Evidence of meeting #171 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Superintendent Mark Flynn  Director General, Financial Crime and Cybercrime, Federal Policing Criminal Operations, Royal Canadian Mounted Police
André Boucher  Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment
Annette Ryan  Associate Assistant Deputy Minister, Financial Sector Policy Branch, Department of Finance
Elise Boisjoly  Assistant Deputy Minister, Integrity Services Branch, Department of Employment and Social Development
Maxime Guénette  Assistant Commissioner and Chief Privacy Officer, Public Affairs Branch, Canada Revenue Agency
Judy Cameron  Senior Director, Regulatory Affairs and Strategic Policy, Office of the Superintendent of Financial Institutions
Guy Cormier  President and Chief Executive Officer, Desjardins Group
Denis Berthiaume  Senior Executive Vice-President and Chief Operating Officer, Desjardins Group
Bernard Brun  Vice-President, Government Relations, Desjardins Group

2 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Picard.

Mr. Motz, you have five minutes.

July 15th, 2019 / 2 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Chair.

Thank you, witnesses, for being here.

Mr. Boucher, I was intrigued by your opening comments on the Canadian Centre for Cyber Security being the national authority on cybersecurity and leading the government's response to cybersecurity events:

As Canada's national...security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses, and international partners to prepare for, respond to, mitigate, and recover from cyber incidents.

That's fantastic. It also leads to this question by me: What standards or measures do we have in place now? We consider banking in Canada to be a critical infrastructure in this country. What standards are in place at this moment to ensure that those are met? Do we have incentives? Do we have penalties? Do we have anything in the way of ensuring that we have a uniform approach across the industry to make sure that Canadians are safe? It's Canadians we are here for and are serving in that capacity. I'm curious to know if we have a mandatory baseline that everybody needs to operate at. If we don't, how come? And how can we?

2:05 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

Thank you for your question. It's a vast question. I think you will have testimony this afternoon from experts from that specific sector of financial institutions.

I would say that from a cybersecurity perspective, the financial sector is quite mature, where we have both regulators in place and best practices that are part of the community. As cybersecurity-focused experts, we put a lot of effort into that collaboration in those best practices. We leave it to the regulators who are sector-specific to put in those minimum standards and guidelines that need to be in place, enforced and reviewed. We in fact appeal to the best and try to tease that up as much as possible for entire sectors, in this case the financial sector. The financial sector is one that's very mature. It's one where collaboration is established. It is where reputational risks are measured at their true value. Significant investments are made in that regard.

From a Canadian perspective, I would feel quite reassured that as a sector, there are both minimum standards and applications through the regulators that are in place and teams that are working at bringing the best out of enterprises so that they perform as well as possible.

2:05 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Approximately 2.9 million entities, individuals and Canadian businesses, are impacted by this particular occurrence, but millions of others across this country have also been victims of having their identities and credit card information stolen. They may not find solace in that particular statement that we have a mature banking industry in this country, because they continue to be victimized. I'm curious to know whether we are as vigorous in that way as we could or should be in pursuing the financial security of those institutions and of the people who put their trust in them.

2:05 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

I can assure you that we're quite vigorous in taking all the measures at our disposal, whether they be best practices in collaboration or measures that are enforced and in place.

The sad or unfortunate reality that we all have to compose with is that, as was pointed out earlier, when data gets lost and gets in the wild, we never get to recover it. It is not like a tangible asset that you can go and purge and bring home. It is a new reality for clients, it is a new reality for customers and it is a new reality for enterprises.

I would go back to the comment I made earlier that it just puts more fuel into the need to invest early, with early investments in having programs, in choosing our employees better, and in making sure we have a holistic approach to security to make sure we don't find ourselves trying to recover our losses.

2:05 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Okay. Thank you.

