Public Safety Committee on April 10th, 2019

That's correct, yes.

That sounds good.

Thank you, Chairman. I'll hold you to that assessment when I'm finished.

Thank you again for the opportunity to speak to you.

As I start, I want to note that in discussions with the clerk and the staff of the committee, I told them that I wasn't an expert on the financial sector, and it was suggested to me that I could make some general comments on national security and cyber, so that's what I'm proposing to do. I hope that will be helpful to the committee.

I want to comment in an odd sort of way on your order of reference, which talks about national economic security. I'm sure that careful thought was given to that, but I'd like to suggest to you—and I'm doing a bit of marketing here—that the issues you're talking about are national security issues, period. They're not a subunit of national security.

This goes to the definition of national security. I hope and think that you use a fairly broad one, but to my mind, it's anything that materially affects a nation's sovereignty. The things that the committee is talking about now can potentially very much affect a nation's sovereignty, just like money laundering conducted by a foreign state, or a devastating national security issue. That's just a small marketing effort on my part.

While I'm not an expert in financial systems, I hope and think that I can offer you a couple of useful context points. One is that context in the environment in which cyber-attacks occur, be they against the financial institutions or anywhere else, is important. These things don't occur in isolation. I would argue that you cannot deal with cyber-threats in the financial sector without an understanding of cyber-threats generally, and you can't understand cyber-threats without understanding threats generally directed against Canada and the west. We all live in a globalized world, and that certainly applies to national security threats.

I say this for a couple of reasons. Some of you may be old enough to remember the Cold War where it was fairly simple: those who were causing trouble and those who were receiving trouble were basically states. I'm oversimplifying, but it was the Warsaw Pact against the west. Some companies were affected.

I think one of the contextual points that are important is that our adversaries or instigators today are states, terrorist groups, criminal organizations—and I'll come back to that—corporations, civil society groups and individuals. I think that any of these could be causing difficulties in the financial systems that you're concerned about.

The targets, on the other hand, used to be basically states. I'd argue that they're now states, corporations, civil society, political parties, non-profits and individuals. The world is fairly complicated, and if either the financial institutions themselves or the government is going to deal with cyber-attacks against them, my suggestion to you is that they have to know and understand the context in which all of that is occurring. They just can't build walls abstractly.

I think the question of who or what might initiate cyber-attacks against our financial sector is very relevant. I don't try very hard to do sound bites, but I have one: National security is not national. It's not national in the sense that no single state can deal with these issues— certainly not a relatively small middle power like Canada—and you need international co-operation.

Second, I would argue that no federal state or nation state can deal with these sorts of things without the help of provincial or regional governments, and corporations and society generally. I would argue with you that it is a significant mistake for financial institutions to argue that they can do it all themselves, just as it is a mistake for the government to accept that hypothesis.

I talked a little bit about context and environment, so I would just like to lay out very quickly the kinds of threats to national security that Canada's facing. I think of the revisionist states, Russia and China; extremisms and extremism generally, including terrorists; the issue of cyber; the dysfunctional west; and the rogue states and issues—Iran and North Korea, come to mind.

I'm emphasizing this a little bit because I think all of these are interrelated far more than they might have been 15 or 20 years ago. They leverage against each other, and they amplify their effects. For example, Russian and China use cyber systems and benefit from a dysfunctional west because we're not fighting them together. Terrorist groups benefit from the discord caused by revisionist states, and they use cyber systems. All of them interact with one another, and I think that we need to keep that in mind when we do that.

One of the other issues I want to emphasize and suggest to you is that Canada is very much threatened by cyber-attacks generally and against our financial institutions. I say this, because when I used to be working, one of the things that used to drive me to distraction was the view of many Canadians that Canada wasn't threatened because we had three oceans and the United States. That view made it very difficult for governments and others to deal with a lot of national security threats. The average Canadian, absent an event, didn't think there was a great issue.

I think Canada is very much threatened by a variety of the institutions and entities that I just talked about, but why is this the case? We have an advanced economy, advanced science and technology; we're part of the Five Eyes and NATO, and we're next to the U.S.

To be honest, we're not thought internationally to have the strongest defences on the cyber side, and any institution will go to the weakest link in the chain. Sometimes we are thought to be that, although I don't think we're doing all that badly. Also, we're threatened, sometimes simply because we're hit at random.

I think it's especially important for the committee to make the point that our financial sector is indeed threatened by cyber-attacks, because I don't think a lot of people believe that.

