Evidence of meeting #12 for Public Safety and National Security in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.


4:30 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

That's a very profound question.

In terms of the allocation of risk, I think the banking example is an excellent one. Not only do they have cybersecurity elements, but they also do have a substantial amount of anti-fraud, so if they see something that's out of character, it tends to trigger their fraud controls. I've always been quite impressed with that.

I think we've all fallen victim to something like debit card skimming and things like that at some point. Hopefully nobody has, but I had my debit card skimmed once. I think there are some elements there.

Risk is one of those areas where it's really about how to minimize the risk. I'm not sure about risk transference. It's a challenging question. I think, in that case, the question would really be whether you are doing something that's absolutely negligent or not.

Again, that's probably a question best left to a lawyer, not to a cybersecurity engineer. It is something where—

4:30 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Van Popta.

Mr. Van Popta has actually anticipated the question I would like to ask. Maybe we can get to it towards the end because I think it is a live issue.

With that, we have Mr. Iacono, for five minutes, please.

4:30 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

Thank you, Mr. Chair.

Thank you, Mr. Jones, for being with us and keeping us up to date with what's happening in the world of technology.

My fellow citizens in Alfred—Pellan, as well as Canadians in general, are concerned by partial data collection. The concern is related to cyber-attacks and the use of data by commercial businesses for targeted advertising. This, of course, is unacceptable to many people.

Can you tell us how we can teach citizens how to properly protect their personal data?

4:30 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Thank you for that question, which I think really does go to the root of some of the things we talked about in the national cyber-threat assessment.

The amount of personal data that's out there on us now is quite extensive. One thing that's been noted is that in any cyber-attack, not only do they have things like your usernames and passwords that they've stolen from other places; in many cases, they also have the answers to your security questions—your mother's maiden name, your first pet, what school you went to and things like that. Those things that we always relied on as kind of a second barrier to security are now just the same as the password type of thing. It's critical.

To protect information, I always ask, “Why does somebody need to know this? Are they asking something that's legitimate?” If I'm going on and buying an online purchase and they ask for my social insurance number, they don't need that for the purchase. I'll walk away. They need to start collecting the minimum amount of information viable. The second thing I think about is the risk I am taking on. Of course I do online shopping, not just because of the pandemic but also because it's convenient for me. Where is it going? Who's behind this service? Is it using a third party payment system? That can protect you financially. In reality, though, things like credit cards do have good protection.

It really boils down to, “Do they really need to know?” Over-collecting of information is something we certainly look at. Even when we designed the cyber centre, we made it so that there's a phone number people can call for help. We looked at the minimum information we absolutely needed to be able to respond and help the person, and then we did a privacy assessment on that to protect it. That's something I think every business should be looking at: “Do I really need to know all of this? Do I really need to keep the history of every purchase they made?” Maybe they do. There could be a real reason for that. That's something I think the privacy commissioners have advice on.

From a cybersecurity perspective, the more information we put out there and the more information we put on our social media accounts, the more vulnerable we're making ourselves. Frankly, we're giving them the information they need to target us.

4:35 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

Thank you.

For several years, we have been aware of the illegal activities and transactions that take place on the deep Web. For example, there is drug trafficking, prostitution, arms trafficking and even contract killings.

Can you tell us if we have been able to put in place means to reduce these worrisome activities and track the criminals in question?

4:35 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I think that investigators at the RCMP, or perhaps at the Sûreté du Québec, for example, might be in a better position to answer about the investigation phase.

One of the risks we see is that the dark web is certainly facilitating cybercriminals and cybercrime tools. There is an entire ecosystem out there where you can go on and say, “I want a tool that's going to allow me to do this.” Let's say you want to target this type of organization, or even a specific organization. They'll bid and tell you what it will cost. You can pay for 24-7 support or you can pay for a custom tool to be developed for you to achieve your goals.

Then there's the organized crime that goes behind all of that. It is a large enterprise out there. It's facilitated by the dark web and anonymous payment systems like Bitcoin and online currencies. One of the key challenges is that the entire system is designed to be anonymous and to not have attribution.

4:35 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

I see.

As far as cyber-attack tools are concerned specifically, since they are technologically advanced materials, it is reasonable to assume that their manufacture is not easily within reach.

