Evidence of meeting #155 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Gregory Smolynec  Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada
Leslie Fournier-Dupelle  Strategic Policy and Research Analyst, Office of the Privacy Commissioner of Canada
Glenn Foster  Chief Information Security Officer, Toronto Dominion Bank

5:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

I have plenty of time. Do you want a coffee or something?

5:05 p.m.

Some hon. members

Oh, oh!

5:05 p.m.

Michel Picard

Should we regulate the announcing of an attack not only in terms of time, to make it as fast as possible, but also use this information and spread it all over the market to inform everyone, protecting the information of the person or the company, but doing it in a way where this information may be helpful somehow?

5:05 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

As for privacy information and the protection of the consumer PII, I believe the privacy laws and reporting time frames are adequate. As a bank or large institution, we go through various security scans, looking for malicious activity on a daily basis. The question really comes down to finding the threshold of abusive activity, whether some activity is actually a problem. My view would be that the reporting we do at our primary regulator is adequate.

The typical things we see at TD Bank relate to attempts at customer-based criminal activities against our online banking systems. One of the things I mentioned in my opening remarks was credential stuffing. If you look at all of the data breaches that exist now from Marriott, Yahoo, etc., we have millions, in some cases billions, of credentials. Yahoo reported 3.5 billion sets of credentials. Criminals are scripting attacks against various banks, looking for consumers who reuse their user names and passwords throughout the institution. The volume of that traffic is significant, and it forces banks and corporate defenders to invest in leading technologies to remediate that traffic. That becomes business as usual for us, no different from fraud losses within a period of time.

5:05 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Picard.

Mr. Paul-Hus, you may go ahead for six minutes.

5:05 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

My colleague asked you a question about data storage. As you pointed out, TD Bank generally stores its data in Canada but may also store some data in the U.S.

On Monday, we heard from Mr. Green, the head of cybersecurity at MasterCard, and he told us that banks were the ones keeping the data on file.

You work with Visa. Do you store the data related to TD Visa cards here, in Canada, or in the U.S.?

5:10 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

The core processing is outsourced and that data actually resides in the United States.

5:10 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I see.

I'd like to come back to the oft-mentioned ethical hackers.

What do you call them again?

5:10 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

The term is white hat hackers.

5:10 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Very good.

In 2017, TD created the red team, a group of ethical or white hat hackers that work for the bank and spend 24 hours a day looking for holes in the system.

What kind of service contract do you have with those individuals?

5:10 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

Good question. Even prior to the development of the red team, we had our own internal ethical hacking team as well. The purpose of that team was to support our system development activities and make sure a credit system was secure before we placed our trusted data in it, or exposed it to customers. The red team, specifically to your point, is made up of ethical hackers who test our production systems on a daily basis. Those are internal employees. We augment those resources with experts in the field. We do that not just for capacity, but also for shared expertise, because the way to strengthen this industry is by constantly bringing in new skills, new talents, and continuously testing our systems.

5:10 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I'd like to talk about the trust relationship between the bank and the group. At their core, they are people who enjoy hacking. What they do is slightly criminal, but you hire them to work as the good guys, if you will, helping the bank and supporting its system.

How do you make sure you can always trust them?

5:10 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

Obviously, these employees go through our pre-employment screening. We do background checks, etc. They are part of our insider risk program, and they're aware that because of the sensitive position they hold in testing production systems where customer data may reside, they will be continually monitored beyond the level that average employees are subject to. They will go through a periodic screening on an ongoing basis.

5:10 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

You said that TD had a cybersecurity office in Israel. We heard from two witnesses who cited Israel as their preferred location.

Why is Israel so important from a cybersecurity standpoint?

5:10 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

Israel has a unique ecosystem in regard to their mandatory military service. They were very early adopters and had early recognition of the importance of cybersecurity. The availability of talent and high skills in that location are very desirable. That said, we are very selective about the positions we place over there. We look at security innovations, security intelligence, and monitoring for potential risks to TD Bank or our customers. In some cases, we run proofs of concept for rapid development of cyber-tools and products.

5:10 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

You mentioned Israel's ecosystem with respect to military service. Ultimately, Israeli culture offers a certain way of looking at the world. Security is a huge issue for them. We've heard a lot about Israel. How can Canada follow in Israel's footsteps to make sure young Canadians are better equipped for the challenges or take an interest in the issue?

You brought up the military. I served in the armed forces. It may be beneficial to look to Canada's military as well. Cybersecurity plays a big role in military operations, but it's done in a bubble. Is there a way to work with the military in that regard?

