Public Safety Committee on June 7th, 2022

Thank you for that question.

In some ways, the limitations that exist before a war, such as your capacity or your access to intelligence, will exist even during it. Thank you for the mention of the book. I will say that I've spent 25 years in what we call “all hazards”. Essentially, I'm not looking solely at cybersecurity. I'm looking at the vulnerabilities that nations like yours and mine have. I've been working a lot on the notion of a North American regional response capacity in cyber and climate change, because the kinds of attacks that we're seeing now and the kinds of vulnerabilities that we're seeing now are going to take a combined U.S.-Mexican-Canadian focus, just given our capacity.

That we need to focus our sense of success on whether we can respond and minimize the harm is particularly true in this space. Something that I would urge you to push on the private sector, which has essentially.... This is probably a little crude, but they have essentially focused almost all of their security efforts on “left of boom”. In other words, if we can stop the breach, we'll try to stop bad things from happening and stay, as I like to put it, on the left side of boom. One thing that can be pushed is to ask what their response planning is, what sort of tabletops, if they have a cyber-attack.

The most important thing I'm going to leave you with is this. The bifurcation of cybersecurity and physical security, which has happened in your country and my country, has to be remedied somehow. As we see in all of these attacks, there's really no such thing as a cyber-attack any more. It is a cyber and physical attack. What's happened in a lot of these companies, as I know you're aware of and what's happened even in some of our government institutions, is that both the cybersecurity apparatus and the physical security apparatus—the traditional gates, guns and guards, as we call it—have been built. There are not a lot of synergies between them if there is in fact a cyber-attack, and I think we have to really push that on the private sector.

There will always be physical consequences. These are rarely just issues about privacy or private information or reputation anymore. The adversary wants there to be disruptions and, worse, even destructions.

I would first challenge the question a little bit. I don't know what a “top secret” cloud is. If a cloud is a shared resource that people have access to for lots of good reasons, then in order to make that top secret you have to do it with access control. Access control is basically just a system where your top secret data is stored and you limit the access to it in some way.

Thus, I don't actually think.... The vocabulary is maybe populist, but it's not the right vocabulary.

There are two areas that I would focus on, given my understanding, which is not as deep as yours.

The first is the cross-border emergency management capacity. If there is a cyber-attack in Detroit, say, in the auto industry, in the OEMs, what capacity, what communications and what structures are in place that are going to essentially treat it as a borderless response? Because it has to be. It's going to impact both countries. It's going to impact, as we've seen with some of the protests recently, border crossings and our capacity to move across the border. Primarily, that would be one.

There's the other thing in terms of what the mandate should be for the emergency manager, because I agree with you. I think the distinction between public safety and emergency management can be hard at times. I said one requirement, but there are two requirements. What is the minister requiring in terms of what we call, in my space, “all hazards” response? In other words, you can't focus just on what the cyber-response is going to be. It's going to have all sorts of impacts. The same is true of climate and the same is true of a terror attack. The consequences are going to be generally the same.

I sometimes think—and I know you certainly do—that in the way the government is structured, and in the way the ministries are structured, we put information security off to the side in protecting our networks. I would just get much more forceful in terms of what reviews are being conducted, what capacity there is, what the consequences would be physically of a cyber-attack on major industry and then what we are doing to close that gap between information security and physical security.

I will tell you that I now advise a lot of companies to not have chief information security officers, chief security officers, and to just have chief preparedness officers, because it's too hard to figure out what the risk might be.

I don't have specific insight into what CSE's operations are. We do know that legislative powers were granted and the ability to conduct operations has now begun—

We absolutely do not want the private sector shooting back, because, first of of all, attribution is really hard. I ran cybersecurity for a university. We got hacked all the time and were used as a platform to attack government entities, private sector entities, etc. If someone started shooting back at my university because from their perspective we were the originating source, they would be hitting the end target. It's a fun little shell game.

Attribution is really hard. The private sector absolutely should not be shooting back. That should be a sole responsibility of the federal government, and it should be exercised. I think the challenge from a policy standpoint is, what's policing and what's military? We need better clarity on that, and we do need to flex. It's important that government actually speak forcefully about this.

We saw this with the Biden administration after critical infrastructure attacks in the United States. It was straight from the top: Don't mess with us. Who is the minister that actually is going to respond here in Canada?

My greatest concern right now is the threat to Canada's health care sector. Obviously, we're still in the pandemic. We're still recovering. When a hospital goes down, it goes down for weeks. Cancer patients don't get timely care, other surgeries are delayed, etc. We don't have good information sharing in this country. We've had multiple hits. We had an entire provincial system hit badly, and we don't have those lessons shared out.

Imagine if we had airplane crashes and we didn't investigate them or share the lessons learned. Well, you're going to get more airplane crashes.

I'm not familiar with the specific instances of that. However, based on what you're saying, I'll add that we've had warnings from our intelligence agencies talking about influence operations against MPs of all stripes, from various nationalities that have interests, whether it's Russia, China, etc. This is part of the game, and this is what they do, whether to score points, to try to keep us disengaged in this conflict or whatever the national aim, that's part of it. It's part of the importance of educating MPs and politicians about protecting themselves.

One thing that concerns me is how protected our political parties are in general from cyber-operations, influence operations. The hack of the Democratic National Committee in the States lays bare that what happens when a party isn't secure can have dramatic impacts on a country's course.