Evidence of meeting #171 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Superintendent Mark Flynn  Director General, Financial Crime and Cybercrime, Federal Policing Criminal Operations, Royal Canadian Mounted Police
André Boucher  Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment
Annette Ryan  Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance
Elise Boisjoly  Assistant Deputy Minister, Integrity Services Branch, Department of Employment and Social Development
Maxime Guénette  Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Judy Cameron  Senior Director, Regulatory Affairs and Strategic Policy, Office of the Superintendent of Financial Institutions
Guy Cormier  President and Chief Executive Officer, Desjardins Group
Denis Berthiaume  Senior Executive Vice-President and Chief Operating Officer, Desjardins Group
Bernard Brun  Vice-President, Government Relations, Desjardins Group

1:40 p.m.

The Chair Liberal John McKay

Thank you, Mr. Paul-Hus.

Mr. Dubé, you may go ahead for seven minutes.

1:40 p.m.

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Mr. Chair.

Thank you for being here today, Mr. Flynn.

It's important that we talk about this situation because, as my colleague pointed out, people are worried. It's essential that we find out more about the federal government's capacity to take action and the means we have at our disposal, especially since the committee just wrapped up a study on cybersecurity in the financial sector before Parliament rose in June. I'll touch on some of the things the committee looked at in its study because they pertain to the matter at hand.

I'd like to follow up on some of your answers. First of all, it is rumoured that personal data was sold to criminal organizations outside Quebec and Canada. I know you can't comment on this case specifically, but at what point does the RCMP step in to assist the highly competent people at such organizations as the Sûreté du Québec when a case involves a criminal organization operating outside Canada that the RCMP is already monitoring?

1:45 p.m.

C/Supt Mark Flynn

We have formal, regular engagement with our policing partners across the country. That occurs on a monthly basis in the cyber area, as well as biweekly in some other areas. However, when there are incidents such as this, as you described, there are immediate calls that go out to ensure that collaboration is occurring and that any of our international partners' information that's relevant could be utilized to aid in those investigations.

1:45 p.m.

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you.

You said local police forces, the Sûreté du Québec and the Ontario Provincial Police were very competent when it came to dealing with cybersecurity issues and had significant powers. Does the RCMP have special expertise or information that could help them?

The reason I ask is that the government touted the consolidation of the cybersecurity capacity of the Communications Security Establishment, or CSE, the RCMP and all the other agencies concerned as a way to ensure information was shared and everyone was on the same page. I'll be asking Mr. Boucher, of the Canadian Centre for Cyber Security, about this as well when we hear from him.

Do you engage municipal or provincial police, as the case may be, in the same way?

1:45 p.m.

C/Supt Mark Flynn

Yes, we do. We work very closely, as I've stated, with our provincial and municipal police agencies. In fact, I take great pride in the fact that at some of those meetings that I described, where our federal policing prevention and engagement team brought together the private sector, financial institutions and cybersecurity, one of those policing partners actually stood up at the front of the room and thanked the RCMP for the collaboration they are seeing in the area of cyber, which is far better than anything they've ever seen in their career.

I take great pride in that because that has been a priority for me, my staff and our engagement folks, to ensure that we are not being competitive but are being collaborative and, in that collaboration, we are supporting each other. We are not superseding other police forces' authorities, but we're also ensuring that we can assist the others in that.

1:45 p.m.

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you. I don't mean to cut you off, but I have a limited amount of time.

When the committee was studying cybersecurity in the financial sector, we talked about the fact that people tend to think of state actors as being the threat. I won't name them, but I'm sure everyone has an idea of the countries that could pose a threat to Canada's cybersecurity.

I realize you can't talk about it, but in this particular case, we are dealing with an individual—an individual who poses a threat because the stolen data can be sold and could end up in the hands of state actors. One of the things the committee heard was that individuals represent the greatest threat. Is that always the case? Does a lone criminal wanting to steal data pose a greater threat than certain countries we would tend to suspect?

1:50 p.m.

C/Supt Mark Flynn

The threat comes from multiple directions, and I can't say which is greater, because, in our experience, we have seen a significant number of organized groups or individuals perpetrating the crimes across the Internet. The Internet is an enabler as much as it's a tool for us to use in leveraging and utilizing all the fantastic services that are out there.

1:50 p.m.

Matthew Dubé NDP Beloeil—Chambly, QC

I have to cut you off because I'm almost out of time.

Has the presence of organized groups or countries with ill intentions seeking to buy personal data created some sort of marketplace? Do individuals like the alleged perpetrator in this case have an incentive, albeit a malicious one, to steal information and sell it to interested parties? Does the existence of these groups incentivize individuals who have the expertise to do things they wouldn't normally do?

