Public Safety Committee on April 10th, 2019

I don't think the discrepancy is the issue. I think the issue is time. Now you're losing a year or two years sometimes before you can get key people in on engagements. For some of the cyber knowledge you want, you could take a group of people—I think we talked about how people can be accelerated and there's been witness testimony on how we can get people started quite quickly into cybersecurity, entry level positions and others. If you have a key group of people whom you can clear based on adding some people who are trusted from companies—and sometimes you need subject matter experts, let's say, from the U.S. So comparable clearances and moving quickly on it is fundamental. Sometimes what happens is that it's more about the time that we lose because of all these different clearances and that the impact of that is direct to national defence and to other groups that can't get teams meaningfully started for a year or two sometimes. The Department of Finance might not require as many clearances. DND requires what's also called a VCR at each site, but other entities don't do that. It's about having the same standards applied to everyone. If the data is more sensitive, that's what the clearance should be for everyone.

Yes and no. I think we can go to the Five Eyes community and get a lot of that talent and have comparable clearances, but yes, we should also look at extending to other countries. How do we have a fast track clearance process from other countries so we can trust individuals for information, and how can we do it quicker?

Yes.

It's a really key point. I just didn't have enough time to go into it too much, so thank you for the opportunity.

We all trust when we walk into a bank, and we all trust when we walk into the Bank of Canada, or one of these trusted places like the Department of Finance. That is something that can be leveraged in a very positive way. One of the things we talk about is passwords. When you're setting up credentials online, you have to be able to trust how you set that up. I think we should be leveraging that space and those personas and organizations more. That can establish more security for those online credentials and it can play a broader role. It can be more uniform as well. That's a key thing. We can set up stronger credentials that are more uniform that could be used in a more specific way for cybersecurity.

The main thing would be that the bank would play a role called a “registration authority”. The bank doesn't have to have the data.

I think you've been briefed on tokenization. The data wouldn't have to be held by the bank; the bank could be the enabler of saying, “You are who you are, we know it, you've come into a bank, we trust you, you trust us, we've done a registration check.” It would be a function in support of setting up the online identity rather than holding the data.

Yes, I am in favour of using secure public cloud. That would mean large data storage, but the ability, then, to detect attack correctly when it's happening and protect the data better.

In terms of protecting that data, there are lots of mechanisms that can be used. For example, there are good products for cloud that enable you, at the field level, to encrypt data whenever you need to. If you have an insider threat and there's a breach, the data that's stolen is encrypted data. It's protected because it was protected properly as you stored it.

What we don't do a lot sometimes is organize our security design correctly, so when we're breached, we're not protected properly. We don't detect it fast enough and we don't know how to respond. To your point, if we organize ourselves and there is an insider threat, the data can be protected and we can more quickly detect and respond to the event, too.

One example I'm sure everyone is aware of is Snowden. He actually had a lot of access, and then was able to give himself more access. That's not exactly the paradigm you want to have in an environment. There are better ways of doing that.

I'm speaking from some first-hand experience, but it's probably because PKI, or public key infrastructure, can be a bit of a big hammer in actually deploying certificates. Then what assurance of certificates are you deploying, and are they proprietary?

S/MIME was very good, but the point is that there are ways of establishing identity and having digital certificates, or proof of the message originator and who sent it and whether it has been tampered with, that can be added and done better.

Absolutely, there are technologies. If we standardized on one, that would be good. I don't know if we need full public key infrastructure. We have to be careful about what digital certificate approach we take, given the massive community that would be involved in the financial community.

Well, we're moving away from email. That's more for productivity reasons. Email is not necessarily being used for what it was created for. There are things such as Slack and other tools that can create more efficient conversations.

Earlier we talked about user awareness. People need to know how to use email and what to click on. Just because everything is encrypted doesn't mean a bad actor didn't send an encrypted email to you, so it still comes down to that point.

There are ways to do it. If we wanted to have a portal service where there would be secure emails kept in a location that you could pull down, that would an option. There's time-to-live encryption, so that when you send messages, they're encrypted, and then if you don't open them fast enough, they expire and disappear.

There are some options to look at.

In our cybersecurity team in the organization, we have a lot. We have the ability to hold and process top secret information. We have classified environments. We all get top secret clearance and these extra clearances that we were just talking about. We do that because it enables us to be able to do the contracts we were talking about earlier. We know we have to do it. It affects whom we can hire as well, and that's an unfortunate byproduct because we always want to get as much diversity as we can. But we get all the top clearances for sure. And some other parts go with it for—

No, creating more consistency.