Evidence of meeting #157 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Mark Ryland  Director, Office of the Chief Information Officer, Amazon Web Services, Inc.
Richard Fadden  As an Individual
Steve Drennan  Director, Cybersecurity, ADGA Group
Clerk of the Committee  Mr. Naaman Sugrue

4:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Thank you.

4:20 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Graham.

4:20 p.m.

As an Individual

Richard Fadden

Chairman, would you allow me to make two quick statements?

Mr. Ryland has been talking about what he does and what his clients do. If we imagine a bank for a minute, I think it's important that we not become mesmerized by the really effective things that Mr. Ryland does. If I took a device that I could probably get if I tried hard and stuck it under the desk of the executive vice-president of the Bank of Montreal, it would be a recording device. As he accessed the information and put in all his passwords, I would be able to access these from the office next door or in another city.

Talking about the Internet of things, I still don't think we've come to grips with developing a relationship with a light bulb. I think things are better than they used to be, but again, if you control the light bulb—and I'm making a joke of it.... But whatever device you want to use has the capacity for acquiring information.

The security of the systems we're talking about has two real components, the part that Mr. Ryland talked about and the environment that the financial institutions use. They're equally important, because if you get in from the financial institution's perspective effectively, either through a device that I've talked about or some other device, you can wreak havoc not only on that financial institution but also complicate Mr. Ryland's life a great deal.

It's not just the highly complex security devices that Mr. Ryland talks about. It's a whole raft of other things as well. I would argue that the Royal Bank of Canada probably does these very well. A lowly Manitoba credit union may not. Forgive me, anyone here from Manitoba. It's the weakest link in the chain issue that we haven't really come to grips with as effectively as we could.

4:20 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

As a result of this study, I've been paranoid talking in front of my refrigerator or my thermostat. Now I have to worry about my key fob and light bulbs.

Mr. Motz, you have five minutes, please.

4:20 p.m.

Conservative

Jim Eglinski Conservative Yellowhead, AB

You've got lots to hide.

4:20 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Chair.

Thank you, gentlemen, for being here.

Mr. Fadden, when we were talking previously about combatting terrorism, you referred to our current Canadian model as more like a whack-a-mole where we suppress a problem after it has begun. Is there a mechanism to be more proactive in preventing cybersecurity attacks than just education or literacy?

4:20 p.m.

As an Individual

Richard Fadden

Yes, I think there is.

If you look at what you can do—and I'm not an engineer, so I've reduced this to language I can understand—you can have purely defensive measures. You build something in whatever system you have: You have firewalls and whatever.

Then you have what I call “aggressive defensive”: You have the capacity to know when somebody's trying to go out or come in, and you deal with that.

Finally, you have the purely offensive: You have the capacity to go out and either seek trouble or degrade somebody else's capabilities.

I think we're fairly good at the first. We're not so bad at the middle. I don't think we're so great at the third. I'm not sure that we, Canada, have to do this alone. We can do this with a bunch of other countries. However, the capacity of what I will call “cyber adversaries” to use 37 cutouts makes it very difficult for people to know where they're coming from, and whatnot.

You really do need some sort of worldwide monitoring system. I don't think we have that. I think the United States, insofar as I understand, tries, but there's a limit to what even they can do.

You've probably heard of former U.S. Secretary of Defense Donald Rumsfeld. He was ridiculed at one point, but I think he said one thing that's true, and it applies to this area: You don't know what you don't know.

I think Mr. Ryland will agree with me—

4:25 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

There are the known unknowns and the unknown unknowns.

4:25 p.m.

As an Individual

Richard Fadden

Those are the ones I'm worried about.

Technology is moving so fast that we find it very, very difficult to stay ahead.

This is a long answer to a short question, but I don't think we're doing as well as we might do internationally.

4:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Okay, to take that further, you recently suggested that we're kind of on the margins when it comes to our ability to monitor ISIS terrorists or foreign fighters who have returned or are returning to our soil. Would you say that we are in a better position when it comes to cybersecurity?

4:25 p.m.

As an Individual

Richard Fadden

Well, if you're dealing with the Government of Canada, I would probably say yes. I think that government, over the course of the last and current governments, has made some real strides in developing the capability to defend Government of Canada systems. They've limited the Government of Canada's systems' access to the Internet, which made things a lot easier to control.

I kept coming back to the weakest link in the chain. All you need is one weak link that allows you to access everything. Having said that, I think on the cyber side, the government is doing better than it might do on terrorism. I don't think it's doing terribly on terrorism. I was just trying to suggest that there's a limit somewhere to what you can do.

If you expand that to provincial governments, for example, there are connections between the provinces and the federal government. The provinces vary a great deal, I believe, in how protected they are. Then you keep moving on, and it doesn't take a great deal of imagination.