One of the other things I'd like to talk about is who I think are the main instigators of potential attacks. I think they're nation states and international criminal groups.

What are they going to try to do? They're going to try to deny service, old-fashioned theft—and I'll come back to that—information and intelligence acquisition, intellectual property theft, and identification theft, for both the purposes of acquiring money and espionage.

Let me give you a couple of examples about states that play with countries' financial systems.

North Korea finances a lot of their operations, gets a lot of their hard currency by using their cyber-capabilities to access the financial systems of various and sundry countries. For example, they had a program some time ago that allowed them to steal money systematically from ATMs around the world. They also had a program that allowed them to claim ransoms using ransomware. More generally, they are the country that was thought to have frozen the United Kingdom's national health service a few years ago.

My point is that you can find out as much about this as I can just by Googling them. The United States has indicted a number of people from North Korea who have tried to do this, and this is just one example of a state that tries to get into western countries' financial systems.

Another one is Iran. You will have seen in the newspapers over the last five or ten years, a couple of examples of how Iran has tried to do this, in particular against the United States and banks. There are indictments against seven or eight Iranians.

I have a couple of words about Russia and China and how I don't think you cannot ignore them when you talk about this topic. I think their main objective is twofold: one is denial of service, and another is to simply reduce western confidence in our institutions. They do this systematically.

Criminal groups I think are becoming much more prominent in this area, and it's something we don't talk enough about. I hope you've had an opportunity to talk to the RCMP about this. If you look at either RCMP or Statistics Canada figures, the extent to which international criminal groups are playing with our financial institutions has gone through the roof over the last little while.

In summary, cyber-attacks on our financial system are a national security issue in my view. These attacks must be viewed in broad context if we're going to deal with them effectively. There's no silver bullet to any of this. It will only work, and we will only reduce the risk, if governments, corporations and civil society co-operate.

I think government needs to share more information with the private sector. It's something that we do far less of than the United Kingdom and United States. You can't expect private corporations to be an effective partner if they're not aware of what's going on.

The financial sector needs to report these attacks and breaches far more systematically than they do.

These issues are evergreen, and we need to talk about them more than we do.

Thank you, Chairman.

Good afternoon, Chairman and members of the committee. My name is Mark Ryland. I'm the director of security engineering with Amazon Web Services. I work in the office of the CISO, so I work directly for the chief information security officer. Thank you for giving us the opportunity to speak with you today.

I suspect you all know a bit about Amazon.com, generally speaking, but allow me to add some Canadian details.

Amazon.ca has been serving our Canadian customers since 2002, and we have maintained a physical presence in the country since 2010. Amazon now employs more than 10,000 full-time employees in Canada, and in 2018 we announced an additional 6,300 jobs. We have two tech hubs, which are important software development centres with multiple office sites in Vancouver and Toronto. We employ hundreds of software designers and engineers who are working on some of our most advanced projects for our global platforms. We also have offices in Victoria with AbeBooks.com and in Winnipeg with a division called Thinkbox.

We also operate seven fulfillment centres in Canada—four in the greater Toronto area, two in the Vancouver area, and one in Calgary. Four more have been announced. Those will be coming online in 2019 in Edmonton and Ottawa.

But why am I here? What is this cloud thing? You might be wondering why we're here discussing the cybersecurity of the financial sector at all. Well, roll back the clock. About 12 years ago, we launched a division of our company we call Amazon Web Services, or AWS for short.

AWS started when the company realized that we had developed our core competency in operating very large-scale technology infrastructure and data centres. With that competency, we embarked on a broader mission of taking that technological understanding and serving an entirely new customer segment—developers and businesses—with an information technology service they can use to build their own very sophisticated, scalable applications.

The term “cloud computing” refers to the on-demand delivery of IT resources over the Internet or over private networks, with pay-as-you-go pricing, so that you pay only for what you use. Instead of buying, owning and maintaining a lot of technology equipment, such as computers, storage, networks, databases and so forth, you simply call an API and get access to these services on an on-demand basis. Sometimes it's called “utility computing”. It's similar to how a consumers flip on a light switch and access electricity in their homes. The power company sort of takes care of all the background.

All this infrastructure is created and built. There is of course physical equipment and infrastructure behind all of this, but from the user perspective, you simply call an API. You call a software interface or click a button with a mouse, get access to all this capability and are then charged for its usage.

It's all fully controlled by software, which means that it's all automatable. That's a really important point that I'll make several times, because the ability to automate things is a big advantage in the security realm. Instead of doing things manually and using.... We don't have enough experts, believe me, to do all the command typing that needs to be done, so you need the right software to automate.

