Public Safety Committee on Dec. 9th, 2020

Thank you very much for that, Mr. Chair.

Good afternoon, committee members.

Thank you for the invitation to appear today to discuss cybersecurity and specifically the “National Cyber Threat Assessment 2020” report released on November 18.

As the head of the Canadian Centre for Cyber Security at the Communications Security Establishment, I am very pleased to be here. CSE is Canada's foreign intelligence agency and lead technical and operational agency for cybersecurity. As was mentioned, I have appeared here a few times before.

Created in 2018, the cyber centre is a unified source of expert advice, guidance and support on cybersecurity operational matters. We work closely with other government agencies, industry partners and the public to improve cybersecurity for Canadians and to make Canada more resilient against cyber-threats.

Our goal with the national cyber-threat assessment is not to frighten Canadians or to be downers, but rather to inform all of us about the threats we will be facing in the coming years. I hope it spurs many of us to take simple actions to protect ourselves. We have seen that easy, simple actions can greatly increase our individual security.

Canada is one of the most connected countries in the world, which the NCTA highlights, and the COVID-19 pandemic has accelerated our reliance on the Internet to meet basic needs. We are increasingly leading our lives online, and at the same time threat actors continue to pursue new ways to use the Internet for malicious purposes. While this assessment does not provide specific mitigation advice, more guidance and best practices can be found on the cyber centre's website and through our “Get Cyber Safe” public awareness campaign. As I've said before, by taking even a single action, all Canadians can help shape and sustain our nation's cyber-resilience.

For those Canadians who would like to learn more, we have also published an updated “An Introduction to the Cyber Threat Environment”, which I will confess I may slip and call the “cyber primer”, in which we explain many of the terms and techniques used in cybersecurity.

The assessment analyzes cyber-trends since 2018 and draws upon the cyber centre's unique view of the cyber-threat environment to forecast those trends to around 2022. The assessment also highlights the most relevant cyber-threats to Canadian individuals and organizations.

Before I discuss those threats further, though, I would note that the assessment's findings are based on reporting from multiple classified and unclassified sources, including those related to CSE's foreign intelligence mandate. While the cyber centre must protect classified sources and methods, we have tried to provide readers with as much information as possible, including footnotes.

I'll now provide a brief breakdown of the cyber centre's key findings regarding the cyber-threat landscape. Broadly, these can be grouped into three key observations for our discussion today.

The NCTA 2020 highlights several key observations.

First, cybercrime is the threat most likely to impact Canadians now and in the years ahead, and cybercriminals often succeed because they exploit human and social behaviours.

Second, ransomware directed against Canada will almost certainly continue to target large enterprises and critical infrastructure providers.

Finally, while cybercrime is the main threat, state-sponsored cyber-programs of China, Russia, North Korea and Iran pose a strategic threat to Canada.

First, we assessed that cybercrime remains the threat most likely to impact Canadians. Now and in the years ahead Canadian individuals and organizations will continue to face online fraud and attempts to steal personal, financial and corporate information. Cybercriminals often succeed because they exploit deeply rooted human behaviours and social patterns as well as technological vulnerabilities. Unfortunately, as a result of this reality, Canadians are more at risk for cybercrime than ever. This has only increased during the COVID-19 pandemic.

Malicious cyber-actors are able to take advantage of people's heightened levels of fear to lure and encourage victims to visit fake websites, open email attachments and click on links that contain malware. These website emails and links frequently impersonate health organizations or the Government of Canada. Defending Canadians against these threats requires addressing both the technical and social elements of cyber-threat activity.

Second, the ongoing safety of Canadians depends on critical infrastructure as well as consumer and medical goods, many of which are increasingly being connected to the Internet by their manufacturers. However, once connected, these infrastructures and goods are susceptible to cyber-threats, and maintaining their security requires investments over time from manufacturers and owners that can be difficult to sustain.

We have assessed that ransomware directed at Canada will continue to target those large enterprises and critical infrastructure providers. As these entities cannot tolerate sustained disruptions, they are often willing to pay up to millions of dollars to quickly restore their operations. Many Canadian victims will likely continue to give in to ransom demands due to the severe costs of losing business and rebuilding their networks and the potential consequences of refusing payment. The protection of these organizations and networks is crucial to the productivity and competitiveness of Canadian companies, and vital for Canada's national defence.

Finally, state-sponsored actors are very likely attempting to develop cyber-capabilities to disrupt Canadian critical infrastructure to further their goals. However, we judge that it is very unlikely that cyber-threat actors will intentionally seek to disrupt critical infrastructure and cause major damage or loss of life in the absence of international hostilities. Nevertheless, cyber-threat actors may target Canadian critical organizations to collect information, pre-position for future activities, or as a form of intimidation.

