Public Safety Committee on Dec. 9th, 2020

Thank you for the question, Mr. Chair, and your comments on the report.

I think there are a few things. If we look at cybercriminals, they very much reply upon an extremely developed ecosystem that relies on things like anonymous financial transactions—Bitcoin and the like. Having online digital currencies really does facilitate that.

In terms of the risk, it's certainly a question that I wish one of my colleagues from the RCMP were here to talk about in terms of prosecutions, but it remains a challenging environment in which you can achieve fraud against a Canadian from remote jurisdictions. As the report points out, there are many jurisdictions in which you will not suffer consequences from local authorities because as long as you don't target their citizens, they're not going to go after you. A bit of a quid pro quo seems to exist, and it certainly has been highlighted in some of the research.

In terms of some of the costs, we do try to impose costs. The government has done a number of attributions to call out state activity that we feel is crossing thresholds and crossing lines. Earlier this year we called out Russia for its activity against vaccine research companies. We have certainly joined our allies a number of times to do that. That was one instance in which we joined in with the United Kingdom and the United States to do that, specifically because it was targeting our areas, but we have, at some points, along with our allies, called out behaviour of each of the four nations I mentioned.

The value of attribution is pretty variable. The primary value of being a cyber defender and somebody who is worried about cybersecurity is that it spurs action. When we do an attribution, it tends to get organizations to take seriously the alerts we put out. When we say, “You need to apply this patch; it's important,” people will respond. When we say, “Apply this patch because country X is targeting this sector, ” they pay attention and they do it. It does have an effect domestically in getting the potential victims to take it seriously and to take action.

In terms of the international side, we certainly have not seen a significant change in the actors' behaviour because of it, but it does form norms. That is something that is probably more appropriate for my Global Affairs colleagues to talk about, and they're probably better positioned to talk about some of the things like sanctions and other aspects of foreign policy. I tend to try to stick to the technical and the cybersecurity elements.

Thank you for that question. There's a lot in there.

We have been working since the beginning to build up the resiliency of the health care community. One of the things we have been working on, which we've done in partnership with the provinces and territories—which clearly have such an important role to play in health care, in providing advice and guidance—is targeted briefings, targeted information, specifically to that health care sector to build resiliency over time. We knew we were going to arrive at a vaccine at some point, so we have been building up resiliency and making sure that the information flows are in place, and also ensuring that they have the information they need to proactively take steps to protect themselves. We've done that through things such as publishing other threat assessments that are specifically for the health sector. We take those, and then on regular weekly calls, we go over any threat we're seeing and how it could apply to the health sector and what could be done about that. We're trying to very much build up resiliency before something happens.

In terms of the current rollout of the vaccine, we are working with, obviously, our colleagues at the Public Health Agency and the overall task force to make sure that the information is in the hands of any organization that would be part of this to make sure we're taking actions earlier. Then, of course, we do leverage our foreign intelligence mandate, so if we do see things that are happening in foreign space or in our group of allies around the world and not necessarily just the Five Eyes.... We have a lot of allies in cybersecurity, and we all look at and share information very quickly to make sure we're getting that information out. Our goal is not to observe the problem but to give somebody, anybody who's a potential victim, something they can use to protect themselves. That's really been our goal.

We continue to look for new ways that we can build up our cyber resiliency in this [Inaudible—Editor].

Mr. Chair, that's a really great question. I'm glad to get the opportunity to address this.

We've been working with Canada's critical infrastructure providers for quite a while. Now, we do have to concentrate on the ones that are most at risk, so when we talk about the electricity sector in this report, that's a sector where we have been working both to build the relationships that we need across the country and with energy providers such as the Canadian Electricity Association to make sure we're addressing cyber-threats proactively.

Over a year ago, one of the things I did was that I participated in the tabletop exercise to simulate what would happen in an event where there was a cybersecurity incident, just to make sure that we're prepared, that we had gone through it and there were no gaps in the process. We continuously are looking to improve here.

This is an area where the technology changes are something that the sector is very aware of. They're very much resiliency based. They understand. They're used to dealing with things like major weather events, etc. Cybersecurity can be looked at as just a different source of the same type of impact. They're organizations that understand risk resiliency, and it's a very easy conversation. We're working closely with them. We are looking to address the threats. We're looking to see how we can expand not only into proactive cybersecurity, but into the discovery of threats before they manifest on the network, and we're looking for some joint projects.

At the cyber centre, one of the areas that we really like to concentrate on is innovation. We do that collaboratively, though. We do that collaboratively by bringing in partners from the energy sector and their suppliers, and we ask them if we can we tackle these problems together. If it is the convergence of operational technology, we ask how we can work with them and other leaders in industry, and we ask how we can detect when there's a threat or when there's somebody targeting and then proactively deal with it.

One of our goals is to make sure that is shared sector-wide from coast to coast to coast with every provider and to get that information out quickly. While one might fall victim, we don't want it to be two. Information sharing is also an important piece here when something is hitting, so that others can be inoculated against the threat as well.

I can. It's really the Canadian Internet Registration Authority's project, and I'm hoping that I'm not scooping them, but they did advise us that earlier this week we now have 100,000 Canadians using the service. That's a good number—although not as much as I would like, honestly, because it does offer a significant boost to the privacy of information.

I do understand that one of the things we really thought about when we designed this and worked with them on the service was for the government to be at arm's length. We didn't want it to look like there was the potential that we were collecting information on Canadians. That's not our mandate. That's certainly not within our law that governs us, but there's also a privacy assessment that went along with it.

