Public Safety Committee on Jan. 30th, 2018

In the hyper-competitive world we live in, offence would indeed be the way to go. We are dealing with foreign nations that are in no way subject to the same rules as we are, or to the scrutiny of organizations like the one Ms. Vonn represents; these things mean that the government here must be accountable.

Earlier I spoke about the possibility of a cyber-attack against one of our organizations. It's hard to say if we could easily tell if such an attack came from a particular country or its representatives. In any case, I think it is increasingly possible for us to determine specifically which computers and operations centres we could target, attack and remove from the international communications network.

No, I'm of a view.... I very much appreciate the work that Ms. Vonn and her colleagues in other organizations in Canada and the western democracies do. It's an important part of that debate and discussion, but quite often I do feel a little concerned that we spend so much time focusing on what are, I believe, organizations that operate by the rule of law. They're subjected to multiple layers of review, including everything from the Auditor General to the Privacy Commissioner. We now have a number of additional bodies, which, as I said, I've welcomed. I think we live in the age of transparency and accountability, and agencies that operate with these special powers must accede to them, but I also think that sometimes we forget, as we focus on the incidental collection of some Canadians, that despite the characterization, it's not massive, in my view. I know from my time it was minuscule, but it's incidental. It will happen because of the convergence of all the global information and communications infrastructure. It does occur, yet Canadians don't seem to be having the same debate about all those data brokers out there that have hundreds, if not thousands, of unique identifiers about them.

Sometimes I wish Ms. Vonn's organization or others would focus a bit more on that, just to have some sense that Canadians need to look at their data and their privacy and their personal information, and not worry about the security establishments as much because they have rules of engagement and overview and review. We need to look at those who don't.

Thank you.

It's of critical concern to civil libertarians that the public understand that collection, incidental or otherwise, of personal information into national security agencies is not innocuous. In part because we do have these alliances, information sharing does flow in ways that are potentially problematic for those individuals, even with the notion that perhaps we're not exploiting it and perhaps we're not using it.

We're going to try to give assurances, but we don't know what's being used in terms of exploitation. We know it's everything from network mapping to profiling, which has been identified as a huge problem. It definitely resonates with Canadians as a threat to their own personal security. All those aspects of trying to figure out what the jeopardy is for this collection, use, retention, and exploitation are critical. It's critical to figure out those tentacles and ensure that we have mechanisms that are not merely paper mechanisms when we say we have measures. What are those measures? How do we know where they work? Do they cover off all the aspects?

Those are aspects behind the curtain that goes on with national security that most Canadians cannot see. We've come to have reason to distrust, because we haven't seen, for example, the simple definitions for things that would allow us to have the insight that we should have for democratic accountability.

When we see failures of definitions in Bill C-59 around things like publicly available information, to pick up my colleague's point, and a national security agency can acquire data through a data broker using the kinds of techniques that were just being described and ingest that into a system in which information may get shared with allies abroad, you can see the magnification effect of the impact on security of individuals—not national security, but personal security—in relation to all of those data practices.

People are not as alive as we would like them to be to these threats, but they're increasingly alive that these are the problems, as you illustrate.

It's going to be very difficult. It's a very complex world and it's getting more complex. Data is growing exponentially.

It's a two-part play. One part is the opportunity that technology will allow us to do many things. The second part, of course, is that it's an enlarged threat surface for attackers to focus on to break into those same networks to steal personal identifiable information in the same way as is being suggested the security establishment can under warrant, in a predicated investigation—lawful work—go in there.

We have a big problem around data and around privacy and about the invasion or the loss of security of the person. I think as much or more of it is occurring from the threat actor side than from security agencies and others.

You see the tension around this when you give the CSE broad, active cyber-powers that exploit vulnerabilities in the system that of course Canadians need to protect themselves against. Are you going to disclose those or are you going to exploit them? It's one of the tensions inherent in this new power.

At the present moment, I think we're on the low side of response in terms of investment and I think in terms of empowerment for the security establishment to respond.

I think that may shift. We have a pending government cyber-strategy that may boost us into a new level of the atmosphere, but currently I think Canada is seen as being somewhat trailing its key allies, from the United Kingdom to Australia and New Zealand and elsewhere. To me that's very problematic, because while my responsibility as the provincial security advisor is to help or assist in certain strategic issues around the prosperity agenda, it's mostly around protecting critical infrastructure and around cybersecurity.

With that in mind, as I said, we or they—those who own that critical infrastructure—cannot do it alone. These are some of the large independent agencies of the Ontario government in, let's say, the health care sector, education, transportation. We need to bolster our capabilities to make ourselves on par with places like Australia.

First let me affirm too that it's really important to understand that the health care sector in general is now the most targeted area of governments around the world. Right up there with .mail and .gov domain addresses, most health care sectors are under attack. Why? It's because data is the new oil. It's the most expensive and most sought-after commodity in the world, and threat actors of all varieties and types are converging upon it. Those are also arguably the least defended sectors of our society, unlike the large government and military sectors.

I think we need to quickly move to a place where we can bring to bear some of those cyber-offensive tools. One example would be to go out into the dark web consistently and look for early indicators of compromise and look for where threat actors are talking about you, talking about your domain and talking about your strategies, as early opportunities to get at them.

There are also the opportunities in a sort of offensive way. Should a massive DDoS attack occur, as we've seen against places like Spamhaus, The New York Times, and other organizations—and they are amplifying in size—without the aid of large agencies, those particular important aspects of our democratic societies will fall. It's about going out there, targeting those servers—of course consulting with the Minister of Global Affairs, and of course with the approval of the Minister of National Defence—and hopefully exercising some sort of kinetic effect on those servers and taking them offline.

Yes. As I was saying earlier, terrorism is effective because it terrorizes. It has a disproportionate effect. The number of Canadians adversely affected by a terrorist event is very small.

Conversely, though, infrastructure is everything that sustains our life. It's the heat, the lights, the food at the grocers, the petrol at the service stations. All those fundamentals that allow us to exist are all now increasingly built on automated systems—on a machine, on machine learning. It's interconnected interdependencies across the board. That's why those are at risk. They're at risk mostly in the age of fifth-domain warfare. We went from land to sea to air to space, and now it's about cyber. We probably won't see another debate over an F-35 again, because most of that money in most jurisdictions is moving toward information warfare.

They will do what Russia's done in Moldova, Ukraine, and Georgia, which is to go after something and signal. You might just take out something small, then something a little bit bigger, and then something that threatens to be cataclysmic. I think that's really where the big threat is.

Are terrorists using cyber-tools? Not so much yet. Is Daesh going to go from dominating social media to tuning its skill sets toward attacking? I think that's very possible.

I recognize that this is a very complex area, as I have pointed out previously. New opportunities are cropping up. Canada has to deal with a new economic reality, just as negotiations are ongoing with its North American partners.

China represents a real opportunity, but we have to keep our eyes open. As for investments in certain sectors, particularly the technological sector, I do in fact have several concerns.