Are you able to tell us, today, who these manufacturers are? Are we able to stop them from selling the equipment on Canadian soil? More importantly, are we able to seize anything in the marketplace that can be used to hurt us?

4:35 p.m.

Liberal

The Chair Liberal John McKay

Unfortunately, Mr. Iacono has gone over his five minutes. It is an important question. Perhaps you can circle back to it in another answer.

Mr. Kurek, you have five minutes, please.

4:35 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you very much, Mr. Chair.

Thank you, Mr. Jones. This is very enlightening. It's certainly an important subject, especially in the circumstances we find ourselves in regarding COVID. I hope to get through a few questions.

Are there any areas in which Canada is at a higher risk, or is more susceptible, due to evolution in the use of the Internet since the start of the COVID-19 pandemic and the explosion of online capacity required to deal with the pandemic?

4:35 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Let's say there are a few areas where we would say that we have to be very careful about the increased risks. One thing is that with so many of us working from home, the fact is that it has changed our technology environment. We're mostly working outside of our organization's perimeter, so in terms of a lot of the defences we relied upon, many Canadians are now working from home and connecting directly to the Internet.

There are ways to try to minimize and mitigate those risks. Those are some of the things we published, but this is probably one of the biggest risks; it's the fact that we're now outside of the defensive perimeter that was set up. In some cases, we're not. For example, I never leave our defensive perimeter because of the way we have set up our remote access. We designed this to work remotely so that I could work from home and stay behind our full suite of cyber defences. In the majority of the government, it's like that.

For a lot of organizations, though, one of the things we have encouraged them to do is to make sure they are either doing something similar to the design we have for government or supplementing with other defences that are there.

That would be one of the major risks, but also, then, we're holding more data at home, and we're having conversations like this, although this is a public forum. There are things like that where we just need to be conscious of what we're doing as well.

4:35 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you very much for that.

Obviously, health infrastructure is at the front of everybody's mind with the advent of COVID over the last 10 months or so. Have we seen an increase in the threats faced by our health care systems?

How is your organization able to assist in ensuring that the briefings don't get to just the federal government, but that the information is getting onto the ground to ensure that for local hospitals, local clinics and doctors who are working from home—and, in many cases, Canadians who are video-conferencing with their doctors—the whole system is protected?

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

That question really goes to some of the heart of what we've been doing. The goal is to not have this information sitting inside of the federal government, but to get it out into other hands. I mentioned this earlier when I talked about the weekly call we do with the health sector. That includes our provincial and territorial colleagues, but also any organizations that come to the table. That grows every week as more people sign up for it, and we're happy to walk through what we're seeing on cybersecurity, including advice and guidance.

In general, though, when we also see.... This is where we do leverage in terms of what our foreign intelligence mandate can tell us in terms of where targeting is happening. We have gone out to specific organizations where we see things and have given them tailored advice because they're a system of importance to the government. Really, it's about getting that information into the hands of somebody...our goal is to get it before they are a victim so that they can proactively take steps to protect themselves. That's what we do every week, and we do it consistently.

Then, of course, we publish a number of alerts and advisories that go to sectors. We published the threat assessment for the health sector, and we made that public. We sent it to the health sector ahead of time as well to say what it was that we were going to be saying about things they needed to be aware of. We're really trying to raise the knowledge of the sector, but also to work with them on what solutions will work as well. Our goal is to encourage them to share within the sector best practices—

4:40 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

I apologize. I have about a minute left, and I'm hoping to get in one last question. I don't mean to cut you off.

We are in what is being considered an “infodemic”. There's a ton of information, a ton of misinformation and then a whole bunch that's somewhere in the middle, and I think that's what makes conspiracies believable, because there's always that little bit of truth.

Specifically, regarding the integrity of Canada's democracy, I would ask for your comments on threats to Canadian democracy, elections or any infrastructure associated with that.

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

That's big.

We're really talking about some of the things we've highlighted in our first and second “Cyber Threats to Canada's Democratic Process” reports that we've issued to really try to highlight some of those. It remains a challenge.

Now, I think the response isn't necessarily a cybersecurity response. You'll see Elections Canada stepping in about disinformation. You face this as members of Parliament and as candidates at some point, etc., and how to combat that.... It is one of those areas where, from a cybersecurity perspective, we're very limited in what we can do, because it is just bad information being posted somewhere, frankly, and we're not in a position to be the arbiters of truth.