1:50 p.m.

C/Supt Mark Flynn

Yes, absolutely. We have seen a rise in what we refer to as cybercrime as a service to aid others who are less skilled at committing cyber offences, whether they are creating the malware, operating the infrastructure, or creating the processes by which somebody can monetize the information that is stolen. That is a key target area for the RCMP under our federal policing mandate, and we are targeting those key enabling services so that we can have the most significant impact on the individual crimes that are occurring, as opposed to chasing each individual crime.

1:50 p.m.

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you again for taking the time to meet with us today.

1:50 p.m.

The Chair Liberal John McKay

Thank you, Mr. Dubé.

We have now been joined by Mr. André Boucher from the CSE, and I am going to give him an opportunity to make his statement.

I'll say to you what I said to Superintendent Flynn, that we are encouraging shorter statements rather than longer statements so that members will have more opportunity to ask questions.

Mr. Fortin, I see that you want to—

1:50 p.m.

Rhéal Fortin Bloc Rivière-du-Nord, QC

If I may, Mr. Chair, I'd like to ask the witnesses questions. I'm not sure whether the agenda allows for that, but if so, I'd like a few moments.

1:50 p.m.

The Chair Liberal John McKay

No, it's not, and I'm sorry, but you're not going to be able to speak to the witnesses.

1:50 p.m.

Rhéal Fortin Bloc Rivière-du-Nord, QC

No?

1:50 p.m.

The Chair Liberal John McKay

No, not right now. Thank you. We're still in this hour cycle.

Mr. Boucher, as I said, shorter is better than longer. Thank you.

July 15th, 2019 / 1:50 p.m.

André Boucher Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

Thank you, Mr. Chair. As requested, I'll keep my presentation on the shorter side.

Mr. Chair and honourable members of the committee, my name is André Boucher, and I am the associate deputy minister of operations at the Canadian Centre for Cyber Security.

Thank you for the opportunity to appear before you this afternoon.

Let me begin with a brief overview of who we are.

The Canadian Centre for Cyber Security was launched on October 1, 2018 as part of the Communications Security Establishment. We are Canada's national authority on cybersecurity and we lead the government's response to cybersecurity events.

As Canada's national computer security incident response team, the cyber centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response.

The cyber centre's partnerships with industry are key to this mission. Our goal is to promote the integration of cyber defence into the business model of industry partners to help strengthen Canada's overall resiliency to cyber threats. Despite these efforts and those of Canada's industry, cyber incidents do still happen.

This brings me to the topic we are here to discuss today. The cyber centre is not in a position to provide any details on this incident and does not comment on the cybersecurity practices of specific businesses or individuals. Any cyber breach, not just this specific instance, can be taken as an opportunity to revisit best practices and to refine systems, processes and safeguards.

In this case, media reporting and public statements indicate that the disclosure of personal information occurred as a result of the actions of an individual within the company—what is termed insider threat.

In our recent introduction to the cyber-threat environment, the cyber centre described the insider threat as individuals working within an organization who are particularly dangerous because of their access to internal networks that are protected by security parameters. For any malicious actor, access is key. The privileged access of insiders within an organization eliminates the need to employ other remote means and makes their job of collecting valuable information that much easier. More broadly, what this incident underscores is the human element of cybersecurity. The insider threat is only one example of this.

Cybercriminals have proven especially adept at exploiting human behaviour through social engineering to deceive targets into handing over valuable information. Fundamentally, the security of our systems depends on humans—users, administrators and security teams.

What can we do in a world of increasing cyber-threats? At the enterprise level, adopting a holistic approach to security is critical. This means starting with a culture of security and putting in place the right policies, procedures and cybersecurity practices. This ensures that when something goes wrong, as it almost inevitably will, there is a plan in place to address it.

Then we need to invest in knowing and empowering our people. Training and awareness for individuals and businesses are very important. Only with awareness can we continue to develop and instill good security practices, a fundamental step in securing Canada's cyber systems.

As well, we always need to identify and protect critical assets. Know where your key data lives; protect it; monitor the protection, and be ready to respond.

At the cyber centre, we'll continue to work with industry and to publish cybersecurity advice and guidance on our website. We regularly issue alerts and advisories on potential, imminent or actual cyber-threats, vulnerabilities or incidents affecting Canada's critical infrastructure.

Under, we hope, different circumstances, we'll continue to participate in conversations like this one, which help to keep the spotlight on these issues.

Ultimately, there is no silver bullet when it comes to cybersecurity. We cannot be complacent; there is too much at stake. While long-promised advances in technology may make the task easier, the need for skilled and trustworthy individuals will remain a constant.