While cybercrime is the most likely threat to impact the average Canadian, state-sponsored cyber-programs of China, Russia, North Korea and Iran pose the greatest strategic threat to Canada. We have assessed that state-sponsored actors will almost certainly continue to attempt to steal Canadian intellectual property, proprietary information and, in today's context, information specifically related to COVID-19.

We have also assessed that online foreign influence campaigns are no longer limited to key political events such as election periods. They are now the new normal. Adversaries now look to sustain their influence campaigns across all levels of discourse deemed to be of strategic value. While Canadians are often lower-priority targets for online foreign influence activity, our media ecosystem is closely intertwined with that of the United States and other allies, which means that when their populations are targeted, Canadians become exposed to online influence as well.

I want to reassure you that CSE and the cyber centre are working hard to mitigate many of these threats and protect Canadians and their interests through targeted advice and guidance. CSE continues to leverage all aspects of its mandate to help ensure that Canada is protected against threats. Not only is the “National Cyber Threat Assessment” meant to inform Canadians, but it is also setting the priorities for action by the cyber centre on what actions we can take, often with partners in the private sector who are willing to stand up and assist in directly addressing these threats facing each of us.

A key example of this type of partnership is the Canadian Shield initiative from the Canadian Internet Registration Authority, CIRA. CIRA Canadian Shield is a free, protected DNS service that prevents you from connecting to malicious websites that might affect your device or steal your personal information. The service is provided by the Canadian Internet Registration Authority, a not-for-profit agency that manages the “.ca” Internet domain. The service uses threat intelligence from the Canadian Centre for Cyber Security. In simple terms, if someone who is using Canadian Shield clicks on a link that is known to be malicious, they will be stopped from going to that bad site.

CIRA has seen a number of Canadians pick up the use of this tool, although we would certainly like to see it accelerated more. We are just past the six-month mark. We do recommend that all Canadians take advantage of this free service built by Canadians for Canadians and designed to protect Canadians' privacy.

Through targeted advice and guidance, the cyber centre is helping to protect Canadians' cybersecurity interests. We are dedicated to advancing cybersecurity and increasing the confidence of Canadians in the systems they rely on. We hope this report will help raise the bar in terms of awareness of today's cyber-threats. I encourage Canadians who are looking for easy-to-follow tips on cybersecurity, such as our holiday gift guide, to visit our website, GetCyberSafe.gc.ca.

For businesses and large organizations, or if you would like to read more of the publications of the cyber centre, we can be found at cyber.gc.ca.

Thank you again for the opportunity to appear before you virtually today. I'll be pleased to answer any questions you may have.

Thank you for the question, Mr. Chair, and your comments on the report.

I think there are a few things. If we look at cybercriminals, they very much reply upon an extremely developed ecosystem that relies on things like anonymous financial transactions—Bitcoin and the like. Having online digital currencies really does facilitate that.

In terms of the risk, it's certainly a question that I wish one of my colleagues from the RCMP were here to talk about in terms of prosecutions, but it remains a challenging environment in which you can achieve fraud against a Canadian from remote jurisdictions. As the report points out, there are many jurisdictions in which you will not suffer consequences from local authorities because as long as you don't target their citizens, they're not going to go after you. A bit of a quid pro quo seems to exist, and it certainly has been highlighted in some of the research.

In terms of some of the costs, we do try to impose costs. The government has done a number of attributions to call out state activity that we feel is crossing thresholds and crossing lines. Earlier this year we called out Russia for its activity against vaccine research companies. We have certainly joined our allies a number of times to do that. That was one instance in which we joined in with the United Kingdom and the United States to do that, specifically because it was targeting our areas, but we have, at some points, along with our allies, called out behaviour of each of the four nations I mentioned.

The value of attribution is pretty variable. The primary value of being a cyber defender and somebody who is worried about cybersecurity is that it spurs action. When we do an attribution, it tends to get organizations to take seriously the alerts we put out. When we say, “You need to apply this patch; it's important,” people will respond. When we say, “Apply this patch because country X is targeting this sector, ” they pay attention and they do it. It does have an effect domestically in getting the potential victims to take it seriously and to take action.

In terms of the international side, we certainly have not seen a significant change in the actors' behaviour because of it, but it does form norms. That is something that is probably more appropriate for my Global Affairs colleagues to talk about, and they're probably better positioned to talk about some of the things like sanctions and other aspects of foreign policy. I tend to try to stick to the technical and the cybersecurity elements.

