cybersecure Catalyst website earlier, and I saw that there was something on it that said that the annual growth rate in trained cybersecurity professionals labour demand in Canada was 7%.

I was wondering where that figure comes from. Is that something that you've seen as a trend year over year? Do you anticipate in that same range?

5 p.m.

Executive Director, Cybersecure Catalyst

Charles Finlay

Yes, that comes from a report from Deloitte and the Toronto Financial Services Alliance 2018, where they estimated that the growth rate was 7% year over year.

5 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

We've been talking about the need for training and having a skilled labour force for this. What is the kind of training time period you're talking about? If you have high school students who graduate and say “I'm interested in cybersecurity”, how long is it from the time those students graduate and complete all the programs to the point that they're hireable in cybersecurity?

5:05 p.m.

Executive Director, Cybersecure Catalyst

Charles Finlay

It's a terrific question. There are a bunch of different pieces. We are looking at continuing education, so essentially we are working with employers to upskill their existing personnel. The time frames depend on exactly what skill set those employers need. That's a particular issue in cybersecurity because the threats and the technical frameworks are changing all the time. That's in respect of the executive education base.

In the introductory training for under-represented cohorts, we are looking at six months of programming. In our view, a six-month intensive course can take an individual with relatively little technical training to an introductory entry-level position and make them eligible for entry-level internships and secondments into industry. Then there are undergraduate courses in cybersecurity and computer science, which follow the typical undergraduate pieces. An undergraduate cybersecurity course could be three years; an honours course could be four years. Those are the different frameworks. All sorts of continuing education in cybersecurity of different lengths of time are being offered.

5:05 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

I'm just trying to figure out so that if I'm trying to explain to kids when they're graduating from high school, they have an idea of the timelines. They have to think about it. If they're thinking about student loans and everything they're going to be putting aside to get an education, if we're telling them this is a great career, there's a huge demand, it's helpful if we can at least give them a bit of a map of what that looks like. That's what I'm hoping someone on this panel could help me with. If I'm talking to a high school student, what am I giving them on how much time it would take, what are the degrees needed to get into this industry?

5:05 p.m.

Executive Vice-President and Chief Security Officer, Mastercard Canada

Ron Green

From my perspective as a guy who hires folks, I have members of my team who haven't gone to university or college. They had just tremendous interest, and they spent a lot of time in their high school years working on and understanding computers and developing a sense of security. They demonstrate themselves in our interviews and our tests, and we can see they will be a good person to bring onto our team. They'll be strong in the technical sense, but eventually they'll run into a roadblock because they don't have some of the background you'd want for management.

Right now it's hard to find people coming out of college with a cybersecurity degree. I look for someone with a technology degree, and I can train them on security in my security operations centres. I can give them on-the-job training. What is hard and what we look for in a lot of the roles is experience. We're looking for people who have the college degree. They may have a master's in cybersecurity, but then they have field experience, so your military folks, or people who defended large networks. They're few and far between. I've had roles that have taken two years to fill because it's hard to find the person.

5:05 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Mr. Dubé, you have three minutes, please.

5:05 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Chair.

Mr. Green, you'll forgive me for harping on this. I'm just trying to walk through my understanding of it. When we left off, we were clarifying my question.

You talked about the local inability to identify a threat that's not necessarily going to recognize borders. I guess the concern can be flipped as well in terms of that type of information being accessible, say, to national security agencies or law enforcement. The specific example I'm thinking of is the concern that's been raised by the Privacy Commissioner here in Canada. For example, Canadians might now legally purchase marijuana with their credit cards. As it is illegal federally in the United States, if the border patrol were so inclined, that information could potentially see a Canadian being barred from entering the U.S.

If that information is there somewhere, for good or for ill, there's always going to be a risk of it being used. I'm just not clear on the accountability that exists, both in law and otherwise, for information for me as a Canadian dealing with a Canadian bank that might be stored on a server located in the U.S., or anywhere else.