Evidence of meeting #28 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A recording is available from Parliament.
Conservative
Dane Lloyd Conservative Sturgeon River—Parkland, AB
Thank you.
I want to put it on the record. Have you seen evidence of how the Russian “Ukrainians are Nazis” narrative has been used to create fear amongst left-of-centre political groups across the world and possibly in Canada? Has that been something that has been observed?
Chief Executive Officer, Beauceron Security
I think there's been reporting, covering attempts to.... I mean, it makes complete logical sense. How do you keep Canada out of the fight and get as many people on each side? I've seen right-of-centre folks saying, “This isn't our fight and why do we care what's happened?” There are left-of-centre folks saying, “Well, there are Nazis and fascism.”
It's just about muddying the waters. The problem is that we live in a post-truth era, and we have to work on that. There has to be truth still out there.
Conservative
Dane Lloyd Conservative Sturgeon River—Parkland, AB
I appreciate your putting that on the record.
I'm going to shift over to Professor Kayyem.
In your excellent work on this issue of domestic security, I'm very concerned about electromagnetic pulses. This might be an open fact, but I want your opinion. A nuclear explosion in the atmosphere can have very little kinetic effect on the ground but it could have a devastating effect on our electronics.
Would this be considered a violation of article 5 and require a NATO response?
Belfer Senior Lecturer in International Security, Harvard Kennedy School of Government, As an Individual
I really think that NATO and the Biden administration have been really brilliant in this, in terms of new threats. They're not actually looking specifically at the threat. If you take cyber or what you mentioned, electromagnetic disruption, they're looking at the consequences. They were early in making a distinction.
It took a while for me to figure out what they were doing, because they weren't quite transparent about it. They were, “Look, there are disruptions in the world, and we'll accept those disruptions for the price of doing business.” In other words, because we're connected, because the Internet works, because we need our electronics, we're always going to assume there's some level of vulnerability.
There will be disruptions because people just behave poorly, but those aren't reasons to go to war.
Conservative
Belfer Senior Lecturer in International Security, Harvard Kennedy School of Government, As an Individual
It would be, if it disrupts.... The standard is, does it disrupt civilian capability to live? In other words, will a mother not be able to feed her children, or—
Conservative
Dane Lloyd Conservative Sturgeon River—Parkland, AB
I have only 10 seconds.
Would you recommend that we do more to protect ourselves from electromagnetic pulses?
Belfer Senior Lecturer in International Security, Harvard Kennedy School of Government, As an Individual
Yes, on most anything, I do.
Liberal
The Chair Liberal Jim Carr
Thank you very much.
Ms. Damoff, it's over to you for five minutes whenever you're ready.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
Thank you.
Thank you to all of our witnesses for your testimony today.
I actually want to follow up on a comment that my colleague, Mr. Lloyd, was talking about.
Professor Kayyem, this is directed towards you.
Misinformation and disinformation campaigns do tend to target pre-existing social and political divides in an attempt to divide us even more. We're seeing that more and more.
I'm just wondering. Do you have any recommendations to the government to ensure that we're treating this threat properly and adequately, and any recommendations on steps that we can take to both recognize what's happening but also to counter it?
Belfer Senior Lecturer in International Security, Harvard Kennedy School of Government, As an Individual
Yes, and this has been hugely contested in the United States. A recent attempt to create an oversight body, a new entity within the Department of Homeland Security dealing with disinformation, fell apart almost immediately when it was attacked.
Sometimes I think we make it not just too hard, but we now know what works—I'll go back to this—reliable voices from the government that are actually addressing the misinformation. I think for a long time our governments thought that no one could possibly believe that. If you actually come out early, whether it's called a “myth buster”.... At FEMA, the Federal Emergency Management Agency, they have something called “myth busters”, which is a way to just combat the rumours that go on during any crisis. That's first.
Second is, as we say in crisis management, consistent numbers and hope. In other words, government spokespeople have to provide facts consistently. They can't go into hiding. Then, what are you doing to make things better? Hope is always important.
