Evidence of meeting #163 for Public Safety and National Security in the 42nd Parliament, 1st Session.

Also speaking

Luc Jarry  Senior Advisor Cybersecurity, As an Individual
Tony Gull  President, Tawich Development Corporation
Sam Gull  Advisor, Tawich Development Corporation
Jean Fernand Schiettekatte  Advisor, Tawich Development Corporation
Robert Milot  Advisor, Tawich Development Corporation

4 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Motz.

Mr. Dubé, you have seven minutes.

May 15th, 2019 / 4 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Mr. Chair.

I'd like to thank all the witnesses for being with us today.

Mr. Jarry, I have a question for you.

I'm sure you heard about the CRTC participating in an RCMP investigation of an individual who was using software known as “bots” for cryptocurrency. Everyone heard about it because it was the first time those powers, which were granted under the anti-spam legislation, were used.

That got me thinking, and it raised a question I'd like your thoughts on. If legislative and regulatory changes were to be made to address all the issues raised during this study, such as the Internet of things, would the CRTC be responsible for dealing with problems? For example, would it be better to create a new organization to enforce standards for devices? Is that something that would be looked at from both a legislative and a regulatory standpoint?

4 p.m.

Senior Advisor Cybersecurity, As an Individual

Luc Jarry

In the telecommunications industry, the CRTC definitely has an important role to play, especially in the whole area of electronic transmission security. Let's not forget wireless. Cybersecurity is not just about telecommunications; it's also about programming and development. We're also talking more and more about the physical aspect, which needs to be taken into consideration.

I think there should be an organization overseeing all those organizations, something that deals with all those fields. It's not just the CRTC.

4 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I understand and I agree.

What about the subject of the search warrant, who might be a cybersecurity threat? It had something to do with cryptocurrency, but we know the individual may have been engaged in other related activities. Under the act, would the RCMP or the CRTC have been able to do anything? Do we really need to update the act? As you said, do we need to be clearer about who deals with what to avoid confusion?

4 p.m.

Senior Advisor Cybersecurity, As an Individual

Luc Jarry

At the government level, I can't really answer that question, but I can tell you what I see in the industry. In my presentation, I said that electrical engineers are the ones who take care of a lot of equipment now. Those people have no cybersecurity training, but they are connecting things directly to the Internet.

To answer your question, yes, a number of things can be done. Should we have a specialized police force or response team? Maybe, but there are a number of fields involved. As I said, cybersecurity is not just about telecommunications.

4:05 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Gentlemen, you talked a lot about wanting to collaborate with Hydro-Québec. I'd like to look at another aspect of the issue that hasn't been raised. I'd like to know what you think about this because of the work you do.

A few years ago, the Government of Quebec, the Union des municipalités du Québec and Hydro-Québec indicated that Hydro-Québec's growing fibre-optic network, which has smart meters, might be a way to provide connectivity in more remote regions. What do you think of that idea in connection with the proposals you've made?

4:05 p.m.

Advisor, Tawich Development Corporation

Jean Fernand Schiettekatte

We are talking to Hydro-Québec about using its dark fibre network, but that network is still just serving the south. It would help optimize the Eeyou Communications Network, the ECN, and enhance security for the south, but it is not a solution for the north.

We think the committee should look at that because it's a very important issue right now.

4:05 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Absolutely. You explained that well. That brings me to another question.

One of the cybersecurity concerns is the impact on our day-to-day lives because we use more and more things that could be compromised by cybersecurity attacks.

What is the reality for you, being physically far away from major centres? If there were a cybersecurity attack on a network in a major centre, the system would go down and we'd have all kinds of problems, but at least we are geographically close to other communities and other people. What impact could that have on your communities?

4:05 p.m.

Advisor, Tawich Development Corporation

Jean Fernand Schiettekatte

I can answer that indirectly. Ideally, we'd be like Sweden, where the dark fibre network was installed by the government. All the providers use it and light up the same fibre. If there's a breakdown, one provider would be affected but not the others.

Our problem right now is that there is just one provider using one fibre. The goal would be to have a diversification strategy, and that's what we're talking about with government people. We want to see if there's some way to have more than one provider serving the region.

4:05 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Perfect.