Chief Superintendent Flynn, as we've learned from this circumstance and from others, data is the hottest commodity on the dark web. We know that. People's names, addresses, dates of birth, social insurance numbers, IP addresses, email addresses—all those sorts of things are commodities that are traded at will on the web. I guess a couple of things come to mind for me. Can you help the Canadian public understand, number one, how that information is used by the criminal element, and number two, how they can then be vigilant? You answered Mr. Drouin partially with a response, but as the law enforcement agency in this country, what red flags or alarms could you make the Canadian public aware of that they need to be vigilant about if they've been compromised, and even before they become compromised?

2:05 p.m.

Liberal

The Chair Liberal John McKay

Mr. Motz asks an important question. Unfortunately, he's left you no time to answer it. I would invite you to work an answer into a response to another member. We have three hours' worth of hearings here, and if I don't keep this on track, we'll get lost.

Ms. Dabrusin, you have five minutes, please.

2:10 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

Thank you.

When we did our study on financial institutions and cybersecurity, we heard that banks had extensive security measures in place—something people may be questioning now. We also heard people being talked about as though they were cardboard boxes.

What can people do to better protect themselves? Can you give us any helpful information or details? Is there a place where members of the public can turn for information on how to better protect themselves—a website or a telephone line, perhaps? Is there anything you can tell us, Mr. Boucher?

2:10 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

Thank you for your question.

We have an extensive program. On our website, cyber.gc.ca, people can find information on how to protect themselves. Of course, people have to be aware when they are online. That is the most basic rule of cybersecurity. People have to know not only how to use the Internet, but also what they are sharing with others online. We are constantly running campaigns to educate people on using their devices securely and being smart about who they choose to share confidential information with.

Having the best protection and keeping it up to date is the first step, but making smart choices is another. People should visit only the sites of companies they consider to be reliable and reputable. Once they've done those two things, people need to choose what information they agree to share with the company. It's a three-step approach, and it is all available in the information and guidance we provide to people.

2:10 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

I see.

I also saw a lot of information about passwords. For instance, it mentioned people who use the same password for all of their online accounts.

Can you share some things people can do to protect themselves when it comes to their passwords? That's an important element.

2:10 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

Yes. I always look for opportunities to promote our website, so on our website, we talk specifically about how long and complex passwords should be. We also provide some tips. I encourage people to explore our website for themselves. It is often said that people should change their passwords regularly, but the problem with that is having to memorize a bunch of ever-changing passwords. The guideline has evolved over time. Nowadays, it is recommended that people choose at least one strong password, using certain parameters, which are available online, based on password length and/or complexity, depending on the available options. If it's possible to have a password containing up to 15 characters, people should try to choose a password that uses all 15 characters. If the password can have only eight characters, that's pretty bad, but people should at least choose a more complex password.

Constantly changing one's passwords is of minimal benefit if it means people have to write them down somewhere or use the same one for many different sites. What we want people to do is be diligent about choosing their passwords: choose something that is unique and as strong as the provider's parameters allow. People can use the same password, but if a data breach occurs, they have to act fast, changing their password and taking additional security measures. It's important to do a combination of things.

2:10 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

The other problem is that once people have a password that works well, they use it for all their online accounts. Some sites tell users that their passwords have to be longer, more complex or what have you, but they never remind people not to use the same password all the time or to use a different password than they do for other accounts. Would you mind talking about that as well?

2:10 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

Now you're asking me to be very pragmatic.

2:10 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

Yes, but this is pragmatic stuff.

2:10 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

What I would advise people, other than being very pragmatic, is to base their passwords on their level of uncertainty when it comes to the various online services they are using. For instance, for online banking, people should use a number of distinct passwords that are as complex as possible. However, for their online account with their local curling club, say, people may wish to be a little less rigorous and use the same password a few times, even though that isn't what I would recommend.

2:10 p.m.

Liberal

Julie Dabrusin Liberal Toronto—Danforth, ON

What can banks do to better educate the people using their services?

