Thank you again for the opportunity to speak to you.
As I start, I want to note that in discussions with the clerk and the staff of the committee, I told them that I wasn't an expert on the financial sector, and it was suggested to me that I could make some general comments on national security and cyber, so that's what I'm proposing to do. I hope that will be helpful to the committee.
I want to comment in an odd sort of way on your order of reference, which talks about national economic security. I'm sure that careful thought was given to that, but I'd like to suggest to you—and I'm doing a bit of marketing here—that the issues you're talking about are national security issues, period. They're not a subunit of national security.
This goes to the definition of national security. I hope and think that you use a fairly broad one, but to my mind, it's anything that materially affects a nation's sovereignty. The things that the committee is talking about now can potentially very much affect a nation's sovereignty, just like money laundering conducted by a foreign state, or a devastating national security issue. That's just a small marketing effort on my part.
While I'm not an expert in financial systems, I hope and think that I can offer you a couple of useful context points. One is that context in the environment in which cyber-attacks occur, be they against the financial institutions or anywhere else, is important. These things don't occur in isolation. I would argue that you cannot deal with cyber-threats in the financial sector without an understanding of cyber-threats generally, and you can't understand cyber-threats without understanding threats generally directed against Canada and the west. We all live in a globalized world, and that certainly applies to national security threats.
I say this for a couple of reasons. Some of you may be old enough to remember the Cold War where it was fairly simple: those who were causing trouble and those who were receiving trouble were basically states. I'm oversimplifying, but it was the Warsaw Pact against the west. Some companies were affected.
I think one of the contextual points that are important is that our adversaries or instigators today are states, terrorist groups, criminal organizations—and I'll come back to that—corporations, civil society groups and individuals. I think that any of these could be causing difficulties in the financial systems that you're concerned about.
The targets, on the other hand, used to be basically states. I'd argue that they're now states, corporations, civil society, political parties, non-profits and individuals. The world is fairly complicated, and if either the financial institutions themselves or the government is going to deal with cyber-attacks against them, my suggestion to you is that they have to know and understand the context in which all of that is occurring. They just can't build walls abstractly.
I think the question of who or what might initiate cyber-attacks against our financial sector is very relevant. I don't try very hard to do sound bites, but I have one: National security is not national. It's not national in the sense that no single state can deal with these issues— certainly not a relatively small middle power like Canada—and you need international co-operation.
Second, I would argue that no federal state or nation state can deal with these sorts of things without the help of provincial or regional governments, and corporations and society generally. I would argue with you that it is a significant mistake for financial institutions to argue that they can do it all themselves, just as it is a mistake for the government to accept that hypothesis.
I talked a little bit about context and environment, so I would just like to lay out very quickly the kinds of threats to national security that Canada's facing. I think of the revisionist states, Russia and China; extremisms and extremism generally, including terrorists; the issue of cyber; the dysfunctional west; and the rogue states and issues—Iran and North Korea, come to mind.
I'm emphasizing this a little bit because I think all of these are interrelated far more than they might have been 15 or 20 years ago. They leverage against each other, and they amplify their effects. For example, Russian and China use cyber systems and benefit from a dysfunctional west because we're not fighting them together. Terrorist groups benefit from the discord caused by revisionist states, and they use cyber systems. All of them interact with one another, and I think that we need to keep that in mind when we do that.
One of the other issues I want to emphasize and suggest to you is that Canada is very much threatened by cyber-attacks generally and against our financial institutions. I say this, because when I used to be working, one of the things that used to drive me to distraction was the view of many Canadians that Canada wasn't threatened because we had three oceans and the United States. That view made it very difficult for governments and others to deal with a lot of national security threats. The average Canadian, absent an event, didn't think there was a great issue.
I think Canada is very much threatened by a variety of the institutions and entities that I just talked about, but why is this the case? We have an advanced economy, advanced science and technology; we're part of the Five Eyes and NATO, and we're next to the U.S.
To be honest, we're not thought internationally to have the strongest defences on the cyber side, and any institution will go to the weakest link in the chain. Sometimes we are thought to be that, although I don't think we're doing all that badly. Also, we're threatened, sometimes simply because we're hit at random.
I think it's especially important for the committee to make the point that our financial sector is indeed threatened by cyber-attacks, because I don't think a lot of people believe that.
One of the other things I'd like to talk about is who I think are the main instigators of potential attacks. I think they're nation states and international criminal groups.
What are they going to try to do? They're going to try to deny service, old-fashioned theft—and I'll come back to that—information and intelligence acquisition, intellectual property theft, and identification theft, for both the purposes of acquiring money and espionage.
Let me give you a couple of examples about states that play with countries' financial systems.
North Korea finances a lot of their operations, gets a lot of their hard currency by using their cyber-capabilities to access the financial systems of various and sundry countries. For example, they had a program some time ago that allowed them to steal money systematically from ATMs around the world. They also had a program that allowed them to claim ransoms using ransomware. More generally, they are the country that was thought to have frozen the United Kingdom's national health service a few years ago.
My point is that you can find out as much about this as I can just by Googling them. The United States has indicted a number of people from North Korea who have tried to do this, and this is just one example of a state that tries to get into western countries' financial systems.
Another one is Iran. You will have seen in the newspapers over the last five or ten years, a couple of examples of how Iran has tried to do this, in particular against the United States and banks. There are indictments against seven or eight Iranians.
I have a couple of words about Russia and China and how I don't think you cannot ignore them when you talk about this topic. I think their main objective is twofold: one is denial of service, and another is to simply reduce western confidence in our institutions. They do this systematically.
Criminal groups I think are becoming much more prominent in this area, and it's something we don't talk enough about. I hope you've had an opportunity to talk to the RCMP about this. If you look at either RCMP or Statistics Canada figures, the extent to which international criminal groups are playing with our financial institutions has gone through the roof over the last little while.
In summary, cyber-attacks on our financial system are a national security issue in my view. These attacks must be viewed in broad context if we're going to deal with them effectively. There's no silver bullet to any of this. It will only work, and we will only reduce the risk, if governments, corporations and civil society co-operate.
I think government needs to share more information with the private sector. It's something that we do far less of than the United Kingdom and United States. You can't expect private corporations to be an effective partner if they're not aware of what's going on.
The financial sector needs to report these attacks and breaches far more systematically than they do.
These issues are evergreen, and we need to talk about them more than we do.
Thank you, Chairman.