Public Safety Committee on May 3rd, 2022

Absolutely. Thank you for that question.

Having a son in Saskatchewan, I really light up to the agricultural sector, because when you drive around rural Saskatchewan it's evident. It's evident when you're looking at modern-day farming.

I would say that modern-day agriculture on the scale that Canada is doing...and obviously you have a number of sensors out there. A farmer now is running operational technology as opposed to your traditional tractor and plow. There's data, there's critical data, and there is also data that, if manipulated, could really affect the outcomes of the farming operation.

Really, I think for the sophisticated Canadian farmer, you are partnering with the suppliers of agricultural goods and services. You're looking at what we refer to as third-party risk and how that could impact your organization, how that could impact your farm.

What do you look for? I believe you look for value. You look for asking exactly the questions you're asking of your suppliers. For large farmers, you look for potentially partnering with others who are going to help you make those decisions, because you are highly vulnerable from what we refer to as an operational technology perspective.

Good afternoon, everyone.

I will begin, as my colleague Frédéric Cuppens and I prepared a shared presentation.

Thank you all for inviting us to appear before this committee. I will provide some context, and Mr. Cuppens will give you a few recommendations.

We all know what the context is. On the one hand, there is the Russian Federation's invasion of Ukraine and, on the other hand, there is the assistance provided by western countries and the North Atlantic Treaty Organization, or NATO, to Ukrainians to deal with this invasion. We are now wondering whether we should worry about reprisal through cyber-attacks. In other words, will the war on the ground shift into cyberspace?

Russia has shown its ability to engage in cyberwarfare with highly organized cyber-attack groups. We know about and have identified a number of them. There is APT28, which carried out a cyber-attack on TV5 Monde, APT29, another mostly Russian organization, known for its interference in the 2016 U.S. election, the 74455 Russian military intelligence unit, which carried out cyber-attacks on critical infrastructure using BlackEnergy and Industroyer software, as well as the Conti group, which is known for its affiliation with the Ryuk ransomware.

We want to remind you that, well before the military attack against Ukraine, tensions between the United States and Russia were extremely high. Following the attack on the SolarWinds company, President Biden called President Putin a killer. He has used other terms to describe him since. Therefore, Russian cyber-attacks may multiply and intensify, targeting especially those who are helping Ukrainians, such as western countries, including Canada. What are the targets and the threats? That is the question we are asking ourselves. This cyberwarfare can take very diverse forms, with the most well-known being data exfiltration, denial of service attacks, fraud and, of course, sabotage.

The most visible form of cyberwarfare today is information warfare, consisting of disinformation. We should expect this information warfare to continue and fake news to proliferate. However, a number of experts agree that the impact of those cyber-attacks is limited for the time being. Shortly after the conflict in Ukraine began, the Conti group, which I mentioned earlier, claimed responsibility for the cyber-attack on the Alouette aluminum smelter, which you have probably heard about. Last week, there was also the attack on Rideau Hall, which had a very symbolic impact, but for the time being, Russia's involvement in that attack has not really been confirmed.

We may ask ourselves the following question: why hasn't Russia launched any major cyber-attacks yet?

We don't have an answer, but we can make two assumptions. The first is that, like a traditional war, a cyber war has to be prepared for. We have seen that the preparation on the ground is somewhat chaotic. Russia may not have prepared for a cyber war, or it may be waiting for the right moment to launch it. The second assumption is that either of the two camps starting a massive cyber-attack would without a doubt be seen as a crossing of the famous red line, which would inevitably lead to conflict escalation.

Therefore, critical infrastructure is a priority. We may worry specifically about attacks sabotaging that infrastructure. It goes without saying that our geographic distance is irrelevant when it comes to cyber threats. Some experts have not hesitated to compare cyber weapons to nuclear weapons as a deterrent, comparing the power of cyber-attacks to the power an atomic bomb could have.

In this context, two untruths that are often spread can be highlighted. The first is that infrastructure that is not connected to the Internet is protected from cyber-attacks through what is generally referred to as physical isolation. That is false, and we have known it full well since the Stuxnet worm attacks, which targeted nuclear power plants.

The second untruth is a Die Hard 4 liquidation scenario, whose objective would be to destroy a country's economy—

Okay.

That's a movie, but it is also false. So all the steps of the scenario are possible and feasible.

I now yield the floor to Mr. Cuppens, who will present our recommendations.

A liquidation scenario like the one in the movie is unfortunately entirely possible. We are talking about attacks on road traffic, air traffic, telecommunications systems, the media, power distribution systems, financial systems, the stock market. There are already examples around the world illustrating the possibility of those cyber-attacks. We think it is just a matter of preparation and means to unleash those types of large-scale attacks. Naturally, it is complicated for isolated individuals, but it unfortunately becomes entirely possible at country level.

We have some recommendations in that context. There are of course basic recommendations. The first recommendation is to stop using software from Russia, especially security software. A number of countries have already recommended that a famous Russian antivirus developer no longer be used.

According to the second assumption, cyber-attacks can come from anywhere in the world, not only from Russia. For example, it was recently shown that the Conti group was led by a 12‑year‑old girl living in Mans, France.

It is also absolutely necessary to raise the overall security level across Canada. That goes through the general mobilization of all resources to be able to address cyber-attacks and urgent needs in terms of federating and coordinating cybersecurity expertise in industry, academia and government.

We also suggest that the sovereign power take over anything related to the cybersecurity of critical infrastructure. That is what a number of countries have done, and that is what France did with its Military Programming Law 2019‑2025.

