Evidence of meeting #154 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A video is available from Parliament.
5:15 p.m.
Liberal
5:15 p.m.
Liberal
David Graham Liberal Laurentides—Labelle, QC
Mr. Green, just to put Mr. Dubé's questions to bed, PayPal is in the U.S. I think the point of the question is your private networks might be private networks all you want. If they go through the U.S., they are still subject to the USA PATRIOT Act. I think that's the concern at the core.
How do you address that?
5:15 p.m.
Executive Vice-President and Chief Security Officer, Mastercard Canada
I still don't know who you are in my network.
5:15 p.m.
Liberal
David Graham Liberal Laurentides—Labelle, QC
You said you have a 16-digit number. It's not hard to de-index a 16-digit number. If somebody gets their hands on that number to get to know who you are, if they figured out how to get into your system to get that number, they are going to figure out who you are. So I don't buy that argument necessarily. Do you see my point?
5:15 p.m.
Executive Vice-President and Chief Security Officer, Mastercard Canada
You're saying if they have some other way to reverse-engineer the 16-digit number...because it would have to be by legal process. I'm not just open to the U.S. government to come in when they choose to, and look at stuff, and I don't share that way.
5:15 p.m.
Liberal
David Graham Liberal Laurentides—Labelle, QC
But it's in that cardboard box that John likes to talk about through which your VPN runs. I'm assuming it's a virtual network. You talked about your private network. You're not running your own fibre line across the world so those are virtual networks, right?
5:15 p.m.
Liberal
5:15 p.m.
Executive Vice-President and Chief Security Officer, Mastercard Canada
I encrypt, though. I don't just run open.... I have the second biggest HSM footprint next to the Department of Defence so I have a lot of cryptology that happens across my network.
Yes, there's still a private network that may go through a third party, but it's still encrypted for me to all of my end points, and the transactions that cross it are encrypted.
Encryption's not trivial. As to whether a nation-state has some way of breaking through the encryption that I'm not aware of could intercept what it is we're doing, that's possible, but not to my knowledge.
5:15 p.m.
Liberal
David Graham Liberal Laurentides—Labelle, QC
Mr. Gordon, when I got my first route password about 22 years ago, we followed a thing called rootprompt.org. You might remember it. It was a website that did effectively what you're doing now with CCTX, monitoring all the current vulnerabilities and posting them so we as system admins could stay on top of them. Then one day rootprompt.org got rooted, and there was no more rootprompt.org.
What organizations do you not want in CCTX? What are the vulnerabilities you have? How do you address that?
5:20 p.m.
Executive Director, Canadian Cyber Threat Exchange
What organizations do I not want?
5:20 p.m.
Liberal
David Graham Liberal Laurentides—Labelle, QC
Yes, because you said you want lots of organizations to join. What organizations do you not want?
5:20 p.m.
Executive Director, Canadian Cyber Threat Exchange
I want organizations that do two things. I want organizations that are interested in collaborating, so sharing what's going on, and also honouring the agreement we have, and what they are going to use the information for. I want organizations that are going to use the information to defend their networks.
Somebody who is going to use the information for a purpose other than that—I prefer they go and join something else.
5:20 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
Thank you, Mr. Chair.
Mr. Green, since Mastercard is an international organization, your network is linked to a number of banks in different countries. Are Canadian banks well equipped, compared to European or American banks? You work directly with the banks because you use them for your transactions. Are Canadian banks well organized, compared to banks in other countries?
5:20 p.m.
Executive Vice-President and Chief Security Officer, Mastercard Canada
I think the Canadian banks are actually in relatively good stead compared to U.S. or European banks. I have seen banks in other places that I'm not so....
5:20 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
Our study concerns the Canadian banking system and the insurance company system. Your company works directly with banks around the world. According to you, Canadian banks are among the well-protected banks in terms of cybersecurity. Is that what you're saying?
5:20 p.m.
Executive Vice-President and Chief Security Officer, Mastercard Canada
I think they're well protected. There are a number of banks that we converse a lot with. We see it as an opportunity to make sure that we're all working together. I think about wildebeests. When we're together, we're less of a target. If we're alone, we're more of a target. I've had a number of Canadian banks come out—even Canadian Tire—and look at our fusion centre, work with us and build up a collaboration channel.
5:20 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
I have one last quick question.
Mr. Green, does Mastercard have cyber defence strategies to protect itself against attacks from the dark web?
Mr. Finlay, are these topics regularly studied in the university sector?
5:20 p.m.
Executive Vice-President and Chief Security Officer, Mastercard Canada
We have an intelligence team that looks for threats in the dark web. We pay providers to look at different things within the dark web. We have different government partners that are also looking at things within the dark web to find out how they're attacking and what's different so that we can prevent that. We also share that information with our customers.
5:20 p.m.
Brampton North, Lib.
All of this has been very fascinating today but being an MP from Brampton I have a particular interest in Cybersecure Catalyst, which is already partially set up and will be in full swing, thanks to Ryerson. I am happy to see that in budget 2019 there is a commitment made to Cybersecure Catalyst.
I want to know, more particularly, what types of certifications you'll be providing through the training. Are these certifications internationally recognized? Are they comparable to other training programs available anywhere around the world? Also, how many people do you anticipate will reskill or skill up, and how many introductory courses do you plan on being able to complete once you're in full swing?
5:20 p.m.
Executive Director, Cybersecure Catalyst
With respect to certifications, it's our goal to deliver a suite of internationally recognized certifications from established third party cybersecurity training organizations. These are well known in the marketplace. These are entities like SANS, EC-Council and Palo Alto. There are lots of different providers that offer these and we are engaged in developing partnerships quite intensively with SANS and EC-Council to deliver these courses.
This really goes to the posture of Cybersecure Catalyst, which is industry-focused. We are very much interested in supporting the Canadian cybersecurity industry through the partnerships that we've discussed with academia and, obviously, through collaboration with the government. The cybersecurity sector in Canada promises to be one of the best in the world, and it can be one of the best in the world. We're going to work extremely hard to support that. We are aiming for those kinds of industry-focused certifications.
In terms of numbers, we have a five-year model out with respect to the introductory courses, that is, bringing demographic groups that are under-represented in cyber into the sector. We're looking at approximately 500. In terms of the work that we're going to be doing with our private sector partners, that will be in the thousands. In terms of engagement with young people, that will be, we hope, in the tens of thousands. Cybersecurity is a big problem and the numbers that we need to reach in order to have a material impact on this issue are large.
That's the ambition for this centre.
