Evidence of meeting #12 for Public Safety and National Security in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Scott Jones  Head, Canadian Centre for Cyber Security, Communications Security Establishment

4:10 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Scott, you've read that report. What do we need to do as a country to stop or change being such an easy target? We're an attractive and permissive target. What do we need to do differently to fix that?

4:10 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I think there's a challenge. My goal is cybersecurity, so in raising the cybersecurity bar in this space, one of the things we're encouraging all Canadians to do, frankly, is to take some steps to raise that bar across the country with some basic security elements. Some easy steps can be taken that would increase our security bar. I mentioned them earlier: Basic hygiene, meaning patching our systems, would have a huge effect on our industry and on cybersecurity. That immediately makes us less vulnerable to outside activities and outside exploitation.

The second piece is that when we're looking at some of the applications and technologies out there, we're going in not just based on the cost. The lowest-cost product isn't always the best one. Sometimes looking and saying what's important in security and looking at how to measure that is a challenge that we all face. I know that we all want a good deal, particularly as we're heading into the holiday season and looking for gifts, but a lot of times cheap technology will be out of date and it will not be updated and patched.

4:15 p.m.

Liberal

The Chair Liberal John McKay

We'll have to leave it there, unfortunately. Mr. Motz, you are well over time.

Madam Khera, you have five minutes, please.

4:15 p.m.

Liberal

Kamal Khera Liberal Brampton West, ON

Thank you, Mr. Chair.

Thank you, Mr. Jones, for being here and for your report and all of the incredible work you do.

I'll pick up where my colleague Kristina left off. Your report noted that the vast majority of cyber incidents in Canada occurred because simple or basic elements of cybersecurity weren't followed. In other words, this was completely preventable. What steps can the cyber centre take to further increase awareness and compliance to ensure that Canadians are taking the appropriate steps to protect themselves? What can my constituents do? What is the responsibility of businesses, individuals and the government?

4:15 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

That's an excellent question.

I don't want it to sound as if we're blaming Canadians for this, because it isn't easy, nor do I want to blame businesses. The problem with the technology world is that we've made it too hard for business to keep up to date, and a small business owner should not also have to be a firewall expert and a networking expert and a computer expert. There's a certain amount on business to take this on and make it easy for them to do.

But there are some simple things. Our small and medium-sized business guidance does give some simple steps that we've written to be accessible. I really did appreciate the comments about making the report accessible. We really are trying to write this for advice and guidance for all Canadians.

For individual Canadians, though, we do publish tips. We try to put them out such that it's one simple action to take to make yourself more secure. It can be, today I'm going to make a unique password for my bank. That immediately means if it's not being reused—you never use that password—you're raising the bar for your bank. Multi-factor authentication is harder. When you log in to your bank, for example, and you turn it on, it means somebody else can't log in as you. Even if they get your password, there's another step to verify. That, again, makes it hard, so the cybercriminal is going to move on. Essentially what we're talking about is putting hurdles in place. Why would a cybercriminal want to jump over them when they can move on to the next target, who doesn't have the same hurdle in place? That only works for individuals.

When we look at companies, especially large organizations, sometimes they're worth the effort, so they'll pay to invest to develop unique capabilities after them, and that's what we call “big game hunting”, which cybercriminals will target. That's where a large organization has the benefit of a larger budget and a larger cybersecurity organization so they can bring in a really qualified provider to help them.

4:15 p.m.

Liberal

Kamal Khera Liberal Brampton West, ON

Thank you for that.

We've also heard about the impacts COVID-19 has had on foreign interference and cyber-attacks during the pandemic, especially now that we're living in this virtual setting. I can see that happening when we have vaccines rolling out and other things in place. What additional steps has the cyber centre taken as a result of this pandemic, especially with the RCMP's Canadian Anti-Fraud Centre?

4:15 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

One of the things we've done, which we started early in the pandemic, was to simply work with providers—partners around the world and commercial providers—to take down anybody that was impersonating the Government of Canada. I think we've all gotten the calls from someone pretending to be from a government agency. The same thing happens on the Internet, where you get emails, etc. We've taken down over 4,000 of these since March. It's something we did to try to decrease the amount of fraud that's happening.

The second thing that we've also tried to do is to raise awareness. We did some joint public awareness campaigns with the RCMP and the Canadian Anti-Fraud Centre to get information out to Canadians to say, “Hey, look for this, because here's something we're seeing.” We've really tightened up the path of communications there in terms of making sure that information is being shared quickly and is getting out to Canadians so they can know what to be aware of and what is the latest scam.