As of today, we provide highly reliable, secure, resilient services to over a million customers in 190 countries. Actually, you can think of our cloud platform as a federation of separate cloud regions. There are 20 of those around the world and 61 availability zones. Each region is made up of separate physical locations to create greater resiliency.

Montreal is home to our AWS Canada region, which has two availability zones. Each availability zone is in one or more distinct geographic areas and is designed with redundancy, for power, for networking, for connectivity and so forth, to minimize the chance they could both fail. With this capability, with these multiple physical locations, our customers can build highly available and very fault-tolerant applications. Even the failure of an entire data centre need not result in an outage for our customers and their applications.

The companies that leverage AWS range from large enterprises such as Porter Airlines, the National Bank of Canada, the Montréal Exchange, TMX Group, Capital One and BlackBerry, to lots of start-ups, such as Airbnb and Pinterest, as well as companies like Netflix, which many of you have heard of, all of which are running on the AWS cloud.

We also work a lot with public sector organizations around the globe, including the Government of Ontario, the Ministry of Justice and the Home Office in the U.K., Singapore, Australia, the U.S.A. and many customers globally in the public sector area.

What are the advantages of moving to the cloud? There are three primary benefits that I want to highlight.

The first is agility and elasticity. Agility allows you to quickly spin up resources, use them, and shut them down when you don't need them. This really means that for the first time, customers can treat information technology in a more experimental fashion because experiments are cheap. You can actually try things, and if they don't work, you spend very little money. Instead of this large capital expenditure with large software licensing costs, you can do this in a much more dynamic model. Experimentation is very helpful when it comes to innovation, so that leads to greater innovation.

In terms of elasticity, customers often had to over-provision for their systems. They had to buy too much capacity, because only once a year or once a month was there a need for a great deal of capacity.

Most of the time, the systems are relatively idle. You have a lot of waste in this over-provisioning model. In the cloud, you can provision what you need. You can scale up and add more capacity or subtract capacity dynamically as you go.

Another advantage is cost savings. Part of what I just described also leads to cost savings. You're using only the amount of capacity you need at any one time. You can also treat your expenditures in terms of moving from capital expenses to operational expenses, which many people find very helpful.

In short, our customers are able to maintain very high levels of infrastructure at a price that is very difficult to do when you buy and manage all your own infrastructure.

The third reason, and the one that I really want to emphasize here in my testimony, is actually the benefit of security. The AWS infrastructure puts very strong safeguards in place to protect customer security and privacy. All the data is stored in highly secured data centres. We provide full encryption very easily; you just literally check a box or call an API. All your data is encrypted, which acts as controls in logging, to see what's going on and to monitor and control who has access. Also, our global network provides built-in inherent capabilities for protecting customers from DDoS and other network-type attacks.

Before the cloud, organizations had to spend a lot of time and money managing their own data centres and worrying about all the security of everything inside, and that meant time not focused specifically on their core mission. With the cloud, organizations can function more like start-ups, moving at the speed of ideas, without upfront costs and the worry of defending the full range of security threats.

Previously, organizations had to either adopt this big capital investment program or enter into long-term contracts with vendors. Really, the most difficult part was that the companies and organizations were responsible for the entire stack. Everything from the concrete to the locks on the doors and all the way to the software was completely the responsibility of the customer. With cloud, we take care of a number of those responsibilities.

What about cloud security? More and more, organizations are realizing that there's a link between IT modernization and using the cloud and improving their security posture. Security depends on the ability to stay a step ahead of rapidly and continuously evolving threat landscapes and requires both operational agility and access to the latest technologies. As the legacy infrastructure that many of our customers use approaches obsolescence or needs replacing, organizations move to the cloud to take advantage of our advanced capabilities.

Increased automation is key, as I mentioned before, and the cloud provides the highest level of automation. The possibility of automation is maximized using the cloud platform. Cloud security is our number one priority. In fact, we say that security is job zero, even before job one, and organizations across all sectors will highlight how commercial cloud can offer improved security across their IT infrastructure.

Therefore, many organizations, such as financial institutions, are modernizing their capabilities to use cloud platforms. We've been architected for the security of organizations, and for some of the most security-sensitive organizations, such as financial services.

Now, there is a shared responsibility. Customers are still responsible for maintaining the security of their environments, but the surface area, the amount of things they need to worry about, is greatly reduced, because we take care of a lot of those things and they can focus their attention on what remains. From major banks to federal governments, customers have repeatedly told us—and we have quotes that we can supply to the committee—that they feel more secure in their cloud-based deployments of their applications than they do in their on-premise physical infrastructure in their own data centres.