At Polythechnique, our efforts are focused both on research and on education. When it comes to education, it is extremely important to develop a program for basic education—bachelor's and master's degrees—but also for continuing education by establishing certificates and micro-programs, as well as a professional development program for short one to five day training.

Concerning research, we really believe there is a need to expand the work on cyber weapons as a deterrent. That goes through the development of solutions to meet the needs I will list on a priority basis.

First, there is attribution, the ability to find the true source of an attack. This is not a trivial problem; attribution is a key problem if we want to develop a doctrine for using cyber weapons.

Second, there is the internal threat. A lot of work today is focused on detecting and protecting against external threats. However, a large-scale cyber-attack, like the one we just brought up, will very likely require internal relays in the infrastructure targeted by the attack. So it is very important to develop solutions for monitoring internal threads to manage not only cases of malicious intent, but also cases of negligence. Unfortunately, internal threats are often related to negligence.

Third, parameters for measuring the real impact of a cyber-attack scenario are absolutely necessary to develop a cyber deterrence doctrine in line with the principles of response proportionality.

Fourth, there is cyber resilience, the ability to resist cyber-attacks. Polytechnique has worked on a number of critical sectors, such as finance, the supply chain, defence, the marine sector and aerospace.

In closing, I would say that, to meet those various needs, one of our priorities is the development of tailored solutions based in particular on artificial intelligence.

Thank you for your attention.

Ladies and gentlemen committee members, it is a privilege and an honour to testify before you today.

Evidence suggests that Moscow is a threat to our country's security. Over the past 15 years, Russia has carried out cyber-attacks on critical infrastructure of countries that are hostile to its interests. Since Canada is currently very hostile to Moscow's interests, it is potentially a prime target for the Kremlin. Russia's Minister of Foreign Affairs Sergey Lavrov recently told Italian media that Americans and especially Canadians played a leading role in preparing ultra-radical, openly neo-Nazi subdivisions for Ukraine. That says a lot about how the Russians see our role in the conflict.

Moscow funds information manipulation, or disinformation, campaigns against democratic institutions in the west. Its objective is clear, as it has been said over and over again, and it is to misinform and divide our fellow citizens in order to weaken our democratic institutions. Those activities have been well documented in recent years.

Since the invasion of Ukraine began, Putin's regime has repeatedly threatened to use tactical or strategic nuclear weapons because it feels that NATO is engaging in a proxy war against Russia.

As a result, since February 24, we have had to be very aware of various threats to our security. Our vigilance must be even greater now that western countries have expanded their objectives in the Ukrainian conflict and have openly sought to degrade Russia's capabilities. That more offensive posture has been contributing to escalating tensions with Russia. Since Canada is fully on board with that, the Kremlin is becoming a growing threat to our security.

I think the best security measure Canada should have with regard to Russia is a combination of deterrence through retaliation, which is possible, considering article 5 of the North Atlantic Treaty, the legal basis of an organization whose member Canada has been for many years, and deterrence through denial—in other words, cyber resilience—through education on disinformation and renewed continental defence.

I also feel that the principal threat to Canada are cyber-attacks on our critical infrastructure. The Government of Canada must increase its investments to enhance the security of that infrastructure and to make us even more resilient to Russian attacks. The idea is to discourage the Kremlin from carrying out such attacks because it would know that the probability of success is low. That is deterrence by denial.

As for Moscow's information manipulation campaigns, their impact is less immediate and more diffuse than that of cyber-attacks. I am of the opinion that Canada is pretty well-equipped to deal with that disinformation because it is relatively invulnerable. It would be my pleasure to elaborate on this.

Finally, despite Putin's alarming statements, Russia's use of weapons of mass destruction carries a lower risk for Canada then cyber-attacks. Nevertheless, since the progress of the war in Ukraine is unpredictable, the Canadian government has a responsibility to invest more in modernizing command and control through the North American Aerospace Defence Command, or NORAD. We must have an excellent monitoring system to quickly detect Russian missiles and, more importantly, hypersonic missiles. The Minister of National Defence has already talked about this, and announcements should be made soon, which is a very good sign.

I think it is also time to reconsider our participation in the North American missile shield, as Washington is not required to defend Canada in case of Russian missile attacks.

I will stop here, but I will do my best to answer your questions.

Thank you for the question.

Attribution is a big problem because it isn't easy to trace the source. These groups of attackers, even if they are identified and even if we manage to find out who they are, rarely claim responsibility for their actions. When they do, they try to provoke. When they decide to claim responsibility for their actions, they expect a reaction. In terms of the attack on Rideau Hall, they won't claim responsibility, but they leave enough doubt that it is assumed to have come from there. We have to be careful when it comes to this type of attack.

It's the same thing for the terrorist attacks. As soon as there's an attack, the terrorists claim it, whether it's linked to their movement or not. I think I've answered your question, but I will answer it more positively.

Yes, they can claim responsibility for an attack or make it appear that they are behind this or that attack, precisely to create fear. They want to send the message that if we do something, they can do something in response that will have a very significant impact. This attack is an example, even though it wasn't the Russians behind it. As you just said, this creates a climate of fear. It's said that you can have a significant impact through a reaction or a cyber‑attack.

The first recommendation relates to information, which is indeed a central element. More expert engineers need to be trained in cybersecurity, whether it's for protection, detection or the use of more offensive weapons. As part of our research, we are working more on defensive postures. We talked about cyber‑resilience and solutions for detecting internal threats. It is indeed—

We are working more on defensive posture to build cyber‑resilience and develop tools to detect external and internal threats. To work on that, you have to—