The third piece, though, is that we have been working with telecommunications companies as Canadians report spam. For anything that's related to the Government of Canada, we've been able to proactively put things in place. For example, on the programs that the government has put in place in terms of the CERB or some of the other response benefits, we're ensuring that we know what those look like ahead of time so that we can pre-position fraud detection. If somebody tries to pretend to be the CERB site to try to get information, we have commercial providers that are looking for that proactively to take it down before any Canadian is victimized.

We're really trying to get ahead of the curve. It's something where we've really relied on those government departments that are responsible for delivery to get that out there.

Finally, we're also telling everybody to go to the root of the truth. If you're looking for the facts, go to the place to get the real facts. In a pandemic situation, Ottawa Public Health, Public Health Ontario and the Public Health Agency of Canada are those roots of truth for me. They'll obviously be different wherever you're—

4:20 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Madam Khera.

4:20 p.m.

Liberal

Kamal Khera Liberal Brampton West, ON

Thank you.

4:20 p.m.

Liberal

The Chair Liberal John McKay

For two and a half minutes, we have Madame Michaud.

4:20 p.m.

Bloc

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

Thank you, Mr. Chair.

I would have liked to know more, like my colleague Mr. Motz, about everything related to 5G and the government's management. I don't want to go into that, but still, since we want to inform citizens, once again, I'm sure my colleagues have received as many emails as I have from the public about 5G, which is worrisome. I think it is also divisive. There is a lot of misunderstanding. I would like you to speak to us about it.

You said earlier that the population should not be afraid or worried, but there is still a duty to inform.

4:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I'm not sure I understood the question. I'm sorry.

4:20 p.m.

Bloc

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

I can rephrase it.

How do 5G threats translate for Canadians and Quebeckers?

We receive a lot of emails from our fellow citizens, who are worried about what this may mean for their physical or mental well-being. In order to reassure them, perhaps, I would like to hear from you about what this represents at the moment.

4:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Thank you. I'm sorry for the trouble in understanding that.

There are a few things that I would want to highlight. I think that when we're looking at any new technology or new development that's out there.... There is some misinformation around 5G, but I will set that aside to really focus in on the security aspects of this. What we're looking for is that this is a network that can have many more devices that support much faster communications. It has much higher bandwidth. It's much faster, with many more devices connected to it, and it's pretty much real time, which means that you can do things like sending commands to self-driving cars over these types of networks. It's designed for that type of environment.

In general, the threats we look for are around the confidentiality, integrity and availability of things like the network. For the network itself, can I communicate? That's availability. You really look for things like the robustness of the equipment. Do you have multiple providers so that if one provider becomes unreliable you can replace their equipment at some point with something else? That's around the availability side.

Then we look at the integrity. If I send a message over that network, will it get there in the form in which I deliver it? That's where encryption is the key piece for integrity. If I want a message to be clearly delivered, I will send it in a way such that it can't be modified. That's what encryption gives us for integrity. You might have things like digital signatures, etc. What that does is say “this message cannot be modified now”, and we do that through cryptography.

The last—

4:20 p.m.

Liberal

The Chair Liberal John McKay

Unfortunately, I have to leave it there.

Mr. Harris, you have two and a half minutes, please.

4:20 p.m.

NDP

Jack Harris NDP St. John's East, NL

Thank you, Mr. Chair.

I do detect a little bit of victim-blaming in some of the commentary and suggestions that are coming from some of your work. Obviously, people are not sophisticated in the use of this equipment.

Are there any of these patchings of our systems that you're urging people to do? Can any of that be mandated by the government via the system providers, the Internet providers or groups of manufacturers to take away some of those even simple steps and make people more secure?

4:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

We certainly don't want to blame the victims for this. It is hard, I understand, just keeping on top of all of this.

The first thing that we say to businesses, as well as individual citizens, is to just turn on auto updates—on our phones, just slide it to auto updates. However, the industry does need to make this easier. In many cases it is: Our home laptops, our home computers, etc., tend to do this now by default. You have to manually set them to not auto update so that the updates are manual.

That's good progress, but it needs to be made better.

The real challenge is for businesses where the equipment doesn't do that. The equipment requires a system administrator to download a patch or an update, to go onto the device, to install it, to test it, and it may or may not work because the device, really, is finicky. That's where the industry really does need to start stepping up on cybersecurity to make it easier for these small and medium-sized organizations to stay up to date.