I'll give you an example: I read a couple of years ago that there was a mom-and-pop metal welding shop—I think it was in Arizona—that had its own little server and whatnot. A foreign state used a problem there to access an element of the U.S. government in China. The point I'm trying to make is that it doesn't take a big hole, to use a physical manifestation, to get in.

I think, generally speaking, we're not doing badly. We really aren't, but if we think that we have blocked every possible cyber-attack against us or our economy, then I think we're being way too optimistic.

4:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

We have silos in law enforcement in fighting some battles, sometimes, and in sharing information. You've already alluded to the fact that in Canada, we have a lack of resources applied to this issue.

Do you see the same issue of siloing when it comes to cybersecurity?

4:25 p.m.

As an Individual

Richard Fadden

It's not so much siloing. Some of my former colleagues will want to kick me under the table for saying this, but I don't think there's a central controlling brain to deal with cyber issues in the Government of Canada.

I think CSE has a real role. I think Public Safety has a role. The military looks at things slightly differently. GAC has a role in dealing with things internationally. ISED—I think that's what it's called—is involved in the regulation of the Internet and how we play with them.

I don't think the American practice of creating a czar is necessarily the issue. I would suggest, at least on the basis of when I was the national security adviser, that we could have used more coordination, and maybe at some point, more direction. It's a very complex field and departments worry first about themselves.

The machinery of government is the Prime Minister's prerogative. He or she will organize things as he or she wants, but this is one area that I think is so global in its manifestation, so complex, that simply saying to various departments and agencies they have to cooperate may not be enough.

4:30 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Motz.

The final five minutes go to Mr. Picard.

4:30 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.

Mr. Ryland, my understanding of the cloud is that it is a centralized structure for which security measures and safety levels are so high that clients whose data you store feel pretty sure that they are 99% safe against outsider attacks.

4:30 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

I think that's a very fair summary. They certainly feel that they have a leg up in building proper defences, because we're taking care of a lot of things they would otherwise have to worry about.

4:30 p.m.

Liberal

Michel Picard Liberal Montarville, QC

But you just said to Mr. Graham that you had no knowledge about the content stored on your server, because it's not your business to know what your clients put on your server, so how safe is your system from a Trojan horse?

4:30 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

Mark Ryland

It's very safe, because we constantly build and test our systems to assume that we have hostile customers. We assume we're being attacked by our customers, and we take that into account and make sure that the isolation properties of the system are very strong.

4:30 p.m.

Liberal

Michel Picard Liberal Montarville, QC

So there's safety on both sides, from attacks from outside as well as from those from inside.

4:30 p.m.

Director, Office of the Chief Information Officer, Amazon Web Services, Inc.

4:30 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Excellent. Thank you very much.

Mr. Fadden, this study brought us on a journey. We had no clue where we were going, because it's so vast, big, wide and diversified. We totally understand the relevance of any action to be taken on this, especially on my side, with financial institutions. From your knowledge of government and your experience, where would you say we should start in establishing policies, and what are some of the recommendations you might have?

4:30 p.m.

As an Individual

Richard Fadden

I think, Chairman, I would go back to one of the points I made earlier. I think Parliament legislatively has to impose obligations on financial institutions, in much the same way it has done with money laundering. It has to require them to do a variety of things. Right now, most of the things are done in the self-interest of the financial institutions. They tend to be pretty good, but we should up, significantly, our reporting of breaches and attempted breaches. There's a regulation, if I remember correctly, that requires that now. It's not as fulsome as it might be.

The Americans and the Brits, in particular, have severe penalties for institutions not reporting breaches. I don't know how we can expect to deal effectively with breaches if we don't know when they're occurring. I think it's better than it has been, but still.... So I would say imposing clear obligations on the institutions and reporting of breaches. Again, some of my former colleagues are going to kick me under the table, but I don't think we share enough classified information with the private sector. I think we do far better than we did 15 or 20 years ago, but if you take the most senior technological official in the Royal Bank—which happens to be where I bank, but I'm not trying to promote it—and you ask them to collaborate on cyber issues, and the Canadian official isn't authorized to share any classified information, I don't see how you can have a real dialogue. The States and the U.K. clear, from a classified information perspective, people in the private sector. I don't mean to suggest that we don't do any of this, because we do. I'm just arguing that we don't do enough of it. I would say those three things.

4:30 p.m.

Liberal

Michel Picard Liberal Montarville, QC

When you mentioned that we might be tempted to ignore or forget about Russia and China because we are focusing somewhere else, I was surprised. I thought we were focusing so much on Russia and China that we were forgetting about real threats coming from other countries, satellite countries working for those main states. When we looked at Cambridge Analytica at our committee, it was obvious that at the end of the day it might not be Russia, but with so many satellite offices in other countries in action, where should we put our focus?

4:30 p.m.

As an Individual

Richard Fadden

That is, I think, Mr. Chairman, the $57,000 question.

4:30 p.m.

Voices

Oh, oh!