2:10 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

I believe most, if not all, banks require a minimum level of sophistication when it comes to the passwords they accept. They already have a certain standard in place to protect themselves from clients who are less diligent than they should be in selecting a password.

2:10 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Ms. Dabrusin.

Mr. Clarke, welcome to the committee. You have five minutes, please.

2:10 p.m.

Conservative

Alupa Clarke Conservative Beauport—Limoilou, QC

Thank you, Mr. Chair. I'm very pleased to be here today.

Thank you, gentlemen, for being here and giving up your time to reassure Canadians and answer our questions.

One of the cornerstones of the social contract that exists across this land is the protection of citizens, not just the protection they offer one another, but also the protection provided to them by the government. For the past three weeks, constituents in all of our ridings have been profoundly concerned. Two days after the data breach was made public, people started coming to my office. When I would knock on people's doors, that's all they would talk about. That tells me people are genuinely concerned and feel that the government has done nothing in response.

The question my constituents want you to answer, Mr. Boucher, is very simple. Can the Canadian Centre for Cyber Security indeed ensure the 2.9 million Canadians affected by this data breach are properly protected, yes or no?

Does your centre have the tools to respond to the situation and ensure the victims of identity theft are protected?

2:15 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

It's fair to say that the Canadian Centre for Cyber Security has the resources to deal with all aspects of cybersecurity. The case we are talking about today involves an insider threat and stolen information. Strictly speaking, it's not a cybersecurity issue.

2:15 p.m.

Conservative

Alupa Clarke Conservative Beauport—Limoilou, QC

I'm not talking about what's already happened. I'm talking about what's going to happen next. That's what worries people. I want to know whether the Canadian Centre for Cyber Security has the capacity to deal with international or national fraudsters who send text messages or whatever it may be.

Does your centre have the capacity to deal with that?

2:15 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

I'm not trying to evade the question, but the issue actually comes down to legislation or fraud. It's not a cybersecurity problem. That's not to say, however, that, if we see something happening, we aren't going to respond.

The first thing we do every day is talk to our partners, including the RCMP, to share what we know and update them on anything new. We make sure that whoever is responsible for the matter does something with the information we provide. The national team is the best there is and won't let anything fall by the wayside. The members of the team endeavour to fix any problems and do everything they can to keep Canadians' information safe.

2:15 p.m.

Conservative

Alupa Clarke Conservative Beauport—Limoilou, QC

I'm going to take advantage of your cybersecurity expertise.

Is Canada's current social insurance number regime appropriate in a modern age dominated by the Internet? We are at the point now where people shop on their cell phones and pay for their purchases at the cash in mere seconds. Is our system of social insurance numbers adequate in the world we live in?

2:15 p.m.

Assistant Deputy Minister, Operations, Canadian Centre for Cyber Security, Communications Security Establishment

André Boucher

Thank you for your question. You don't ask easy ones, Mr. Clarke.

I'm not an expert in social insurance numbers or their use, but I can talk about identifiers. No matter what identifiers are used, whether they involve complex or simple cryptology, information management is always an issue and the potential for data theft always exists. It's a very complex issue, and I'm going to let the experts in social insurance numbers speak to your specific question.

The bigger problem, as I see it, is how identifiers are managed. They are key pieces of information, and learning how to manage them properly in the large security systems I was talking about earlier is crucial.

2:15 p.m.

Conservative

Alupa Clarke Conservative Beauport—Limoilou, QC

Superintendent, my next question is along the same lines as that of my fellow member, Mr. Motz.

Whether they've approached me on the street, come to my office or answered the door when I was canvassing, everyone has asked me the same question. They want to know what crimes these fraudsters are going to commit down the road. They want to know what to expect. What crimes will the 2.9 million victims of this massive data breach be the target of in the future?

In addition, how long will it be before those crimes are committed? The media are reporting all kinds of things. We are hearing that it will take five or 10 years before the fraudsters do anything—that they'll wait until the dust has settled.