Evidence of meeting #12 for Public Safety and National Security in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Scott Jones  Head, Canadian Centre for Cyber Security, Communications Security Establishment

4:50 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Harris.

Sorry, I cut you off a little early, Mr. Jones. Do you want to complete that sentence?

4:50 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Yes, I just want to say finally that part of the CSE Act is about defensive cyber-operations and foreign cyber-operations and being able to take action when Canada is threatened and with the authorization or the acknowledgement of the Minister of Foreign Affairs and the Minister of Defence to say that we need to take action in foreign space to protect Canada as well. That's part of the CSE Act that Parliament passed.

4:55 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Harris.

Earlier in your answer, I thought, you said there were something like two billion attacks a day.

4:55 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

We take two billion actions per day to prevent some malicious activities. Some of those are scanning the government, looking for vulnerabilities. Others are malware that is attempting to have itself downloaded.

4:55 p.m.

Liberal

The Chair Liberal John McKay

Really? That seems like a lot of attacks.

4:55 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Well, some of it is bulk scanning. It's like somebody is going to every government computer and rattling the doors and checking the windows to see if you left anything unlocked. So we stop that. If you can't see our vulnerabilities, you can't exploit them.

4:55 p.m.

Liberal

The Chair Liberal John McKay

Okay. Thank you.

Mr. Kurek, go ahead for six minutes.

4:55 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

Thank you very much, Mr. Chair.

This has been a topic of some debate in Canadian politics as of late, brought on by a fairly explosive New York Times editorial regarding MindGeek and the abusive videos on the site Pornhub and other things. I'm just wondering if you have any comments on what can be done for victims of some of these terrible crimes, such as child pornography or rape. I would love to hear the practical solutions, the recommendations you would have to ensure that these terrible practices could be stopped.

4:55 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Well, it's a disturbing question just because of the material, but it's a deep question as well. I think the broader answer, the best position, would come from my colleagues at Public Safety Canada who really are looking at the online harms aspect to see how to reduce that.

Some of the cybersecurity elements—techniques and tools—that we emphasize are aimed at helping prevent people from getting into situations such that they could be exploited in that way or prevent their kids from being exploited in those ways. That's really one of the challenges.

I think one of the other areas that is a big challenge, though, is that these platforms are designed to be barrier free in a lot of cases. One of the famous Internet memes, again from the New York Times, is actually that, “On the Internet, nobody knows you're a dog.” Because people are so anonymous, you have no clue who is behind that. That's one of the things with online harms. How do you balance that fact with who is interacting with the kids, or with who is interacting with me online, etc? You can be anonymous, and that enables a lot of activity. But the broader answer to some of those questions should probably come from Public Safety Canada. From a cybersecurity perspective, we can continue to give tips and hopefully help people keep their kids and themselves safe online too.

4:55 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

I appreciate that. Certainly there is the prevention part and then there is the cybercrime part and then there are a whole bunch of other aspects that need to be addressed.

One of the concerns—and this goes back to the conversation about information and misinformation—is with foreign state-directed editorials and advertorials, and the threatening of or influencing of cultural groups or whatever the case may be in Canada, with foreign state actors using an online presence to try to direct influence within Canada. I am wondering if you could comment on that and on anything that could be done to help ensure that there is integrity in that side of things?

4:55 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I really wish my colleagues from Canadian Security Intelligence Service were here to take the lead on this. From our perspective in the cybersecurity realm, our challenge really is trying to inform people, through a national cyber-threat assessment, and to say, “look for factual information.” The Internet is designed to be open and free and to allow this type of communication. From our perspective, as the cybersecurity agency, the advice we have is really to look with a wary eye and not to just trust what you're finding online. On the other hand, I think Public Safety Canada is probably better positioned to talk about some of the actions that can be taken. From my perspective, it looks like and it is legitimate Internet traffic. I don't mean to legitimize it, but I'm trying to say that it doesn't look like it's a malicious cyber-activity. It's not malware or some other aspect like that which is trying to exploit technical aspects of cybersecurity.

5 p.m.