But it is something where we always are looking to say, number one, how do we bolster our cybersecurity? The goal of the report itself was to debunk some of the threats and some of the misinformation that could be out there and to say, no, this is how democracies work. You can't go online and just change Canada's vote tallies, as there are procedures in place, etc.

4:40 p.m.

Liberal

The Chair Liberal John McKay

We're going to have to leave it there, notwithstanding many efforts south of the border to change the vote tallies.

Madam Damoff, you have five minutes, please.

December 9th, 2020 / 4:40 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

Thank you, Mr. Chair.

It's wonderful to have you here, Mr. Jones.

Thank you for your work and for your report. It's really helpful. You are presenting it in a way that Canadians can understand. A lot of this is far beyond our knowledge. It's important to simplify it so we know what we're talking about.

Back in 2018 you said you were “confident sufficient safeguards exist to deal with the risks of telecommunications hacking or spying by China”, but you acknowledge that risk could increase with the introduction of 5G.

This week Citizen Lab came out with a report. I don't know if you've seen it, but it said that Canada's 5G strategy shouldn't “be designed to solve a Huawei problem”, but it should address a 5G problem “to ensure the resiliency, security”.

I'm wondering if you could speak a little about that and about what kind of strategy we should be looking at as we move and companies move to 5G.

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I'll have to be careful because the policy decision is still pending.

In general, what we're looking at when we're looking at anything approaching a 5G network is that the system needs to be secured in layers, everything from how it's maintained to who's accessing it, to the variety of equipment itself, to whether the software used is open source, publicly scrutinizable or closed, meaning it comes from a particular vendor, and then it's also how we leverage it. That's one of the things where modern telecommunications offer a significant advantage now.

We used to rely on the network itself for security and how you transmitted because encryption couldn't be used. It was too expensive. Our devices weren't fast enough to do it. It is a challenge, when you talk about the law enforcement context.

Encryption offers protection for private information that you're transmitting. It's hard to observe. Encryption is now enabled more and more on our devices by default. All of the Government of Canada websites mandate that they're encrypted. So encryption itself is protecting confidentiality and the ability to know what I'm saying or what's happening.

The second piece is the integrity, knowing that when I send a message, nobody is modifying it. That's one of the areas where we need to think about end to end. For example, if the city is facilitating an ambulance to get to the hospital and is changing the lights, you want to make sure that it's not sending green, green, where traffic will cross—things like that. That's the integrity of the message, meaning that the message you want to send is getting there exactly as determined. You use encryption for that. You don't really care if somebody sees the message; you just care that they can't change it.

Then there is availability: we need the networks to be there. That's where we really look at a robust strategy talking about vendors building better equipment and better software. How is it tested? It's international in scope to make sure that it meets minimum standards, but you also have multiple vendors in place. We want a multi-vendor strategy. We want diversity in the market. We want these things in every section regardless of the type of network or the type of equipment. We're always better off than when it's a monopoly.

We really want to leverage all of those things. That's what I think the Citizen Lab report was getting at. It said it's multi-faceted. There's not one solution to the challenge we face; you need to apply multiple different aspects of security. That's certainly what we try to layer into any security program we do. It's not unique to the next generation mobile network versus a fixed network or anything that's.... For example, we use the same security modelling for the incredibly high-speed network I have at home right now.

4:45 p.m.

Liberal

Pam Damoff Liberal Oakville North—Burlington, ON

I'll be quick because I only have a minute left.

Canadians had expressed concerns about the COVID app and giving away their private information, which we know is not the case. Yet the same people will upload a photo of themselves to an app that will automatically age their face, without even thinking that all of that was going to a Russian company. How do we get past that? You see it on social media all the time, where people are providing access to photos and private information. Let's share personal information that ends up being used for security questions, and you answer them openly on Facebook. How do we educate Canadians about that?

4:45 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

It's certainly a challenge, and I wish I had an answer to that question. It's certainly one of the challenges we face.

The COVID alert app was a frustrating experience because of that exact concern. From my perspective, the application was built in the open. We tested it with commercial providers to make sure that we had done everything we could to test for vulnerabilities or just coding errors. It was open sourced. Privacy commissioners reviewed it, but it still persists. It just comes with, “Well, it's the government”.

