Public Safety Committee on Dec. 9th, 2020

Absolutely, it's a much higher hurdle to jump over than if you have a simple and easily guessed password and you reuse your password.

Oh, oh!

I'll have to stick to the cyber advice, which would be our expertise.

First, if you do see something, whether it's a text message that seems to be spam or an email, report that. There are various ways to do it to your service providers. If you fill in 7726, which spells “SPAM” on your phone, and you send your spam text messages there, those go in and they deal with those. In some cases, they do share that information.

Certainly, if people are seeing malicious and threatening emails, or that contain malware or look suspicious, there are ways to submit them in safe ways. People tend not to do that, but there are ways to do it.

Make sure that your systems are always up to date if you feel that you're under threat with regard to cybersecurity. The biggest vulnerability is the system's being out of date—or unpatched, depending on if I slip into techy terms or not.

Oh, oh!

A bit of some of that might touch on some classified issues, but I can certainly talk about it and hope I answer your question fully.

There are a few things. Typically, what we're talking about here is that the way the Internet routes itself is that it works on what is the cheapest route, usually meaning fastest. You can pretend to be the cheapest route and fastest, which forces the Internet to direct across it. The technique for that is called “BGP hijacking”, but I won't go into all the techy grossness of it.

That's one of the things that we've been working on in partnership with telcos. I talked about innovation before, and we do look at ways to innovate and work with our telcos to detect this type of activity, and moreover, to ask what are the defensive ways we can do things to prevent this?

It isn't something that happens a lot, but it is something that can happen and it's something that we're looking for. We're looking for ways to mitigate and defend against it, but at the same time, though, not reduce the reliability of the Internet.

It is something where you're talking about big shifts, so it is a bit of a concern. Really, you're talking about being able to mass all the data that's going from one place to another, so encryption is a great defence against that.

With our apps, right now for example we are on an encrypted Zoom channel. You can't publicly just tap into this; you have to be able to sign in, and so on. There's encryption there. When I send a message over any of the messaging apps, and so on, that's encrypted.

Our websites are all encrypted now as well for the government, and hopefully, more and more commercial sites are fully encrypted. That immediately puts a barrier to actually using that information for anything, other than getting a whole bunch of encrypted data that you can't do anything with.

Those are some of the defences.

Absolutely. We started with the telecommunications sector, where we see from a cybersecurity perspective that they're the root of so much, but then we've expanded that into the energy sector, particularly concentrating on the electricity sector from coast to coast. So we do have partners that we're working with and have absolutely contacted the senior levels of those companies. We always look to grow those partnerships. I just described the work we did with the telecommunications companies. We're looking at doing something similar with the electricity companies—co-development, where they invest with us on how to combat this—to address some of the threats they're facing in research development. One of the criteria is that as we learn things, it has to be shared with everybody in the sector.

If we work with one specific company, we are very conscious never to create a competitive advantage for them. We want to make sure it's going to the whole sector. We're the government; our goal is to make sure that it's coast to coast to coast, and also shared openly so we can all benefit from it no matter where you are. There are bigger companies in Canada, and they have more resources. We've seen them step up. We've seen their senior executives step up. We work with them. I have fairly regular meetings with senior executives from the energy companies, for example, and also from the telcos, just to make sure that we're on track and are addressing the biggest threats. They have a very good understanding of risks. That's growing, but it still needs to grow.

To your point, critical infrastructure is large. There are a number of providers. It is very dispersed in Canada. We are looking for some leaders, but also for organizations like industry associations to bring all of their members to the table and represent them to us.

Absolutely, we know about them. It's always good to see any organization stand up. We have never claimed to have a monopoly on innovation or on addressing this problem. We try to come humbly to the table with our knowledge, knowing that others have expertise and will come at the problem from a different perspective.

There's always opportunity. We are trying to put out some of our challenges. We've done them through research challenges. CSE has published them. We worked with the NRC to publish some of our research challenges for the more research type of pieces than the development pieces. Then we also have events where and hosted something called GeekWeek in October. Organizations can come and apply. It was virtual this year, of course. Normally it's in person. Over 200 cybersecurity professionals from Canada, academia, industry, government and international come together to start to tackle those problems together. That would be another area where we could contribute and collaborate on research projects.

Finally, we're always open to good ideas. I have a partnership group that looks for places that we can work with together on things like collaborative cyber defence. We're always looking for great ideas and hearing what people have to say.

This is going to come across as a little bragging. These organizations all existed. Public Safety Canada, for example, had the Get Cyber Safe campaign ahead of time. At CSE we've had the IT security branch since the late forties or early fifties, primarily based on cryptography but growing into cybersecurity. Then, of course, Shared Services Canada had security operations. We brought all of those together, because we needed to start addressing this whole-of-economy thing.

In terms of what we've done, there's really been a collaborative approach with industry and partnerships. It's not, “We're the federal government and we're here to help.” Rather, it's, “We're the federal government and we want to work with you. You have knowledge and expertise as well.”

The second thing is that we've tried to make our advice and guidance practical. All our guidance, not only for small and medium-sized enterprises, is being rewritten to say, realistically, what should be done by a normal Canadian, not a computer scientist with a Ph.D. We wrote our advice and guidance to be almost inaccessible, and it's now accessible. I'm just really pleased to hear all the comments on the report. I really appreciate the feedback that it is accessible. It was written for every one of us to be able to read.

Third, we have done a lot on collaborative cyber defence, working with industry partners to say that we can solve this problem together. We bring certain expertise to the table. The Government of Canada has very good defences in place that we've built over the last decade. How can we apply those lessons learned? Canadian Shield is an example of that with the Canadian Internet Registration Authority. We do things with our telecommunications companies, critical infrastructures providers and of course the provinces and territories. That's an area where we're still developing our relationships, but we've certainly seen various provinces come to the table and say that we should work together. I can't think of a province or a territory where we don't have some ongoing relationship right now. One of the goals is to make sure there is a pan-Canadian approach.