I've covered all my questions, but I just want to pick up on what Mr. Graham said about how it would be good to have a concrete, forward-thinking solution rather than always focusing on current threats. That's important, but your perspective is important too.

Thank you.

4:05 p.m.

Liberal

The Chair Liberal John McKay

Mr. Picard, you have seven minutes.

4:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you, Mr. Chair.

Mr. Jarry, you mentioned that you work for Cascades too.

4:05 p.m.

Senior Advisor Cybersecurity, As an Individual

4:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Ever since computers have been around and companies have had electronic systems, we've had IT departments to handle software, updates, firewalls and so on.

Is the cybersecurity department just a new name for the IT department, or is there a different dimension to this that explains why private companies like Cascades now have cybersecurity departments?

4:05 p.m.

Senior Advisor Cybersecurity, As an Individual

Luc Jarry

The IT department is still the same, but there's now a cybersecurity group connected to governance that's not part of the IT team.

4:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

What process did the company go through in setting up that cybersecurity element? Was it concerned about its equipment and afraid of service interruptions or machinery shutting down? Or was it worried about external attacks compromising its administrative data?

4:05 p.m.

Senior Advisor Cybersecurity, As an Individual

Luc Jarry

Sir, cybersecurity is based on three principles: confidentiality, integrity and availability of data. There is also a compliance aspect. All companies have to be in compliance now. I'm not old, but I'm experienced, and I remember a time when cybersecurity measures, though considered best practices, were only suggestions, not mandatory.

We now have mandatory laws and rules in place. Cascades was one of many companies to establish security policies and standards based on ISO 27001 and 27003. The company set up a governance group and deployed a security policy in accordance with its own standards. The policy is based on system confidentiality, integrity and availability.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

How do you ensure that your suppliers comply with the same standards to guard against being a victim of an attack within your system?

4:10 p.m.

Senior Advisor Cybersecurity, As an Individual

Luc Jarry

It's in the contracts. We can require suppliers to have specific certifications. For example, when our employees' personal information is involved, we require all our suppliers to have ISO 27018 certification, which covers the protection of personal information. That's one way to do it. Otherwise, we include specific standards or obligations in our contracts.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

My next question might seem like a trap, but I have to ask it anyway.

Let's look at things from the other way around. If Cascades were to be the victim of an outside attack on its data, would it be obligated to report that to someone, somewhere, in some way?

4:10 p.m.

Senior Advisor Cybersecurity, As an Individual

Luc Jarry

That depends on the kind of attack. If the attack affected personal information, then absolutely, we'd have to report the incident.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Okay.

That happened at École Polytechnique Montréal and at Ryerson University. My colleague invited a representative from there, but we don't have a lot of institutions or resources in Canada with the expertise to manage our cybersecurity problems. Resources are limited, even rare. We are concerned that, as good as the expertise may be, it's not enough.

If we compare that to expertise developing elsewhere, especially the quality and scope of outside attacks, how would you compare the level of expertise and training available in Canada to those external threats?

I don't want any publicity or marketing here, but frankly, if we want to improve the situation, we need to know where we're at.

4:10 p.m.

Senior Advisor Cybersecurity, As an Individual

Luc Jarry

You are right. It is a concern not just in terms of training, but for all aspects of the industry. Experienced resources are becoming increasingly rare.

I have to say that more and more young people are becoming interested in cybersecurity. However, this field is still evolving. It is extremely difficult to find good resources with experience.

As I mentioned, I am a lecturer. We should not forget that this requires expertise in the subject matter taught as well as teaching skills. Those are two different things.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

In developing its cybersecurity strategy, is Cascades concerned that the attacks could compromise the survival of the company? Perhaps we are not yet there either?

4:10 p.m.

Senior Advisor Cybersecurity, As an Individual

Luc Jarry

In recent years, Cascades has modernized all its platforms. It has migrated to modern platforms, to SAP platforms, among others. With respect to availability, when these systems fail, the intolerance period is about two hours. This means that the plants start shutting down and cease operations after two hours. That is extremely expensive.

You are right. This creates a tremendous dependency. We address that with emergency plans and reconciliation tests with relays or data centres, and also with requirements we have for our service suppliers.