I'm hoping that as Canadians do look into this, they will see what's out there. We did have commentary from privacy experts in industry who talked about this program and how it's designed. I'm hoping that more Canadians, as they become aware, will grab onto this, because it is a way for every Canadian to do something to protect themselves, and it's something that is silent and in the background.

For me, here's the way I describe it. We're all worried that we're going to make that one mistake and click on that one link on an email and it's going to have devastating consequences. The goal with Canadian Shield and what we've tried to do is to make sure that if you click, it's not going to have devastating consequence, because it will be blocked. That's kind of what it does.

That's actually a great question that I was really hoping someone would ask me.

It wasn't an easy decision to name countries because it immediately draws the attention from all the other aspects of the report to the four countries named. However, in reality, we, the Government Canada, had called out.... At some point, we had attributed malicious cyber activity to one of these four, or we joined our allies in doing so. So they were the logical four. They are also the four that demonstrated the capabilities that we mentioned in terms of the risk to Canada. We thought that, well, on one hand, it draws the attention away from some of the things we would like to talk about, such as how is it very easy for a fifth country and a sixth country to appear on that list. However, on the other hand, we need to acknowledge the fact that these four countries are out there and represent significant strategic risk to Canada with their capabilities and what they are able to do.

That was some of the discussion, but one of the things I've said is that the decision to name is more from a cybersecurity perspective. We certainly support this, but it is really in alignment with foreign affairs and foreign policy.

I think there are a few things I'm.... I'm a little concerned. The report is meant to inform; we're hoping not to scare. We believe that fear doesn't really motivate Canadians, in most cases, to take action. However, what we are hoping is that we can give Canadians simple things that they can do to help themselves be secure online. Get Cyber Safe is a great source for that, whether it's the Twitter account or the online account. There are some really easy things that we would like to ask Canadians to do.

One of those is passwords. We've seen that the number one password in Canada remains “password”; the number two password is “123456”. That's from a report, and that's pretty common worldwide. That just leaves it open and makes it easy for the cyber-threat actors. I know that passwords are a nightmare for all of us, but something basic like that can actually really strengthen cybersecurity.

The second easy thing that people can do is just turn on auto updates. Instead of having to install the updates manually on your phone or your computer, just set it to auto update. That also raises the bar for cybersecurity. We find that, in the last year or number of years, it is still the basic, out-of-date systems that are causing most of the cybersecurity breaches, so those two things are simple.

With regard to your point, for small and medium-sized enterprises what we have tried to do is also prepare a guide of simple, straightforward things that small and medium-sized organizations can do because they don't need to be—they shouldn't be—cybersecurity experts. That's our guidance for small and medium-sized enterprises. We designed that specifically so that 20% of the effort would result in 80% of the benefits of what we would do from, say, an enterprise-grade cybersecurity program that exists.

We are trying to do things that are practical and pragmatic, and then we do things that are fun—like the holiday gift guide, etc., at this time of year—to hopefully try to help Canadians make some good online security choices.

I think there are a few things.

Certainly, embarrassment and shame and fear about a potential loss of business are preventing organizations from reporting. In cybersecurity, unfortunately, we tend to punish the victim and not the perpetrator in our actions as citizens. We tend to shift away, and so there's an incentive for an organization to not admit when they're victims of a cybersecurity incident.

Then there's the second piece where there is embarrassment because the situation usually involves a mistake. Sometimes it's not because a patch has not been applied, but a lot of times it involves their having clicked on something they shouldn't have, and we have to begin to destigmatize that, and make people aware. You can get fooled. Some of the cybercriminal aspects...I believe it's only a matter of time before I'm going to click on something because some of them are so well done.

So if I know that is the case in my job, then nobody else should be feeling shame for it. I will probably be embarrassed when I click, but I'll get over it.

Lastly, I think some of the things we have seen include indications that insurance companies are telling organizations not to report, not to go to police, which makes this a very challenging thing to respond to, and also to get accurate statistics about, so we that know where to apply our resources on the specific threats. If we wanted to start to work on a particular version of cybercrime, without knowing what's hitting Canadians, where do we start?

Cybercrime is a global enterprise, unfortunately, but we should be focusing on what's targeting Canadians, and that's a challenge both for ourselves and the RCMP, because Canadian organizations just simply are not reporting for whatever reasons—ranging from embarrassment all the way to being advised not to report and pay the ransom to get back online.

Yes, absolutely. I'm happy to answer that.

First of all with regard to DNS, the Internet works on a series of numbers and we go to www.website.com, but the Internet doesn't understand what that is. DNS translates back into the actual address on the Internet, which is called an IP address. So it tells the Internet how to route itself and how to get to the location.

Cybercrime actors take advantage of that, so when you click on a link, if you were going to impersonate the cyber centre, for example, you might create a domain or a website that would say “cyber.gcca”. You might miss the dot and so fool Canadians; they wouldn't see it—that's called “typo-squatting”—and then they would go to something that looks like the cyber centre website, except you're downloading malware when you're there.

So a DNS firewall says, hey, that's accidentally been blocked as an illegitimate site, so when you click, you don't go there. So it stops you from having the consequence of either the mistyped address or the deliberate....

In terms of my using these, I absolutely do. I put them on my personal devices because, frankly, it gives me a level of protection. I admit it's only a matter of time before something happens and I click. I want to make sure that I'm as protected at every level as I can be.