Evidence of meeting #155 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Gregory Smolynec  Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada
Leslie Fournier-Dupelle  Strategic Policy and Research Analyst, Office of the Privacy Commissioner of Canada
Glenn Foster  Chief Information Security Officer, Toronto Dominion Bank

5:25 p.m.

Chief Information Security Officer, Toronto Dominion Bank

5:25 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Okay, then you're fine.

Thanks.

5:25 p.m.

Liberal

The Chair Liberal John McKay

Mr. Motz, did you know, as an ex-police officer, that there was something else to jailbreaks than what you thought?

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Yes, as a matter of fact, I was aware of that particular—

5:25 p.m.

Liberal

The Chair Liberal John McKay

You were aware? I'm very impressed.

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

We used to hack into phones all the time.

5:25 p.m.

Liberal

The Chair Liberal John McKay

I see.

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Anyway....

5:25 p.m.

Liberal

The Chair Liberal John McKay

Four minutes, Mr. Motz.

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Legally.

5:25 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Of course.

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Under judicial authorization, Mr. Chair.

I want to get back to a conversation we started on Monday with some of the other groups that were here. We heard there are some longstanding issues around legacy systems, specifically in the banking industry, for example software that's no longer supported. I'm led to believe that some of our ATMs still use and operate under the Windows XP platform, which is no longer supported.

As a financial institution, are you facing these challenges right now? What are you doing to ensure that your systems are secure and that old data is being transferred or made more secure?

5:25 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

Like all large enterprises, we have currency issues. We spend a significant amount of our budget on upgrading those systems, including the ATM fleet. Likewise, we operate within a system of layered controls to make sure those networks are a closed loop, that we have adequate encryption from a device back to our systems themselves, and then we have layers of detection to identify any potential misuse to maintain that we're balancing risk along the way.

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Okay.

We've been talking at this committee and in the House—and nationally, really—about whether or not to accept Huawei, for example, into our critical infrastructure moving forward. With 5G now on the horizon, is your bank prepared to use servers that are built in whole or in part by foreign entities that are controlled sometimes by foreign governments? How are you navigating that process?

5:30 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

We're currently undergoing an assessment on that, so we haven't arrived at a conclusion, nor have we published a policy on it.

5:30 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

How do you vet your software and hardware now, then?

5:30 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

On the hardware side, we have an acquisition process that is likewise a security accreditation process, prescribed for any internally built or deployed software. On software acquisition, where you commonly reproduce commercial off-the-shelf software, we also go through an evaluation prior to its acceptable use.

5:30 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

You make sure that it doesn't have any backdoor bugs in it.

5:30 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

That is correct.

5:30 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

All institutions are subject to cyber-attacks. The banking industry certainly isn't immune. In your experience with TD, where do most of your attacks originate and what kind of information is being targeted?

5:30 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

The majority of the attacks we see are commonly disguised to look like they're coming from within Canada or within North America more broadly. Where we can trace the original traffic, they're mostly coming from Eastern Europe, Russia or, in some cases, China or North Korea.

5:30 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

What are they targeting, and are you guys using any proactive measures to protect your own infrastructure?

5:30 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

Yes, we have a dedicated threat intelligence team that monitors the dark web. We collect threat intelligence and indicators of compromise from multiple source providers. We have a very robust sharing capability through the CBA, and more globally with the FS-ISAC and the U.S., where we get significant intelligence on what the community is seeing. We then use that data to look at actual traffic that is coming in and out of our network.

We proactively block known malicious destinations, so that if anything were to get into our enterprise, it would essentially be quarantined right away. We have layers of control and detections throughout our network and our infrastructure, where we can both identify potential bad-actor activity and quarantine devices in real time.

5:30 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Motz.

Ms. Dabrusin.

5:30 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

When you made your initial presentation, you talked about personal accountability being an issue. Our systems were described earlier as being like armoured cars going between two cardboard boxes. That really stands out as an issue.

To what extent does the bank, for example, create pop-ups when people are putting in their passwords or logging in to advise them, “Hey, if you've used this password somewhere else, you've compromised your security?” Do you have anything where you're informing people about the need to come up with new passwords?