Conservative

Damien Kurek Conservative Battle River—Crowfoot, AB

That's fair.

Finally, we talk a lot about the cloud and how that provides a certain level of security that would not have been accessible as of late because you don't have to have servers and the physical-locked door and the various layers of cybersecurity to ensure that it could be safe. With the cloud, obviously, it's somebody else's responsibility. One of the further challenges with that is that you have a massive system that holds an unbelievable amount of data. Although there's a greater level of security, there are risks associated with this on a much larger scale, although it's much more difficult to infiltrate.

I wonder if you can comment as to how those risks are mitigated, because that especially impacts small- and medium-sized enterprises that will purchase a cloud storage option for $20 a month or $50 a month, which gives them access to the services, but the scale challenges exist there as well.

5 p.m.

Liberal

The Chair Liberal John McKay

Unfortunately, Mr. Kurek has gone way over his allocated time. If you can work your answer in some other way....

Madame Lambropoulos, are you up for a five-minute question, please?

5 p.m.

Liberal

Emmanuella Lambropoulos Liberal Saint-Laurent, QC

Yes, thank you, Mr. Chair.

Thank you very much, Mr. Jones, for being with us and answering our questions.

I have two questions for you.

With all the trade agreements we've signed over the past five years, more and more Canadian companies are doing business in global markets, as you know. It's great for the Canadian economy, it's convenient and it's good for business.

In the domestic cyber threat assessment, you indicated that the threat of online espionage is certainly much higher for Canadian companies doing business abroad or working directly with foreign state-owned companies.

You've already touched on the subject and given suggestions on how Canadians and businesses can protect themselves. I'd like to know if you have any advice for companies that have direct contact with actors who may be sponsored by foreign states that could threaten cybersecurity.

5 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Great. Thank you for that question. There are risks, and it depends on which country we're looking at. Specifically recall that we talked about state-owned enterprises and partnering with those.

This is where, depending on the Canadian business, there's quite a lot of advice out there. It's about understanding what the goal of the partnership agreement is. Is it a technology transfer agreement where it really is looking to transfer the technology to build, or is it about manufacturing and you're outsourcing something?

Knowing what's important to you as a company is the first step. What makes my information special? Is that intellectual property, some unique manufacturing process, tool technique design, or is it my customer base and how I interact with them, how I promote, etc.? By knowing what makes you special and unique, you know what you need to protect—that's the goal that you need to protect.

Then you go in with your eyes wide open. What's of interest to me? Is this a mutually beneficial relationship? When you start to assess this, it tells you where you need to put your cyber defences, which ultimately gets to what I'm responsible for. Are you positioning your company for a takeover? In this case you could expect to see a company looking to get information on your financials. Where are you particularly vulnerable, who are your suppliers, who's your legal counsel, etc.? You could see that in terms of a takeover bid.

If you're looking at a unique piece of technology, then you need to protect that. How am I protecting it and making sure that it isn't travelling, isn't going places where it walks out the door? Really think that through. You're thinking through the threats and then leveraging the advice that's out there.

5 p.m.

Liberal

Emmanuella Lambropoulos Liberal Saint-Laurent, QC

Perfect. Thank you very much.

On an unrelated note, I'd like to thank my colleague, Mr. Kurek, for bringing up MindGeek, which is about a 15-minute drive from my house. It's something that hits close to home, the fact that it's taking place and that these videos are being put up from a place so close to home.

What recommendations would you give the Government of Canada to ensure that children are not being exploited in a way that they already are? I know that you said that Public Safety is already working on this, but can you give us any insights as to what can be done and what can be enforced at the government level?

5:05 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I think the challenge I face here is really from a cybersecurity perspective. My advice would really be to the potential victims and how to protect things, protect themselves and try to keep themselves from getting into that situation, and really thinking before you share information. Once it's on the Internet, it's there forever. How are you sharing it? What apps are you using? The example of face apps that estimate someone's age was used, but similarly there is photo sharing, etc., as well, and the need not to place oneself in a position where you're vulnerable to that type of harm.