Thank you for that question. There's a lot in there.

We have been working since the beginning to build up the resiliency of the health care community. One of the things we have been working on, which we've done in partnership with the provinces and territories—which clearly have such an important role to play in health care, in providing advice and guidance—is targeted briefings, targeted information, specifically to that health care sector to build resiliency over time. We knew we were going to arrive at a vaccine at some point, so we have been building up resiliency and making sure that the information flows are in place, and also ensuring that they have the information they need to proactively take steps to protect themselves. We've done that through things such as publishing other threat assessments that are specifically for the health sector. We take those, and then on regular weekly calls, we go over any threat we're seeing and how it could apply to the health sector and what could be done about that. We're trying to very much build up resiliency before something happens.

In terms of the current rollout of the vaccine, we are working with, obviously, our colleagues at the Public Health Agency and the overall task force to make sure that the information is in the hands of any organization that would be part of this to make sure we're taking actions earlier. Then, of course, we do leverage our foreign intelligence mandate, so if we do see things that are happening in foreign space or in our group of allies around the world and not necessarily just the Five Eyes.... We have a lot of allies in cybersecurity, and we all look at and share information very quickly to make sure we're getting that information out. Our goal is not to observe the problem but to give somebody, anybody who's a potential victim, something they can use to protect themselves. That's really been our goal.

We continue to look for new ways that we can build up our cyber resiliency in this [Inaudible—Editor].

Mr. Chair, that's a really great question. I'm glad to get the opportunity to address this.

We've been working with Canada's critical infrastructure providers for quite a while. Now, we do have to concentrate on the ones that are most at risk, so when we talk about the electricity sector in this report, that's a sector where we have been working both to build the relationships that we need across the country and with energy providers such as the Canadian Electricity Association to make sure we're addressing cyber-threats proactively.

Over a year ago, one of the things I did was that I participated in the tabletop exercise to simulate what would happen in an event where there was a cybersecurity incident, just to make sure that we're prepared, that we had gone through it and there were no gaps in the process. We continuously are looking to improve here.

This is an area where the technology changes are something that the sector is very aware of. They're very much resiliency based. They understand. They're used to dealing with things like major weather events, etc. Cybersecurity can be looked at as just a different source of the same type of impact. They're organizations that understand risk resiliency, and it's a very easy conversation. We're working closely with them. We are looking to address the threats. We're looking to see how we can expand not only into proactive cybersecurity, but into the discovery of threats before they manifest on the network, and we're looking for some joint projects.

At the cyber centre, one of the areas that we really like to concentrate on is innovation. We do that collaboratively, though. We do that collaboratively by bringing in partners from the energy sector and their suppliers, and we ask them if we can we tackle these problems together. If it is the convergence of operational technology, we ask how we can work with them and other leaders in industry, and we ask how we can detect when there's a threat or when there's somebody targeting and then proactively deal with it.

One of our goals is to make sure that is shared sector-wide from coast to coast to coast with every provider and to get that information out quickly. While one might fall victim, we don't want it to be two. Information sharing is also an important piece here when something is hitting, so that others can be inoculated against the threat as well.

I can. It's really the Canadian Internet Registration Authority's project, and I'm hoping that I'm not scooping them, but they did advise us that earlier this week we now have 100,000 Canadians using the service. That's a good number—although not as much as I would like, honestly, because it does offer a significant boost to the privacy of information.

I do understand that one of the things we really thought about when we designed this and worked with them on the service was for the government to be at arm's length. We didn't want it to look like there was the potential that we were collecting information on Canadians. That's not our mandate. That's certainly not within our law that governs us, but there's also a privacy assessment that went along with it.

I'm hoping that as Canadians do look into this, they will see what's out there. We did have commentary from privacy experts in industry who talked about this program and how it's designed. I'm hoping that more Canadians, as they become aware, will grab onto this, because it is a way for every Canadian to do something to protect themselves, and it's something that is silent and in the background.

For me, here's the way I describe it. We're all worried that we're going to make that one mistake and click on that one link on an email and it's going to have devastating consequences. The goal with Canadian Shield and what we've tried to do is to make sure that if you click, it's not going to have devastating consequence, because it will be blocked. That's kind of what it does.

That's actually a great question that I was really hoping someone would ask me.