5:10 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

Their mandatory military service gives them an advantage, not just from the mindset they have but the networks they create. What's unique about their small ecosystem is that they leverage those military networks throughout their careers. Somebody could be working for Intel or somebody could be working for IBM, and they're working on a unique problem. It spurs very interesting collaborations. In some cases, it spurs a lot of the start-up nation mentality that you hear.

5:15 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you.

5:15 p.m.

Liberal

The Chair Liberal John McKay

Mr. Dubé, you have six minutes, please.

5:15 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Mr. Chair.

Mr. Foster, thank you for being here.

I want to talk about artificial intelligence. It has been raised a few times. In particular, it's being used by bad actors to learn how to attack weaknesses in systems. My understanding is that more and more we're seeing it being used also as a protective measure, learning how to protect.

I think TD acquired an AI start-up last year. I'll start with the security perspective and I'll get to other aspects of it.

From a security perspective, for both defending and your perception of those who are attacking, what's your sense of the current state of affairs?

5:15 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

I'll start with the attackers.

Although we're highly concerned about adversaries leveraging artificial intelligence to attack us, we haven't seen many examples of that in practice. Given that it's an evolving space, it's one that our threat intelligence team monitors very closely.

On the defence side, it's a significant asset and tool for us. Traditional security products were very good at a period of time where attacks were very repeatable. You could define signatures; you could block them.

Current attacks are very sophisticated. They're evolving on an almost daily basis. From the time of zero day out in the public to the time the commercial vendor can patch, to the time that large institutions can patch those vulnerabilities, the window, although getting so much shorter, is still significantly greater than the speed at which adversaries can develop scripting and start scanning everyone on the Internet. Part of that automation, in some cases using AI to be more rapid in how it identifies these vulnerabilities, is becoming a much more significant problem for us.

How we detect the more sophisticated actors in some of those regards, where they know how to get around our traditional security equipment, is through AI and machine learning and big data.

5:15 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you for that. That's the security side.

From a business or marketing side, AI can also be used to advance the needs of a business, to identify customer needs, and so forth. Layer 6, which you acquired, actually even says in their mission statement that they use machine learning technologies to help businesses better anticipate their customers' needs, which is a laudable goal. Those of us who use banking apps see these things being incorporated, where they're trying to predict spending trends or things such as that.

How does that get used? I know it's a broad question, but I want to understand. If data is being collected inevitably, how does your organization, your business or your bank, go about culling that information and making sure you're not gleaning things that maybe shouldn't be gleaned or that haven't been consented to, at least not explicitly?

5:15 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

In regard to data protection, not just for Layer 6 but for any technology system within TD Bank, we go through a very robust accreditation process that we call our “secure SDLC” program. That really starts in understanding basic requirements, risk assessments and privacy impact assessments, and then providing prescriptive measures on how that data is supposed to be protected. We have a very robust data classification standard. Then we leverage various schemes to protect that data.

The first strategy, of course, is if you don't actually have an explicit need, you don't get the data. Then there are various techniques, from tokenization obfuscation to encryption, to protect that data.

5:15 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I appreciate that.

The other aspect I wanted to go to is with regard to apps. Earlier, I was asking the Office of the Privacy Commissioner about this notion that when you install an app on your phone you're sort of giving broad permission. Some of the time it's explicit and other times it's less so in terms of such-and-such app wanting to access your microphone, your camera, and this, that and the other thing.

When your organization is developing the app, I'm wondering how you reconcile what's going on within the application for the banking activity of the client and the fact that there might be a variety of flaws that exist within, whether it's the firmware or other flaws that are being exploited within the mobile device itself. How does that work? What do you see as recommendations going forward?

5:20 p.m.

Chief Information Security Officer, Toronto Dominion Bank

Glenn Foster

All I can tell you is how we approach the security with the TD Bank for our applications.

You're right. Our application has to live in an ecosystem. No different from your computer, it's dependent upon the underlying operating system and the firmware. We build those applications with a couple of principles in mind. One is least privilege. Of the data that's in there, we try not to persist any data on the device itself. That way, if there are any inherent weaknesses, there's no data there for it to actually access.

We make sure the application is hardened. I mentioned the ethical hacking team that we have, in addition to the red team. Their role within the bank is that prior to the launch of any of these products, they perform very robust security testing, to make sure the application adequately insulates the application from the other things that are going on within the device itself.