I saw a cartoon. It was the 1950s. It read, “I can't talk. The government might be listening on the phone”. And now, you say, “Hey, listening device”, which is one of those home speakers we have, “tell me what I'm doing?” It's recording everything we're saying. It's this dichotomy out there, where people are....

I wish I had a great answer.

4:45 p.m.

Liberal

The Chair Liberal John McKay

Who knew Siri was out there in 1950?

Madame Michaud, you have two and a half minutes, please.

4:45 p.m.

Bloc

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

Thank you, Mr. Chair.

I would like to thank my colleague Ms. Damoff for her interesting question. And the answer, in fact, was just as interesting.

I am particularly interested in the task force that was created, and in which the centre participated to protect the 2019 federal election from foreign interference, especially given the fact that an election could come sooner than expected. This is worrisome.

I can't help but think of all the things we've seen on TV, for example The Great Hack and The Social Dilemma. I don't know if my colleagues have seen them, but there's definitely something worrying there.

What specific measures have emerged from this task force to counter misinformation campaigns or foreign interference in federal or provincial elections?

Are there any specific actions or recommendations that have been made by this working group?

4:50 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I'm going to assume that you're talking about the work of the security and intelligence threats to the elections task force that CSE chaired on behalf of the community.

We're doing a few things. We did work with Elections Canada to support them overall on cybersecurity. I could go into a lot of detail on that, but so could the Chief Electoral Officer and his team.

One of the aspects for us was also making sure that every registered political party that wanted to was getting regular cyber briefings. My team did that on an ongoing basis throughout the campaign to make sure that we shared any cyber-threats that we were seeing. We also contextualized it to say what was really important and what they could be expecting to see. That tended to be with the officials inside of the party.

We also had the hotline set up where political parties could call if they needed assistance with something, such as fake social media accounts, etc. Most of the social media providers were fairly responsive to those types of things. We would try to ensure that connections were made there.

It does remain a challenge. That's one of the areas where we are always looking for ways to connect.

On the other hand, one of the things that has been repeatedly reinforced to me is that if, for example, you are impersonated on social media, I cannot make a complaint on your behalf. You have to do that. The social media companies are quite adamant about that. It's one of the areas where, if something like that does happen, we try to facilitate and hopefully accelerate getting a resolution. We did see some incidents like that where parties asked for some support.

Then, of course, in the report itself—the first and second ones—were the threats to Canada's democratic processes, where we really try to lay the groundwork for what cyber-threats we expect to see to Canada's democratic institutions.

4:50 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Ms. Michaud.

Mr. Harris, you have two and a half minutes.

4:50 p.m.

NDP

Jack Harris NDP St. John's East, NL

Thank you, Mr. Chair.

Mr. Jones, could you tell us what's the difference between cyber defence and cybersecurity?

We know your agency reports to the Minister of Defence. As my recollection of defence critic, I don't think you're part of the department. The military, of course, has to protect its own infrastructure, equipment, communications and all of that.

Is your agency involved in defence planning in any way? You talked about table-top exercises with the electrical power grid people. Do you engage in these kinds of exercises with the military in terms of defence planning or scenarios planning for military activity?

4:50 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

We are part of the Department of Defence and we report to that minister. We report to the minister, but we are a separate agency under Defence. I almost slipped back seven years there for a second.

With “cyber defence” we're really talking about when we're actively doing something to prevent a cybersecurity incident. We're taking a block. We are the cyber defenders of the Government of Canada. We take over two billion actions a day, over and above those that are available commercially to protect the Government of Canada. We have a cyber defence part of our program.

“Cybersecurity” is the broader term that we use. That's also about the proactive measures. Rather than just taking action at the point of compromise, it's building those defences and building it to be secure from the start. It's security by design. That's really, in my mind, where we differentiate cybersecurity from cyber defence. Cyber defence really is about that action you take to protect.

In terms of our work with the Department of Defence, obviously they are responsible for the defence of their systems. They're the experts on military equipment, but we do provide a number of services. One would be cartography and the encryption systems that they use to protect all Canadian forces operations. That's a 70-year partnership where we've worked with them on those types of things. We certainly work with defence on any exercise planning.

We would also do that with any other organization to say how we respond to any cybersecurity incidents. We really look for opportunities to raise that bar proactively. We would do that as part of our mandate.