In sum, cloud should not be seen as a barrier to security, but as a technology that helps security and is therefore very helpful in the financial services realm as a part of a general solution for modernization and improving security.

We also have a few policy recommendations, which we'll provide in our written testimony.

One of the things is that we think there's an overemphasis on the physical location of data. Very often, people think, “I've got to have data physically here in order to protect it.” Actually, if you look at the history of cyber-incidents, everything is done remotely. If you're connected to a network and the network has outside access, that's where all the bad things happen.

Physical location of data, especially when you can encrypt everything, such as physical access to storage drives or whatever, literally is not a threat vector. Really, there should be some flexibility for banks and other institutions as to where they physically place their data, and they should be able to run their workloads around the globe, reaching their global customers with low latency and storing data potentially outside of Canada.

There are another couple of recommendations, including data residency. We believe also that centralizing security assessment makes a lot of sense. Instead of having every agency or every regulatory body separately evaluating cloud security, centralize that in an organization like the CCCS, where they can do a central evaluation and determine whether clouds are meeting the requirements. Then, that authority to operate can be inherited by other organizations throughout the government and under industries that are regulated.

Thank you very much for your time.

Well, I tend to agree with you that drawing distinctions in this area is a little bit artificial and that one of the things that should be avoided to the extent possible is the development of these silos. We have quite enough of them as we are, and we don't need any more.

I think National Defence's main contribution is through the Communications Security Establishment and, insofar as the private sector is concerned, the Centre for Cyber Security. They tend to operate quite co-operatively with other parts of the national security environment in Canada. I would argue, in part on the basis of what I knew when I was working, but in part because I now operate a little bit in the private sector, that they certainly were a welcome development, but they have not solved all the problems of cyber-attacks here or anywhere else.

I think one of the big problems they have, and this is a Defence issue, in the sense that the defence minister is responsible, is that we talk about these things, but we talk about them less and share far less with the private sector than a variety of other countries do. I don't blame any particular government or any particular official. There's something in the Canadian DNA in that we think that national security should be dealt with and not talked about, but I would argue that in many cases we're far better off if we talk about them a little bit, without going into operational detail. It raises awareness. It allows both government and corporations to talk and to share more information than is otherwise the request, but I think the main contributor is CSE.

I think there are state actors and state actors. I think China and Russia are at the top of the league. They spend almost unlimited resources on their cyber-capabilities. They're very, very good at it. I think it's generally accepted that China uses the vacuum cleaner approach. They'll grab just about anything they can. The Russians, I think, are somewhat better technologically and more surgical in what they seek to acquire.

I think international criminal groups are not at that level, but they're getting to be very, very good. It's a very smart collection of people there, who have figured out that it's easier to enrich themselves using cyber devices than using kinetic action of some form or other. Also, there are no borders, and to the extent that there are no borders, it's far easier.

I guess the last group I would mention is terrorist groups. They're in a different category. Some of them have a limited cyber-capability. It's not really worldwide.

I guess the point I would make again is that the state actors in particular make it important that we regard cyber-defences as evergreen. I'm not talking in particular about Mr. Ryland's company, but for any protective measures that we put in place, if we have a really aggressive actor and we give them enough time and technology, they'll find a way around them. My point is, we need to constantly renew our defensive measures. We need to constantly advance our technology, mostly against nation-states, but increasingly against international criminal groups.

I think content is appalling, disgusting and unrealistically terrible. If you sit down some Saturday afternoon or on a rainy Sunday and, with a bit of imagination, start going through the web, you will find right-wing stuff that is as bad as the Nazis, and you will find jihadist literature that advocates the systematic killing of people. That's not talking about the dark web, which is another problem again. I think content is a real issue.

I would argue that what Facebook is trying to do is a good first step, but I really don't want Facebook to become my thought controller. On the other hand, I worry rather the same way about governments. I don't want governments to become my thought controllers by determining what happens. I think we need a bit of a national discussion on who does this.

One way that Parliament has dealt with this issue is in the area of money laundering. You may recall there was a debate years ago about how to deal with money laundering: Were we just going to make it a crime? What Parliament basically did is that they imposed an obligation on banks to know their clients. That has significantly improved the capability of everybody to deal with money laundering. It hasn't eliminated it, but it has helped it.

