Thank you. I am Steve Drennan and I'm pleased to be here today representing myself and ADGA in the cybersecurity domain and financial sector in Canada. Thank you for the invitation to provide testimony to the public safety committee at the House of Commons today and for all of your time.
For a bit of background, ADGA is a one hundred per cent Canadian company that has delivered strategic consulting, professional services and world-class technology in defence, security and enterprise computing for over 50 years. It provides high-end solutions, engineering and staffing in the government and commercial spaces. ADGA has a lot of insight, given all of this, and expertise into domains such as cybersecurity. ADGA also has strong views, as do I, on coast-to-coast security requirements and evolution and on our being abreast of the landscape and strategic partners. ADGA has a strong converged security capability with lots of cyber assessment design and compliance background. That's just to give you a feel of where I'm coming from today.
From reviewing previous testimony online, I saw a theme that the committee already had a lot of feedback on cyber-attacks, challenges, ranges and faults in the domain. Given all of that, I thought I'd focus today on cybersecurity solutions. There isn't a silver bullet to it, but there is a lot of capability that can be deployed on scale and a lot of other parts that can be developed to really increase what we do and strengthen the Canadian financial sector.
I like to think of it as critical infrastructure. You probably think of power stations and dams and classified systems as critical infrastructure, but the financial sector certainly is critical infrastructure. It's one large interdependent system that ranges across lots of different entities, like the Bank of Canada, Payments Canada, Interac—who I know were presenting—the Receiver General, merchants, small and large commercial entities and also consumers. Those are a lot of end points. There are a lot of things that can go wrong there. It's all the data, too, that is in transit and in storage. If you've been hearing and thinking about one network, one piece or one solution, it's not the whole story.
There's a shift occurring in cyber. It's shifting to socio-political attacks and brand manipulation, along with small and large volume financial attacks. Given what's at stake and the ability of cyber criminals to hide, obfuscate, and launch attacks on a non-stop basis, Canada needs to have an updated approach to cyber defence in the financial sector. The days of hiding behind walls, actual walls or firewalls, are past. It's a very interconnected space out there.
It's important to understand the adversary too. I think you've been well briefed on that, but cybercriminals and nation states have massive sets of resources. They'd be a very large country by GDP if all the cybercriminals put their wealth together. They are often physically unreachable because of where they come from.
One stat, a brief example, and I won't get into too many, from a recent Mandiant report—Mandiant is the cyber arm of FireEye, one of our strategic partners—is that the global median dwell time is 101 days. Dwell means the time that malware lives in a network until it's found and stopped. Just think about that for a second. That's an incredible amount of time for something to be sitting there exfiltrating and taking data before it's even found. Sometimes it goes up to 2,000 days before it's found. While the cyber problem is complex, it can be tackled in a way that is simplified for users, merchants, businesses and banking organizations. That's what I want to focus on today, that is, on some of the ways we can address this.
I'll focus on cyber solution themes that can address large-scale cyber-threats to the Canadian financial sector. Theme one that I'd like to go over is what I call “convergence of cyber data and protection capability”. Think of this as next generation solutions that could be deployed on scale for everyone to use and take advantage of. The concept is that one organization could actually lead this effort and put this capability in a central location so that it would be turned on for all of the entities I was just speaking about—everything we've been thinking about.
There's really fantastic new technology. One of them is linking ideas around centralized artificial intelligence, machine learning, advanced analytics, threat hunting—if you haven't heard about that, you can ask me questions about it later—and security orchestration. You can actually create semi-automatic cybersecurity detection and response. It can be fairly automated. Sometimes you do want somebody to be able to make decisions on key points and react when you sense a cyber-threat, especially if you're shutting down part of a network.
Smart buildings and networks can also be a part of this. It's not just green. Green is good, but when you introduce all kinds of Internet of things sensors, you're introducing a whole bunch of data, and that data can then be compromised. If we have an ability to sense across the physical data—operational data, sometimes called OT data, and the IoT data—we can have solutions that can better sense when there's a problem. For instance, if there's an environmental problem or an attack against a building or data centre, you'd probably want to know about that in the cyber-world and be able to respond to it. Today it's not very merged, but it can be.
There's the notion of moving forward on cyber-active defence or even offence, and that is linked to legislation and what the rules are. When you know you're being probed and attacked, the ability to respond to it, to determine where it is and to shut it down to at least protect yourself, is a very important capability.
The securing of domain name service, which is at the heart of the Internet, has standards around it called DNSSEC and others. That's really important because, if you can't trust your address resolution and where you're going to for data, that's really important.
Cyber-threat intelligence, which we touched on earlier, is really interesting because it can be done vertically. You could have just Canadian data and banking information, so you would see trends in attacks in the Canadian market space, and you'd be seeing them before they hit most of your end points, and then you'd be able to react to it in advance. You'd be able to make decisions and do updates before it became a widespread attack. That could be zero-day attacks or APT attacks, but the ability to see and respond before they become a problem is very important.
