Evidence of meeting #156 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was payments.
A video is available from Parliament.
6:15 p.m.
Liberal
David Graham Liberal Laurentides—Labelle, QC
You're going to replace it completely. Okay.
Mr. Picard, do you have anything to add?
6:15 p.m.
Liberal
Michel Picard Liberal Montarville, QC
Part of the transaction, I guess.... It might be a bit complicated to know every member of your group, but if I withdraw money in Europe, those banks are part of your network somehow. I don't know how it works. Do you know, or is it possible to know whether banks outside Russia, in Europe and elsewhere, which are maybe owned by Russian interests, are part of your network?
6:15 p.m.
Chief Risk Officer, Interac Corp.
They're definitely not part of our network. I'd say the financial ecosystem in Canada has gotten quite mature and robust in our sanctions screening and in understanding transfer agencies and those types of things. We definitely secure the network.
We do very few transactions outside of Canada, so it's not a problem that we encounter or that we see.
6:15 p.m.
Liberal
6:15 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
Thank you.
We've met with Mastercard representatives. Mastercard has red teams, which are known as “ethical hackers” in French. I know that there have been discussions about the term, and I don't know how you translate it. These people work internally and really try to break and outsmart the system to see whether it has any flaws. Do you have any similar teams in your company?
6:20 p.m.
Chief Risk Officer, Interac Corp.
We do. We have a very robust IT security team, which uses a number of tools that allow us to proactively scan the system for vulnerabilities and manage detection and response capabilities as well. We actively scan our systems on a daily basis and keep quite current.
6:20 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
You have internal information technology teams. You carry out scans. However, you don't really hire hackers, who will try to find the flaws in your system.
6:20 p.m.
Chief Risk Officer, Interac Corp.
We have a very large IT security team. We don't call them “white hat hackers”. We call them IT security. We have a large IT security team that's constantly testing—we call it penetration testing—and scanning the system. I think it's fundamentally the same. “Red team” and “white hat hacker” are kind of buzzwords these days.
6:20 p.m.
Chief Operating Officer, Payments Canada
I can answer for Payments Canada. As you can appreciate, we don't speak specifics about the techniques we use, but we're well aware of those techniques, as well as other ones, and we employ those that are most suited for ensuring the safety and security of the system.
6:20 p.m.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
Lastly, the goal of our study is to look at the banking and financial system as a whole in terms of cybersecurity. As partners of the banking system, in your opinion, what are the main vulnerabilities with regard to cybersecurity?
6:20 p.m.
Chief Risk Officer, Interac Corp.
We see two vulnerabilities that I spoke to earlier in my remarks. One is a lack of ability of government, RCMP and law enforcement to openly share information. The criminal activity changes quickly. It is a real-time fraudulent environment, so the ability to access that information more quickly would enable us to have stronger defences than we already have today.
Two is public education, which you all seem quite aware of. Public education on what they should and should not do would go a long way to securing the system and the ecosystem.
6:20 p.m.
Conservative
6:20 p.m.
Chief Operating Officer, Payments Canada
It's an ecosystem, and there are many actors in it and varying degrees of capability and risk. We know we are stronger when we work together, and the answer to identifying vulnerabilities is to work together in identifying them and to each play our part in resolving and managing them. That's where we put our time and effort, and we believe our counterparts do as well. We support our members and anybody in the financial institutions in that coordination, and we're confident that's the best strategy.
6:20 p.m.
Liberal
6:20 p.m.
Liberal
Sven Spengemann Liberal Mississauga—Lakeshore, ON
Thank you, Mr. Chair.
Again, I fully appreciate the levels of confidentiality you need to preserve, but in the mind of this committee or the Canadian public, we sometimes get the perception that there's a qualitative difference between a state-led, state-directed or state-owned attack and what comes out of the private sector or the underground world. Is there qualitatively an appreciable difference in those attacks? Does a nation-state have greater capacity to do us harm, or is that misplaced, in the sense that if we are fighting effectively against attacks that come out of the “private sector”, we are as equipped to fight off a state-led attack or a series of coordinated attacks?
6:20 p.m.
Chief Information Security Officer, Payments Canada
Certainly, nation-states have more resources than most criminal organizations, but unfortunately we've seen that some exploits that have been leaked from nation-states have ended up in the hands of criminal actors, which creates a threat environment that's constantly evolving. While we monitor these things and focus on the safety of the national payment system, we recognize that continued investment and focus are required to address all these threats.
6:20 p.m.
Liberal
Sven Spengemann Liberal Mississauga—Lakeshore, ON
Both fronts are equal, and if you do it well, you're able to stave them off no matter where they come from.