I think there is something to be said for government setting up a framework, either statutory or regulatory, which requires companies that play in this broad area to know whom they're allowing to access the web and then to direct them as to what they can and can't do.

Because of my old age and after 40 years in government, I've become a bit wary about being told what to think, but whether it's government or the private sector, I think there needs to be a measure of transparency so that we know both what is being done and what is not being done.

But none of this is going to work, I think, if the average Canadian isn't more aware of what's available and that average Canadian has some means of registering his or her displeasure. Right now, yes, you can call the Mounties, but they have so much to worry about that it's pretty low in their priorities.

Yes. When I talk about the dysfunctional west, I mean that.... I'm sure you don't want to get into a large discussion about the current U.S. administration, but they are a significant issue right now in the sense that the views of the current U.S. President are promoting massive instability. People are uncertain as to what's going on. The United Kingdom hasn't taken a major decision in a year and a half. Monsieur Macron is concerned about what's going on with les gilets jaunes. Germany is preoccupied with replacing Mrs. Merkel, and God knows what the Italians are doing.

My point is that while we're worrying about these major issues, we're giving an opportunity for Russia and China in particular to poke and prod in a way that they could not do if we were a little bit more together. I'm not suggesting the world's coming to an end. I really am not, but I think our adversaries—and I call them adversaries, not enemies—are very active. They take advantage of every opportunity. I think we need to start rebuilding those close ties that we've had amongst some countries since World War II.

I also think we need to realize more than we do—it's one of the pathways that I think we need to talk about—and appreciate that Russia and China are, in their own way, great countries. They've made great contributions to civilization. But right now they are fundamentally unhappy with their position on this planet and they're trying to change it, using virtually any method. I don't think we think about this very much. If we don't think about it and try to do something about it, we're really behind the eight ball.

I think the first thing is to develop a greater understanding of what's happening. Somebody asked me the other day in the media why Russia went to Syria. There's no prospect of territorial acquisition, except that they are trying to cause trouble, and they have effectively succeeded. They delayed the elimination of the caliphate. They're doing this in a whole raft of areas. They played with the elections in the United States, Germany, France, and I believe Italy. All they're trying to do is not really shift who's going to win; they're trying to diminish public confidence in public institutions.

All of this, I think, needs to be talked about more. We need to get a grip amongst particularly core western countries, about how serious the problem is. Parts of the U.S. administration consider this more important that we do sometimes. The Brits are at another level. We need a consensus in the west that we have a problem. The U.S. has just shifted their national security priorities to great power conflict, after being on terrorism for the last many years. Well, if that's the case, we need to think about what we're going to do about Russia and China, without going to war, which is not what I'm advocating. We need to be talking about it, understanding the nature of the threat and developing closer ties internationally. I do firmly believe that national security is not national, not in the way it's run today; we need to work with everybody.

I should admit up front that I'm probably prejudiced, having spent a goodly number of years working in this area, but I think there has been a lot of progress over the last little while and there's much more co-operation and collaboration.

But I would argue two things. One is that the world is becoming much, much more complex, and I think it could be argued that we need more resourcing. When I used to work for the government, the last thing you wanted to do was embarrass your minister by saying you wanted more money. I'm not really saying that now, but if you consider the Cold War to terrorism and the current cyber issues and great power conflict generally, yes, all of these institutions have had more resources, but the resources may not be enough today, so I would ask that.

I guess the other issue I would note is this. I was told over the years by several politicians from both sides that there aren't very many votes on national security, and that's one of the reasons why governments are sometimes hesitant to take some of the steps you've implied. However much politicians may get frustrated with officials, officials do take the lead from the political side of things, and I think we need to be a little bit more proactive sometimes than we are, because technology is moving, the threat is moving, and we seem to be playing catch-up.

I don't direct this at any government or any official. It just seems to be the way we do it, largely because, if you're the Minister of Finance or the President of the Treasury Board, the last thing you want to do is to say every two years, “Here's another quarter of a billion dollars.” I'm just picking a number, but you know, there are technological changes, some of which Mr. Ryland talked about, and there are a whole raft of others. It's very hard for government to keep up with these things without a constant ongoing effort, and at the same time, you're worrying about Russia and China and North Korea and Iran. You're worrying about international criminal groups. I think we're beginning to underestimate the problem with terrorists just because we've whacked a few of them.

So, as a long answer to a short question, I think generally speaking people are doing as well as they can, but it's very difficult to galvanize everybody who works on this—political officials and the private sector—unless there's some consensus on how serious the threat is.

I would say, with great respect, there's no such consensus in Canada.