Evidence of meeting #156 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was payments.

A video is available from Parliament.

Also speaking

Clerk of the Committee  Mr. Naaman Sugrue
Terri O'Brien  Chief Risk Officer, Interac Corp.
Justin Ferrabee  Chief Operating Officer, Payments Canada
Martin Kyle  Chief Information Security Officer, Payments Canada

5:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

They access the information through the back door; they're not hacking the system. We're talking about certain foreign actors who, because of the technology that's in place, could potentially intercept communication that happens on a daily basis, and we don't even know it's being siphoned off.

5:50 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

We do vulnerability scan controls and have intensive security scans. We use only Canadian networks, Canadian telecom providers, and have Canadian data centres in multiple provinces. We run our transactions only through our Canadian data centres, so I don't anticipate that.

5:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Okay. Thank you.

Payments Canada, what is your response to the first question?

5:50 p.m.

Chief Operating Officer, Payments Canada

Justin Ferrabee

As you can appreciate, we wouldn't discuss specific capabilities or principles or how we manage our infrastructure.

What you're raising is a very acute thing we're aware of and are concerned about. Part of the motivation for the tracking of supply chain ingredients is to know that, because we would have providers of a service who would have technology and they may not know exactly where it has all come from, so we wouldn't know.

We have to imagine that it is not safe or secure, and we have to prepare ourselves for that—and we are. We are aware of these risks, but without that kind of knowledge, even if they were to attest that this is true, it might not be true. We can't afford to take those risks, so we plan as if it's not and we try to make it so.

5:50 p.m.

Liberal

The Chair Liberal John McKay

You have a little more than a minute.

5:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

A previous witness at committee some time ago—and I asked this the other week—called Canadians “innocent”, which I thought was a very polite way of saying that we don't have a clue about our own cybersecurity.

From the perspective of both of you, what needs to change in Canada to get the consumer to get it, to be more vigilant in their own cybersecurity, and thus their own privacy? What role do we have as legislators to make sure we encourage them?

5:50 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

While I am not privy to the comment, the “innocent” comment seems to be directed more at general public knowledge.

5:50 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Yes.

5:50 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

Our resiliency in Canada, particularly with the financial institutions, is quite strong on a global scale.

To your question about Canadian consumers, I would agree. I think public education is immensely important. Certainly this time of year, with the level of CRA scams that come out, from both phone calls and emails that people receive—and I'm sure all of you are well versed in that—Canadians do get pulled into those scams. They don't have enough education or awareness to understand when they should hang up the phone or delete the email, and also to up the system security on their home computers, and how important that is.

5:50 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Motz.

Mr. Graham, you have five minutes, please.

5:50 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Thank you. I hope it's enough.

Mr. Cannings, I'll just tell you how the things we talked about earlier work. The postal code in your constituency office is V2A 5B7. If you're trying to use your postal code, you'd have the numbers from that: two, five and seven, plus zero, zero.

In the U.S., your postal code for the purpose of your card is 25700. Now you know how it works.

5:50 p.m.

NDP

Richard Cannings NDP South Okanagan—West Kootenay, BC

Okay. Next time I'm in Texas I'll remember that.

5:50 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Have a safe trip, and keep in mind that your postal code is a public record. Everybody knows how it works now, so there you go.

5:50 p.m.

Liberal

The Chair Liberal John McKay

It might be fraud, but that's another thing.

5:50 p.m.

Some hon. members

Oh, oh!

5:50 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

To come back to the matter at hand, we're talking about foreign-built devices. There is one thing I'm curious about, and this applies to both organizations. When you have third party software, or hardware for that matter, do you always get the source code, audit it and compile it yourself?

5:50 p.m.

Chief Information Security Officer, Payments Canada

Martin Kyle

We do risk assessments on all the software and projects we deploy. Those risk assessments include an inventory of the libraries that are included in the applications that we develop, as well as any defects associated with those libraries.

The digital supply chain comes from all around the world. This microphone probably comes from many different countries around the world, so the risks that are represented in the components that make up this piece of equipment need to be assessed. They need to be assessed for vulnerabilities that could allow adversarial groups to enter this piece of equipment, or a piece of software.

We make sure that when we deploy something, it goes through a rigorous risk assessment process where we evaluate things as much as possible.

5:55 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

The question at the core is, do you have access to the source code of what you're using, or is the risk assessment “We don't need it in this case because we trust this company”?

5:55 p.m.

Chief Information Security Officer, Payments Canada

Martin Kyle

We ensure that we do audits on the organizations that provide source code to us. We certainly have access to some of the source code. We build some source code. Where we don't have access to the source code, we go through a rigorous risk assessment process with the company that provides it to us.

5:55 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Terri, is it the same story?

5:55 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

No, actually. All of our high-risk and transaction-based systems are proprietary code bases. Proprietary code means that we have a large development team that builds the code themselves. We put it through quite rigorous security standards and vulnerability scanning. We have managed detection and response, layered security protocols that are quite robust, and a private, closed-loop network.

We do, of course, have the source code, because we have a team that writes the source code, and we have very robust security layers. We're constantly reviewing our security posture as well.

5:55 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

What does Interac know about a transaction? If I go to the store and buy something, what do you know about the transaction?

5:55 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

I can share with the committee that all the data meets the minimum required standards in order to process the transaction, and any personally identifiable information that is required to process the transaction to your bank account and not somebody else's bank account is fully secured.

5:55 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

How about what the transaction is actually for?

5:55 p.m.

Chief Risk Officer, Interac Corp.

Terri O'Brien

Do you mean the intended use and purpose of the transaction in terms of the merchant where it's being purchased?