Evidence of meeting #157 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Mark Ryland  Director, Office of the Chief Information Officer, Amazon Web Services, Inc.
Richard Fadden  As an Individual
Steve Drennan  Director, Cybersecurity, ADGA Group
Clerk of the Committee  Mr. Naaman Sugrue

4:50 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

Yes.

4:50 p.m.

Director, Cybersecurity, ADGA Group

Steve Drennan

Spear phishing is more accurate phishing. If it looks like the Hon. John McKay is sending a message to all of you and he tells you it is urgent and you have to click on it, you may think about clicking on it because it looks like it's coming from John McKay.

4:50 p.m.

Liberal

The Chair Liberal John McKay

That's a bad example.

4:50 p.m.

Voices

Oh, oh!

4:50 p.m.

Director, Cybersecurity, ADGA Group

Steve Drennan

Well, it was one example. If it looks like it's coming from a position of authority and looks like it's your style of writing and mentions things that are typically in the messages you exchange, it would seem more likely that you should just click on it. They can use pressure. We'll see sometimes formatting problems, misspelled words, but you have to look. How often do we just pull out our devices and work really quickly to click through the messages?

A bit of training, though, and awareness around spear phishing can help, and you can't just do it once. You actually have to do it several times. One of the ways to do that is to do an anonymous type of analysis spear-phishing campaign, and you actually send almost everyone in the organization a spear-phishing type of email. You're the ethical person, so it's okay. There's a link, and if they click on it, all it will do is register anonymously that someone clicked on it. At the end, you end up with a statistic of how many people clicked on it. And it's not going to be good the first time. Then you say, “By the way, we ran a spear-phishing campaign. Come and visit at lunch-and-learn and we'll explain why you shouldn't have clicked on it.” So many people did. The next time you do that, because you do it a second time and a third time, the awareness gets raised. You start raising this awareness with your users and then your users are much better. They're never going to be 100%, but getting the percentage a lot lower is much better.

4:50 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

That's helpful. That's something an organization can do. I guess what I'm trying to figure out is this. When we're looking at what recommendations we can make, how can we build our role from that?

I note that one issue that came up with one of the witnesses was passwords. We already have a prompt now when you enter a password. It tells you that you need a certain number of characters, capitals, and different numbers, whatever. What it never prompts you for is whether or not you have ever used the same password before. Apparently, a big weakness is that people use the same password over and over again. That's fairly usual. Just having a pop-up box to ask whether you've used a password before would seem simple, but it would mean that the password you were about to use was not a strong one even if it met the other markers. When we're looking at the financial industry, people signing up for online banking and these types of things, are there things that we can try to put out as recommended standards?

4:50 p.m.

Director, Cybersecurity, ADGA Group

Steve Drennan

Yes. I think there are two points in here. There's the cyber-awareness training and the passwords, so we'll talk about both.

For the passwords, yes, there should be more standards. They're actually easily set by policies. You should set more policies on it. That can be mandated in legislation. It would be more clear. When I look at MITS or at requirements, it's not always clear what the password guidelines are. It's not prescriptive enough.

Absolutely, that's just one example. You probably want to do away with common and known passwords that people choose often. You want to try to make sure that they don't choose dates that are reflective of their own personal history and that an attacker might also already have.

There are ways of making sure that gets legislated and then enforced. That's a very good example—

4:55 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

Can I just jump in quickly on that? I don't have much time.

4:55 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

Do any countries have that? Are there any examples that we could look to for that type of thing?

4:55 p.m.

Director, Cybersecurity, ADGA Group

Steve Drennan

Not that I'm aware of, but Germany and Europe tend to have a lot more legislation around this. With GDPR and other standards, you might see it there. I'm not a hundred per cent sure.

4:55 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

You can continue. I just wanted to get that in.

4:55 p.m.

Director, Cybersecurity, ADGA Group

Steve Drennan

I would say that the other thing, though, is that there are too many passwords, too many different passwords. How many systems does everyone in this room have that they log into just at work?

You can actually have a lot of those passwords synchronized, and then make it two-factor or add biometrics on top of that to create a stronger but more consistent password. That's actually a lot more effective. When you back it up with the ability to audit your users and look for behavioural issues that you might see on the network, it's a much stronger approach than everybody here having 15 passwords that they have to recycle all the time.

4:55 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Ms. Dabrusin.

Mr. Motz, you have six minutes, please.

4:55 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Chair, and thank you, Mr. Drennan, for being here.

As you indicated, your group works with government, industry and law enforcement on issues of security, including national security. Last year, one expert in our security study noted that he had “zero confidence” in Canada's readiness for emerging technology threats like AI and quantum computing.

In your experience with your work in Canada, how ready do you think we are with respect to that statement?

4:55 p.m.

Director, Cybersecurity, ADGA Group

Steve Drennan

We are not as ready as we need to be, but we're not at zero. I would say that, unfortunately, it might vary a lot depending on which group you're looking at. For instance, at the Canadian Centre for Cyber Security they're focusing on analytics and the sharing of indicators of compromise and that sort of thing, where they could play a bigger role and probably will over time in terms of their capabilities and how that can be shared.

There are other organizations, too, that have varying capabilities because they have different security technology deployed. Some of them would have Fortinet firewalls and some other people will have, say, Check Point or Cisco firewalls. Some of those firewalls will have different kinds of capabilities enabled, and some of it is next generation and some of it is not.