However, there is some hope. The cloud does offer some benefits to these organizations where updates are automatic. With regard to the cyber centre, one of the things we did when we stood it up was to move our operations into the cloud because we wanted to work like every business in Canada either was working that day or was going to be working. We wanted to live our own advice. What we do is.... I get updates. In fact, I just saw—my computer just told me—that I just got an update for my Microsoft Teams environment that we use to say that, yes, we have the updates. You get them right away when they're issued by the vendor.

That makes it easier. That takes the pressure off those small and medium-sized organizations to do things. When you do that, that means that you don't have to do it yourself. You don't have to go in and download the patches and install them because it comes with it.

That's really where we're saying that it has to be easier for the users and not place the blame on them.

4:25 p.m.

Liberal

The Chair Liberal John McKay

Okay.

Thank you, Mr. Harris.

Mr. Van Popta, you have five minutes, please.

4:25 p.m.

Conservative

Tako Van Popta Conservative Langley—Aldergrove, BC

Good.

Thank you, Mr. Jones, for being here with us today and for your insightful evidence.

I have a question about universities and cyber-threats relating to theft of intellectual property. Perhaps you can comment on that—in the context, of course, that some research universities actually partner with foreign companies to help fund the universities' research.

4:25 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I think one of the areas where we have been doing significant outreach, and that we've been doing with our colleagues at the Canadian Security Intelligence Service, is really to help to inform universities of the threats they are facing, as well as give them some practical advice. They are open research organizations, and they face a unique challenge in that in terms of cybersecurity.

One of the other areas where we have worked is with what's called CANARIE, the Canadian network for research and innovation. It's a non-profit organization. We've been working with it on improving its cybersecurity, and we've been trying to help it bolster that for all Canadian universities as well. We're trying to take some practical steps to make it easier to protect intellectual property.

At the end of the day, one of the things that organizations need to balance and one of the things that I would rely on my colleagues at the service for is really that, in many cases, people just like to talk about the research that's going on and share it widely because they're really excited about their work. That's one of those areas that I would look to the Canadian Security Intelligence Service to provide the expertise on.

The insider threat from our perspective, though.... We are trying to bolster cybersecurity. We're doing it with partnership. CANARIE is the example in this case for the research access. We're also reaching out to the universities in Canada to provide them with advice and guidance, as well as realistic threat feeds that they should be expecting from cybersecurity to try to bolster it.

4:25 p.m.

Conservative

Tako Van Popta Conservative Langley—Aldergrove, BC

How significant of a threat is it in an economic measurement? How much value in intellectual property is being stolen from universities? How widespread is it?

4:25 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I wish I had an answer to that question. I don't know.

The way our mandate is structured, one of the things we don't do is collect information within Canada. We rely on statistics, like from Statistics Canada or anything that is published by other organizations. I haven't seen a figure that monetizes the loss to Canadian institutions, both short and long term.

Sorry.

4:25 p.m.

Conservative

Tako Van Popta Conservative Langley—Aldergrove, BC

That's fair enough.

Would the simple solution be for universities to quit partnering with foreign actors?

4:25 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I'm not an expert. That question's probably best for some of the areas where they're used to these university partnerships.

When we've been meeting with some of the organizations, one thing that has been emphasized to me is that research is done globally and partnerships are really important. All foreign partners...I'm not sure the universities would say they could sustain that.

One of the things we always say for any organization is to go in with your eyes wide open to the threat you're facing and to what their goals are. Is it a mutually beneficial relationship or is it about getting information out there? That's really where the outreach we've been doing with the service is. Hopefully, it's improving that for Canadian universities.

December 9th, 2020 / 4:25 p.m.

Conservative

Tako Van Popta Conservative Langley—Aldergrove, BC

Of course, these comments about universities would also apply to companies. Just as you were talking, I had to think of the CanSino issue just recently where it looks like some intellectual property around the COVID-19 vaccine may have walked out the back door to the benefit of another country.

I have a quick question. The question is quick; I don't know about the answer.

The best and most efficient allocation of risk when it comes to cybercrime.... I'm thinking, for example, of my relationship with my bank. It's very simple for me to change my password, so maybe if some money is stolen out of my account, that risk should be completely mine and not the bank's. Maybe the risk should be allocated to the software company that provides that interface.

Do you have any commentary about that allocation of risk?