Evidence of meeting #171 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Superintendent Mark Flynn  Director General, Financial Crime and Cybercrime, Federal Policing Criminal Operations, Royal Canadian Mounted Police
André Boucher  Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment
Annette Ryan  Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance
Elise Boisjoly  Assistant Deputy Minister, Integrity Services Branch, Department of Employment and Social Development
Maxime Guénette  Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Judy Cameron  Senior Director, Regulatory Affairs and Strategic Policy, Office of the Superintendent of Financial Institutions
Guy Cormier  President and Chief Executive Officer, Desjardins Group
Denis Berthiaume  Senior Executive Vice-President and Chief Operating Officer, Desjardins Group
Bernard Brun  Vice-President, Government Relations, Desjardins Group

2:15 p.m.

Liberal

The Chair Liberal John McKay

Again, that's an important question. You have about 15 seconds to respond to it.

2:15 p.m.

C/Supt Mark Flynn

The reality is that whenever personal information, passwords, etc., are released on the Internet, they are there forever. People need to be cautious and vigilant about that, and use the services that are available, like credit monitoring, etc., to ensure that triggers are put in place to notify them when someone's trying to use that information, to help prevent an actual fraud from occurring.

I'm trying to respect the timeline.

2:20 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Clarke.

Mr. Graham, you have five minutes.

2:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

About 15 years ago, I was in an IRC channel—I'm not sure whether you're familiar with that forum—and someone was selling credit card numbers, along with the three-digit code on the back and the billing address. Everything was ready to go. The person was offering to sell them to people. I felt that was wrong and I wanted to call the police or some other authority, but no one replied or knew what to do.

If someone saw something similar happening on the Internet today, is there someplace they could call to report it?

2:20 p.m.

C/Supt Mark Flynn

The RCMP operates the Canadian Anti-Fraud Centre in partnership with the Ontario Provincial Police and the Competition Bureau. That is one of your best places to go to report fraudulent activity, whether it be the telephone numbers that people are calling from, or an individual identity theft or fraud that occurred. They collate that information. They share that information. Police investigations are launched based on the collation of that. That would be the first place you should call, as well as your local police force.

Local police forces—whether they be the RCMP or, in Ontario and Quebec, another police force—need to hear about the crimes that are occurring. There are connections between organized crime involved in fraud and other criminal activities.

2:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

What powers does the Canadian Centre for Cyber Security have? What can the centre do?

July 15th, 2019 / 2:20 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

Do you mean generally or in this specific case?

2:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

I mean generally. At the centre, do you accept comments from people on the outside, or do you work only with businesses? Explain how it works, if you don't mind.

2:20 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

As I explained earlier, the Canadian Centre for Cyber Security is responsible for providing advice. It prepares and protects information of national interest. It is responsible for incident management and response, including mitigation strategies. Every step is undertaken in coordination with the centre's partners, as per its mandate. When a fraud-related issue arises, the national team is called in. It is made up of centres that have already been appointed. We make sure all stakeholders have access to the available information so we can move forward. Work on the case continues, and if more information becomes available, it is shared with the person responsible.

Here's where the value of this business model lies. If something changes while the case is under way—for instance, if it ceases to be an investigation—the Canadian Centre for Cyber Security takes over until the victim receives or, rather, until the case is closed.

2:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Earlier, we were talking about passwords. Nowadays, we see two-factor authentication being used a lot more for bank accounts. Could the same thing be done for social insurance numbers?

2:20 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

I'm going to say the same thing I did earlier. I'm not an expert in social insurance numbers, but we strongly advise people to use two factors whenever possible. It's not perfect, but it improves the security of their information.

2:20 p.m.

Liberal

Michel Picard Liberal Montarville, QC

I'd like to revisit the issue of a unique identifier.

Other models exist. On other committees, we've talked about the popular Estonian model, I believe. It's a system that's in line with our discussions on open banking. All the information is centralized and people can access it using a unique identification number.

At the end of the day, no matter what you call it, a social insurance number is a unique identification number, so it's important to understand the system's limitations. It's all well and good to have the ultimate ultra-modern system, but if a single unique identifier is assigned to an individual, the information will always be vulnerable if someone gets a hold of it.

2:20 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

Absolutely. I can't name them today, but a number of countries around the world have endeavoured to adopt a system that relies on a national unique identification number. Some have been successful, and others, less so. As you said, the number becomes an essential piece of information and the slightest vulnerability puts the data at risk.

2:20 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Does your centre manage its employees' personal information itself?

2:20 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

Yes, absolutely, using all the measures I mentioned earlier.

2:20 p.m.

Liberal

Michel Picard Liberal Montarville, QC

How do you protect against an employee who wakes up in a foul mood one day and decides to help the other side?

2:20 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

We have an extensive security program in place from the get-go, starting with the selection of personnel. Of course, a culture of security prevails throughout the organization, one that encompasses personnel security, physical security and computer system security.

The processes are in place. The system is evergreen, meaning that it's constantly updated. We don't rest on our laurels, so to speak. We review the system on a regular basis. It's an extensive and complex process, but the investment is worth it.

2:25 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Is your approach used elsewhere in the market? Has another organization established a culture of security similar to yours?

2:25 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

Our approach is modern, but we don't have a monopoly on security programs. Documentation is available. Public Safety Canada put out a publication on developing appropriate security programs. It's an excellent reference that refers to the same models we use.

2:25 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you, Mr. Boucher.

2:25 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Picard.

Mr. Dubé, you have three minutes.

Mr. Fortin, we'll have a few minutes left. Do you wish to ask a couple of minutes of questions?

2:25 p.m.

Bloc

Rhéal Fortin Bloc Rivière-du-Nord, QC

Yes, please.

2:25 p.m.

Liberal

The Chair Liberal John McKay

Go ahead, Mr. Dubé.

2:25 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Mr. Chair.

Mr. Boucher, I didn't get a chance to ask you questions earlier.

My first question is about something your colleague Scott Jones said when he appeared before the committee as part of the other study we've been referring to a lot today. He said it was important that institutions and businesses report data breaches and thefts that affect them.

In its recommendation, the committee remained rather vague. Should it be mandatory to report such breaches to police in order to minimize the impact on the public and catch those responsible?

That brings me to two other questions. They're for you, Mr. Flynn.

Since the information remains online forever, should police treat these threats in the same way they do physical ones? If a murderer or someone else poses a physical threat, I imagine police investigations are conducted with a certain level of urgency. Should the same apply to cyberthreats? Desjardins contacted Quebec provincial police in December, if I'm not mistaken.

My last question is about background checks and ongoing security checks. Given how savvy individuals are these days, should these checks become the norm?

You can have the rest of my time to answer.

2:25 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

Regarding your question about reporting incidents, I would just point out that we recommend organizations invest before an incident occurs. The organization has to have a security program in place, one that can detect threats and so forth. We always recommend that people report incidents and share them with their community because there are usually commonalities that everyone can learn from.

As the country's cybersecurity centre, we work to gather that information across all communities and to find commonalities in order to issue advice and guidance that could lead to enhanced security nationally. Yes, incidents should definitely be reported.