Unfortunately, there's a lot of variation in terms of what we can respond to. You mentioned AI, machine learning and quantum. As the attacks become more sophisticated, we do need to have more sophisticated countermeasures on scale, and that's why I was talking about the use of a public cloud. For the financial sector, if it were run from a common place, that more advanced capability would be there for almost everybody connected to that source. That's one way of bringing the level up for everyone.

4:55 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Canada, and I guess the world, for that matter, is said to have major gaps in talent with respect to cybersecurity. What is your group doing to try to develop more talent? How and where are you investing in skills and target groups in what is certainly an emerging field?

4:55 p.m.

Director, Cybersecurity, ADGA Group

Steve Drennan

Yes, that's at the core of what is very important to ADGA.

ADGA is led by a female CEO. We're very proud of that and of our proud Canadian history and diversity as well. We invest heavily in co-op programs and bringing in people who have emerging skills to get them into cybersecurity—because that's what we're talking about today—but also into other fields as well.

There's a lot of work that we all play.... Recruiting is a function that we can get involved in at the university and college level. We can help with the actual programs they're taking. For instance, at Algonquin College, they have a very good program on cybersecurity. There are a number of cybersecurity parts that are being built out now at the university level as well. That's just here in Ottawa. We take an active role in that. We work with other colleges as well.

It's important to purposely recruit diverse talents and diverse skills and have a big diverse population, I guess, in terms of the people you have. We in Canada have to make sure that we maintain that talent. Keeping people excited and energized about the work is a responsibility for all of us. If there's a lot of cyber-work this year but none next year, where does all the talent go?

5 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Last week, I believe, we had a gentleman here from Ryerson. Some could argue that there might be some gaps in what they're going to try to roll out as far as their academic program is concerned. Does your group, or do groups like yours in industry, sit down with educational institutions and help them develop curriculum that will help to develop the types of employees and skill sets that you want coming out of our schools?

5 p.m.

Director, Cybersecurity, ADGA Group

Steve Drennan

Yes. We actually have that opportunity. I've been involved in giving feedback to Algonquin's program in the past. There's also Willis College. We've talked to them. They have a program, and I've given feedback on how much cybersecurity is in there, on what should be in there, and on the Government of Canada security clearances they should get for their students as they go through, which will enable them to have better careers and stay in Canada. We have influenced and we do work with the universities on the programs—for instance, the programs for all the engineering students. We regularly meet with these groups. We're directly involved. We do get an opportunity with the faculties in academia to set those agendas.

5 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Can you explain the difference, if there is any, between cybersecurity in the defence sector and cybersecurity in the IT sector? Is there even a difference?

5 p.m.

Director, Cybersecurity, ADGA Group

Steve Drennan

I can think of a few key differences. One of them is that it's like a dam bursting. In cybersecurity in Defence, they are just waiting to move from what's called “defence” to “active defence” to “cyber-offence” as the legislation gets moved forward, because it's a critical enabler. Cyber is now seen as a whole new area; just like having naval or air force, cyber is its own theatre of combat. It's pretty critical that we move that legislation forward so that National Defence can do more on the cyber landscape. As they deploy troops and as they're in theatres of operation, they can now win and lose battles based on cyber. That's one difference. They're held back a little bit. They also have a whole bunch of classified networks and other elements that all have to be brought forward. That has to do with funding and large changes that are being looked at right now.

In the private sector, there aren't as many rules. We talked about cyber-threat intelligence earlier. You will see the large vendors being able to gather that data across the world from the nodes they have in different countries, because it's less restrictive on how they operate. That's actually very positive, because then they're able to share that data with government and industry.

5 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Motz.

Mr. Dubé, you have six minutes, please.

5 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you very much for being here.

I want to go back to the labour issue that was raised by my colleague and look at a different aspect of it. Does the industry get hamstrung by the fact that when it comes to security clearances, these are based on things like where people are from and things of that nature? You're involved in procurement on the cyber side, but in traditional procurement, if that's the correct term, around the actual building of fighter jets, helicopters, military equipment and what have you, there have been issues in the past where, depending on where our allies are on a particular issue, or where we're at on a particular issue, different companies have been disqualified and missed out. They have highly qualified people working there, and perhaps the ideal equipment to serve, say, Canada's military, but the U.S. has an issue with a particular country or something like that. Are you seeing this issue play out in the same way in the cyber field? If so, what can we do to address that?

5 p.m.

Director, Cybersecurity, ADGA Group

Steve Drennan

Yes, we are seeing that issue. For commercial clients, they're much more flexible. If your company has the right reputation and if you have the right people and skills, you can get those cyber engagements. We do a lot of security assessments and design and cloud security work. The message in terms of what you're able to do with the commercial sector, which is very sizable in Canada, is much more straightforward.

It is a challenge. I have lots of security clearances. It's been simpler for me, but for others, if they don't have enough residency in Canada, they can't get the security clearance. Typically, “secret” is required for most things. It can be “top secret”, but “reliability” isn't often the requirement. You need, I think, a five-to-10-year residency in Canada, and often to be a Canadian citizen. It might be good to look at mechanisms on how we could also do other security checks that would get people to secret and how we could make it much more uniform. There's probably no reason that every government department needs its own clearance process and its own rules. If you're trusted, you're trusted. If the company is trusted, it's trusted.

These are things that probably could be reformed over time. We probably should look at other ways to clear individuals. We have a bit of a brain drain in Canada. We should be recruiting talent from other countries. As we get those people here, we need to be able to get them busy and onto important projects and still give comfort to the government and banking that they have the right clearance and the right background.