Thank you, and I look forward to answering your questions.

1:55 p.m.

The Chair Liberal John McKay

Thank you, Mr. Boucher.

Next is Monsieur Picard for seven minutes.

1:55 p.m.

Michel Picard Liberal Montarville, QC

I would like to preface my remarks by pointing out that the incident we are discussing today falls entirely within the parameters of the study we began in January on cybersecurity and financial crime.

As suggested by my fellow Liberal members, I put forward a motion that we study the issue. That shows how deeply concerned we are about cybersecurity in financial institutions. I'm delighted that Mr. Scheer commended our efforts in relation to the study. He fully supports my motion, and I'm glad that his party is joining the Liberal Party in its efforts to address the issue of cybersecurity in financial institutions, so thank you.

Mr. Flynn, I think it's important to speak to Canadians today to help people manage their expectations when something as serious as identity theft occurs.

The public wants the police to conduct a criminal investigation. Generally, people want something done about the loss of their personal information. They want their identity to be restored, without having to worry that five, 10 or 15 years down the road, they will once again be targeted. In terms of a criminal investigation, what are people's expectations?

1:55 p.m.

C/Supt Mark Flynn

From a policing perspective, I believe that the public expectation is that police are going to pursue the person and anyone associated with that person who is involved in either the theft or the monetization of information—whether through cyber-threat, cyber-compromise, insider threat, or so on—and hold them to account and bring them into the judicial process to ensure that there are consequences, and that steps are taken to prevent this type of incident from occurring.

1:55 p.m.

Michel Picard Liberal Montarville, QC

It's very hard for people to understand just how difficult it is to prove that you are the person you say you are. How are people supposed to prove their identity? It's extremely challenging when three different people are out there using the same name and social insurance number.

2 p.m.

C/Supt Mark Flynn

It's not an area of expertise for me, as a police officer, to confirm identity. I would go back to my earlier statement about using your local resources, whether it be financial institutions or other types of service. If you're able to use a local service to confirm it, that is your best way to deal with those companies when there are questions about your identity.

2 p.m.

Michel Picard Liberal Montarville, QC

To a certain extent, the criminal investigation is a way to ensure justice is served, provided that it leads to the perpetrators being nabbed, the evidence being used to successfully prosecute them and their being punished, mainly sent to prison.

That said, data on the black market represent virtual assets, ones that aren't housed in a physical location. Data can be located in many places. I'm not trying to alarm people, but it's important for them to understand that, even if the perpetrators are arrested, it doesn't necessarily mean that their data are no longer vulnerable and their identity can be restored.

2 p.m.

C/Supt Mark Flynn

That is correct. It's important to point out that the only measure of success is not necessarily prosecution. In fact, in the cyber area many of those prosecutions will occur in other jurisdictions as we work collaboratively.

One of the approaches in the RCMP, and I know in some of our other police forces as well, is that we are bringing financial institutions and cybersecurity experts into our investigations. That is different from what we traditionally have done in our criminal investigative efforts. That has already borne fruit. It has already provided significant advantages. Those “partners”, as I refer to them, are able to see information that we as police officers might not know is important and we may not independently be able to identify that this could be used to provide protection for their customers. I know of at least one incident in a major investigation we've been undertaking where several financial institutions, through that collaboration, were able to identify and reduce potential harm to accounts that through that sharing were identified as compromised.

So I think the approach we are taking is providing benefits that are not solely measured by arrest and prosecutions.

2 p.m.

Michel Picard Liberal Montarville, QC

Mr. Boucher, your centre provides advice to other organizations. How can a business protect itself from its own staff? What advice do you have for businesses in that regard?

As we saw this winter, there is every reason to believe that banks, financial institutions and financial service companies have the best possible technology to protect their data from outside threats. What concerns us are threats from the inside. I don't think any software out there can protect against that risk. How do you advise organizations to safeguard against the human element when it comes to fraud?

2 p.m.

André Boucher Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

Thank you for your question.

That ties in with my opening statement. A few tools are available, but what works best is going back to the basics—in other words, taking a holistic approach to security.

First, that means a well-established internal security regime for staff. It is important to understand exactly where the information that needs protecting resides, to know the individuals the organization works with and to constantly update the security regime. An individual's personal situation can easily change after they've been interviewed, so an organization should have those kinds of conversations with staff members on a regular basis. For individuals, a clear training and education program should be in place, one that includes refreshers, and the underlying processes should be clear.

IT teams have access to data loss prevention tools that can help to detect fraud. By the time fraudulent activity is detected, however, it's often too late. It is therefore important that organizations invest as early as possible in measures that build trust and confidence and that they work with reliable people.