It wasn't an easy decision to name countries because it immediately draws the attention from all the other aspects of the report to the four countries named. However, in reality, we, the Government Canada, had called out.... At some point, we had attributed malicious cyber activity to one of these four, or we joined our allies in doing so. So they were the logical four. They are also the four that demonstrated the capabilities that we mentioned in terms of the risk to Canada. We thought that, well, on one hand, it draws the attention away from some of the things we would like to talk about, such as how is it very easy for a fifth country and a sixth country to appear on that list. However, on the other hand, we need to acknowledge the fact that these four countries are out there and represent significant strategic risk to Canada with their capabilities and what they are able to do.

That was some of the discussion, but one of the things I've said is that the decision to name is more from a cybersecurity perspective. We certainly support this, but it is really in alignment with foreign affairs and foreign policy.

I think there are a few things I'm.... I'm a little concerned. The report is meant to inform; we're hoping not to scare. We believe that fear doesn't really motivate Canadians, in most cases, to take action. However, what we are hoping is that we can give Canadians simple things that they can do to help themselves be secure online. Get Cyber Safe is a great source for that, whether it's the Twitter account or the online account. There are some really easy things that we would like to ask Canadians to do.

One of those is passwords. We've seen that the number one password in Canada remains “password”; the number two password is “123456”. That's from a report, and that's pretty common worldwide. That just leaves it open and makes it easy for the cyber-threat actors. I know that passwords are a nightmare for all of us, but something basic like that can actually really strengthen cybersecurity.

The second easy thing that people can do is just turn on auto updates. Instead of having to install the updates manually on your phone or your computer, just set it to auto update. That also raises the bar for cybersecurity. We find that, in the last year or number of years, it is still the basic, out-of-date systems that are causing most of the cybersecurity breaches, so those two things are simple.

With regard to your point, for small and medium-sized enterprises what we have tried to do is also prepare a guide of simple, straightforward things that small and medium-sized organizations can do because they don't need to be—they shouldn't be—cybersecurity experts. That's our guidance for small and medium-sized enterprises. We designed that specifically so that 20% of the effort would result in 80% of the benefits of what we would do from, say, an enterprise-grade cybersecurity program that exists.

We are trying to do things that are practical and pragmatic, and then we do things that are fun—like the holiday gift guide, etc., at this time of year—to hopefully try to help Canadians make some good online security choices.

I think there are a few things.

Certainly, embarrassment and shame and fear about a potential loss of business are preventing organizations from reporting. In cybersecurity, unfortunately, we tend to punish the victim and not the perpetrator in our actions as citizens. We tend to shift away, and so there's an incentive for an organization to not admit when they're victims of a cybersecurity incident.

Then there's the second piece where there is embarrassment because the situation usually involves a mistake. Sometimes it's not because a patch has not been applied, but a lot of times it involves their having clicked on something they shouldn't have, and we have to begin to destigmatize that, and make people aware. You can get fooled. Some of the cybercriminal aspects...I believe it's only a matter of time before I'm going to click on something because some of them are so well done.

So if I know that is the case in my job, then nobody else should be feeling shame for it. I will probably be embarrassed when I click, but I'll get over it.

Lastly, I think some of the things we have seen include indications that insurance companies are telling organizations not to report, not to go to police, which makes this a very challenging thing to respond to, and also to get accurate statistics about, so we that know where to apply our resources on the specific threats. If we wanted to start to work on a particular version of cybercrime, without knowing what's hitting Canadians, where do we start?

Cybercrime is a global enterprise, unfortunately, but we should be focusing on what's targeting Canadians, and that's a challenge both for ourselves and the RCMP, because Canadian organizations just simply are not reporting for whatever reasons—ranging from embarrassment all the way to being advised not to report and pay the ransom to get back online.

Yes, absolutely. I'm happy to answer that.

First of all with regard to DNS, the Internet works on a series of numbers and we go to www.website.com, but the Internet doesn't understand what that is. DNS translates back into the actual address on the Internet, which is called an IP address. So it tells the Internet how to route itself and how to get to the location.

Cybercrime actors take advantage of that, so when you click on a link, if you were going to impersonate the cyber centre, for example, you might create a domain or a website that would say “cyber.gcca”. You might miss the dot and so fool Canadians; they wouldn't see it—that's called “typo-squatting”—and then they would go to something that looks like the cyber centre website, except you're downloading malware when you're there.

So a DNS firewall says, hey, that's accidentally been blocked as an illegitimate site, so when you click, you don't go there. So it stops you from having the consequence of either the mistyped address or the deliberate....

In terms of my using these, I absolutely do. I put them on my personal devices because, frankly, it gives me a level of protection. I admit it's only a matter of time before something happens and I click. I want to make sure that I'm as protected at every level as I can be.