Yes.
Evidence of meeting #12 for Public Safety and National Security in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was things.
A recording is available from Parliament.
Evidence of meeting #12 for Public Safety and National Security in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was things.
A recording is available from Parliament.
5:25 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Yes.
5:25 p.m.
Liberal
5:25 p.m.
Bloc
Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC
Thank you, Mr. Chair.
I'll conclude with a less simple question. I'll leave you plenty of time to answer it.
If, at this time, the government isn't taking specific action to address the cyber threat to protect citizens, businesses and government infrastructure, do you think this could pose a danger to our democracy? What measures should be taken?
There seems to be some shared responsibility between individuals and companies, but that responsibility is also shared by public authorities. I'd like to hear your thoughts on that.
What are your expectations regarding the publication of this report?
You are a fairly new organization. Are there any specific steps that should be taken?
5:25 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
I think there are a few things. We are taking quite a bit of action to try to raise that bar on cybersecurity, some them very public and some of them private. We are doing things. We have things that we call “strategic mitigation plans”, which directly address the threats mentioned in the report, one on cybercrime and one on protecting critical infrastructure. “Defending democracy” was the first one. Beyond that is the operations plan and then actual operations, which could involve defensive cyber operations to protect and take action, if we need to. That's really leveraging the mandate that Parliament has given us as part of the CSE Act and making sure we are doing it in a holistic way.
The second piece for us, though, is to make sure we're also getting practical information out to folks and working with them so that they can take action on their own. That's what the report was about, to say that these are the threats we're facing. If Canadians read the report, which I hope they do—I'd be thrilled—they can take some of those basic actions. They can follow Get Cyber Safe. Small and medium-sized organizations can read our advice and guidance on small and medium-sized organizations and look at whether or not they're addressing their cyber risks. Then that goes to CyberSecure Canada, a program that Innovation, Science and Economic Development Canada launched. It's something they can leverage to say, “Hey, I've done these things. I have a cybersecurity checkmark.” That's something I would like to see us use as a bit of a measure for Canadian companies, as a bit of a competitive advantage. They have this checkmark. They've done this.
Those are things that could be done directly from the report: Understand the threat, know where you're at risk, and then take action to reduce that. We have a lot of information out there that hopefully empowers Canadians to make those choices.
5:25 p.m.
Liberal
The Chair Liberal John McKay
Sort of like an ISO marking for a company, is that what you have in mind?
5:25 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
It's a program that's in place now. It can be looked at that way, but at a rate that is affordable for a small or medium-sized organization to attain. The ISO standards tend to be unaffordable for other than the largest organizations.
5:25 p.m.
NDP
5:25 p.m.
Voices
Oh, oh!
5:25 p.m.
NDP
Jack Harris NDP St. John's East, NL
Mr. Jones, I have a question that comes from a recommendation of this committee in 2019 when it looked cybersecurity in the financial sector as a national security issue.
The recommendation number nine says:
The Committee recommends that the Government of Canada explore ways to ensure all sensitive data moved within Canada has a domestically routed path, ensuring data packets are not exposed to foreign network infrastructure.
My question really is what has Canada done to act on that recommendation in the last year or so? You did mention encryption as one protection. Are there other things that Canada should be doing?
I'm thinking of this in the context of the recent sale of a company in my riding called Verafin for a whopping $2.75 billion to Nasdaq Inc. They look after the FINTRAC tracking of banks' and financial institutions' obligations.
In that context, how do we have sensitive data with a domestically routed route in order not to expose it to foreign network infrastructure?
December 9th, 2020 / 5:30 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
That's actually an issue that's near and dear to my heart. One of the things that we face in Canadian telecommunications infrastructure—and some more detail could probably be provided by colleagues at Innovation, Science, and Economic Development—is that our infrastructure tends to run north-south because of the way the Internet and the way the interconnections happen. We tend to connect to our American neighbours quite extensively, whereas the east to west connections are quite thin. That is something where we have seen some investment.
The capacity to simply route across Canada might not be there. That's something that they would be better positioned to face. We really say, how do we protect this no matter where it routes?
One of the fundamental things about the Internet is that I could be sending you an email right now and it could go all the way around the world to get to you in your riding. It doesn't necessarily stay within Canada, just because of the way the Internet works. It routes anywhere. We also say that you need to take protections. Encryption is the best protection for that. It does prevent that compromise of confidentiality.
In reality there are some things around the Internet infrastructure that certainly would make cybersecurity better from not only a sovereignty perspective but also from a reliability perspective, and this would be something that we would be interested in seeing. There is a tremendous amount of investment from the private sector required. Innovation, Science and Economic Development would probably be better positioned to answer that question.
5:30 p.m.
Liberal
The Chair Liberal John McKay
Thank you, Mr. Harris.
We are technically past 5:30, but we are not being pressed by anybody. I had thought we had two questions still to go, one Liberal and one Conservative.
Do you want us to go past 5:30 or do you want to end it there?
5:30 p.m.
Liberal
The Chair Liberal John McKay
Okay.
Mr. Jones, on behalf of the committee I'm going to thank you. Your response in your report is done in an accessible way, which I think is 90% of the ball game, just to be able to explain how vulnerable we are both on a personal level and also as a nation, given all of the threats that appear in that regard.
Your security analysis has been very helpful to us. We appreciate your coming. I anticipate that we will be inviting you back.
With that, thank you, colleagues as well.
Just before I bring the gavel down, we have no indication from anybody at this point as to whether we will be able to meet next week. Stay tuned.
Thanks again.
The meeting is adjourned.
