Thank you, Mr. Chair.
Good afternoon to all committee members.
My name is Luc Jarry and I'm a senior cybersecurity advisor for Cascades Inc. I'm also a lecturer and I teach industrial cybersecurity at the Polytechnique Montréal, which is affiliated with the University of Montreal.
This is my first time appearing as a witness. I spent some time reading the evidence from other witnesses and I noted that several topics were discussed. Today, I'll talk about a subject that affects virtually every domain, from financial affairs to the industrial, business and personal worlds. I'm talking about the Internet of Things, better known as IoT, which is of course associated with artificial intelligence.
What is IoT? I think the best definition is also the shortest: IoT is a direct integration between the physical world and computer systems. In the past few years, there has been an extraordinary revolution in the way objects connect to TCP-IP networks. I'm talking about the Internet. It has been estimated that by 2020, between 40 billion and 50 billion devices will be connected to the Internet. We will have to ask ourselves wether the "Internet of Things" will become the "Internet of All."
Together with artificial intelligence, the Internet of Things makes possible what was only imaginable a few years ago. Think for example of self-driving cars. They are still in the testing stage. We have all heard about them. Currently, if your car is even halfway modern, it will probably have a monitoring system that measures the pressure in your tires. If a tire's pressure is low, the monitoring system will send a message to the car's computer to warn the driver that one of the tires is low on air. The driver will then have to deal with the problem.
The same thing will happen with the Internet of Things, but in addition to informing the driver, the car itself will make an appointment at the dealership or the garage responsible for maintenance. The car will then drive itself to the dealership so the problem can be fixed, and it will then return to its point of origin. You can start seeing the potential involved. This will open up extraordinary opportunities in all areas.
Unfortunately, all these new technologies make us susceptible to new threats and vulnerabilities. However, computers, which have microprocessors and are controlled by operating systems, are virtually the only devices connected to the Internet. This makes it possible for us to implement basic cybersecurity defences. For example, I can see there are open laptops in this room. I'm sure that those computers have basic cybersecurity protections. This would involve a personal firewall turned on and probably an antivirus program—which I hope has the latest virus updates—as well as a malware scanner. There is something important to note here. These computers have a processor and are able to encrypt and decrypt data. I'm talking about encryption, a widely used strategy in cybersecurity.
The problem with the Internet of Things is that the objects have no operating system or processors. It is therefore impossible to give them basic protections, as we can do with computers. These makes them extremely vulnerable.
Over the last 15 or 20 years industries have invested heavily in mechanization and automation technologies. Today, modern factories use industrial control systems such as programmable automatons and SCADA, which communicate with each other via their own telecommunications protocols on private networks within factories. These networks are invisible to the Internet. We often refer to them as an intranet. For industries to ensure they can use and benefit from the advantages of artificial intelligence, they must connect these automatons or industrial control devices to the Internet in order to communicate with AI service providers. This makes these devices very vulnerable.
Another thing is that, based on my own observations, most industrial controls in factories are maintained and supported by electrical engineers, most of whom have no training in cybersecurity.
There are currently many factories connecting things to the Internet in a way that creates gaps in their internal networks, opening them up to possible intrusions. I'm talking about theft of information and industrial espionage, in short, unauthorized access.
There are now things worse than that. With the Internet of Things, we can imagine a hacker or even a terrorist group taking remote control of critical infrastructure such as a hydroelectric dam, a water processing or oil industry plant, a hospital and so on. Imagine all the ensuing damage and danger to public and financial security and safety.
We must also keep the privacy issue in mind. As you know, an increasing number of users are connecting devices to their own networks at home or via cellular networks. You can for example buy a smart refrigerator equipped with a tablet-like screen that takes inventory of all the food and drinks it contains, monitors their expiry dates and even suggests recipes for the food inside, thanks to artificial intelligence. It's a wonderful thing. However, from a privacy perspective, we might ask whether life insurance companies would be interested in knowing what is in their customers' fridges. The answer is yes.
In Canada, citizens are protected by privacy laws, but there is a problem. Many studies have shown that nearly 95% of users agree to terms and conditions of confidentiality without reading them. Often, people don't really know what they are agreeing to.
Still on the subject of privacy, there are now assistants that connect to the Internet and are activated by a specific sentence or word spoken by a user. You can dialogue with the assistant to obtain various kinds of information available online, such as weather forecasts or the news. If these types of devices are connected to an unsecured home network with easy access, a hacker could use a computer worm to record you. If the device has a camera, the hacker could take pictures of you. This would obviously be a breach of privacy.
I could give you several examples. The document I submitted contains a series of recommendations, but unfortunately I won't have the time to go over them all.
With your permission, Mr. Chair, I will now answer questions.