The next would be to get Canadians thinking about how they are using the technology base and asking if they really understand the harms they can get themselves into by slowly being drawn in. Then it's about minimizing the harms and dealing with them.

I'm just not positioned well to talk about the different tools that are placed, because that wouldn't be something that we would be doing from a cybersecurity perspective.

It's certainly something that, as a citizen, I would love to see dealt with harshly and quickly, and that it be resolved, but it's not something that we're in a position to really talk about from a cybersecurity perspective.

5:05 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Madame Lambropoulos.

We have gone through three rounds, colleagues. We still have 20 minutes left. I believe that the Conservatives want Madam Stubbs to be next, but before we get to that round, I have a couple of questions that I would like to ask. Maybe the Liberals could indicate to the clerk whom they would like to have. I'm proposing five minutes for the Conservatives and the Liberals; then two and a half for the NDP and the Bloc; and then a further five minutes, which should take us to two minutes for the Liberals and two for the Conservatives. Please indicate to me whom you want to be the questioners.

I want to circle back on Mr. Van Popta's question on the allocation of risk.

A couple of years ago, we had Desjardins here to talk about a data breach. It was based upon what they called a “rogue” employee. What I didn't understand was how a customer of Desjardins would be put at substantial risk of their data going into the dark web, and yet, apparently, Desjardins had no liability for any harm that would happen to one of its customers. I just wonder if, in the context of your cybersecurity centre, that has been a discussion and, if so, where you think that discussion is going.

December 9th, 2020 / 5:05 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

That's an interesting question.

I think we're faced with the challenge that an insider threat, which is really what we're talking about, is something that kind of hits different facets. One is that the person is in a position of trust and does have access to types of data and information, especially if it's related to their position. Then what controls are put in place from an information security perspective? That's a case of understanding one of the things we say in our top ten, which is to segment and separate information.

There are things at CSE that I just don't need to know. Yes, I'm one of the senior executives there, but that doesn't mean I need to know everything. I don't have access to security files for security clearances. I don't need to know; I don't need to access them. We segment information away, and we protect it. That's for privacy reasons, but it's also for security reasons.

Even in the cyber centre, there are things where there's a limited group of people who have exposure to certain information. We do that deliberately to protect it.

Those are some of the cybersecurity elements that we would say are part of our general advice and guidance, but you first have to know what needs to be protected. That's one of the things, and also what that information could be used against. A lot of times, what I say to businesses is not to think about the harm that it can cause to you; think of the harm somebody could do with the information that you have. Who could they give it to that would harm you?

5:05 p.m.

Liberal

The Chair Liberal John McKay

Mr. Jones, shouldn't the onus be on the financial institution? The financial institution has a lot more resources available to it to protect me than I have to protect myself. What I don't understand is why the onus shouldn't be on the financial service provider.

5:05 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I fear that's a question that gets me into legal territory, for which I am wholly unqualified.

5:05 p.m.

Liberal

The Chair Liberal John McKay

Well, I was inviting you to jump off the cliff there—

5:05 p.m.

Voices

Oh, oh!

5:05 p.m.

Liberal

The Chair Liberal John McKay

—but it is something that has irritated me for a while now.

My second question has to do with passwords, and you're right to argue for passwords. What I don't understand is why all Canadians, when accessing their bank accounts, don't just simply have facial recognition technology. Isn't that the ultimate protection for passwords?

5:10 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

That's a great question because it's something that we face in the government all the time. It really comes down to accessibility. Does every Canadian have the technology necessary to access using facial recognition?

It's not foolproof. It is one factor. We always say there are three factors. First is something you know, and a password is something that you know. Second is something you are, which would be facial recognition; a fingerprint is another example. Then third is something you have.

I always think, when I walk into the building at the CSE, that something I know is my PIN code to get in. Something I have is my badge, and something I am is my photo and my face that our security guards check as I pass through the different gates. Those are the physical-world examples of what's there.

Yes, that would add another factor. Passwords would be something you know. Something you have are things like hardware tokens, but those, again, are about accessibility. It really is about finding that balance, but it does add a factor of authentication and something that's important—