Third—and I think we're learning a lot from Ukraine—we used to think that our governments were in a passive mode to this misinformation, as if Russia is doing this and we have nothing. Actually, I think the successes of Canada, the U.S. and other countries in calling out what we knew Russia to be doing early and often very much changed the battlefield literally in the effort against Russia. It prepared the Ukrainians. It prepared us. It prepared all of you.
I do think there are some excellent lessons learned out of the counterattack of the misinformation coming solely just out of the Ukraine war.
Talking about after action, I think it's something we should study because we don't need to be passive anymore. We always thought that the best response was just to move on. It is not.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
I just want to follow up on something that you said because you said “reliable voices from the government”, except that part of these misinformation campaigns are discrediting the government. How do you get people to trust what a government is saying when that's part of the campaign? It's not just government. All of our institutions are part of these disinformation campaigns.
Belfer Senior Lecturer in International Security, Harvard Kennedy School of Government, As an Individual
In some ways we'll never get to perfect, so I live in a world where less bad is my standard. We still have 19% unvaccinated in the United States. That's not a great number, but given a lot of misinformation, it's not as bad as I had worried before, so in some ways I think we were able to capture it.
When I say “government” though, it's not simply at the national level. If you look at COVID specifically, one of the ways to overcome vaccine reluctance based on misinformation was very much a local-based communication strategy. In our case, Dr. Fauci had lost his ability to be persuasive among a pool of people. That's okay, and that happens. You pivot to much more localized spokespeople.
Liberal
Pam Damoff Liberal Oakville North—Burlington, ON
I have only about 30 seconds left so I might give it back to you in order to allow my colleagues to have the time to finish. It's close to one.
Liberal
The Chair Liberal Jim Carr
Then we will move to Ms. Michaud.
You have two and a half minutes, and then we'll go to Mr. MacGregor with two and a half minutes. That will take us to the end of the session.
Ms. Michaud.
Bloc
Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC
Thank you, Mr. Chair.
Mr. Shipley, I'd like to ask you a question about the incident at Sunwing a few weeks ago, which highlighted the importance of reporting cyber-attacks. In an article, you say that Canada should follow the U.S.'s example. A few months ago, the U.S. passed a law requiring organizations in the critical infrastructure sector to report any substantial cybersecurity incident to the Department of Homeland Security within 72 hours of learning of the breach or 24 hours of paying a ransom.
Do you think that's a good way to help small, medium-sized and large businesses in the private sector or those that operate critical infrastructure in a country like Canada?
Chief Executive Officer, Beauceron Security
We are lagging in getting instant reporting in place now. We have Canadian organizations that are going to be telling the United States what has potentially happened to them, and we're completely in the dark. The push to start with federally regulated industries, such as transportation, banking, energy, telecommunications, that's good, but the pain is often outside of those federally regulated industries.
What Europe has done is set certain size thresholds. What size of businesses has a meaningful impact on the economy? Then it set thresholds for participation and reporting on that. That's important, because a small and mid-sized business.... In the case of Sunwing, it was the IT provider for the ticketing system that got hit in the U.S. It wasn't Sunwing that got hit; it was the IT provider.
How do we get the lessons learned and how do we share them, so that we can find and fix vulnerabilities and learn lessons? We have to move beyond blame culture in cyber. This organization was a victim. Why was it a victim? How can we learn from that? For example, for our hospitals, how can 100 other hospitals not get hit after we have one hit so that we get better?
Bloc
Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC
Thank you.
I don't have much time left, but I'd like to discuss Costa Rica, a country much smaller than Canada. A few weeks ago, Costa Rica had to declare a state of emergency because of a cyber-attack by Russian hackers. The departments of finance, health and labour, among others, came to a complete standstill.
Do you think we have reason to fear similar attacks in Canada, or would you say that we are adequately prepared and protected?
Chief Executive Officer, Beauceron Security
We have had Russian ransomware gangs attack us. We need to get better at it. Cryptocurrency, the flow of money, is fuelling this problem.
Liberal
The Chair Liberal Jim Carr
Thank you.
Mr. MacGregor, we'll go over to you for the last two and a half minutes of this session.
NDP
Alistair MacGregor NDP Cowichan—Malahat—Langford, BC
Thank you, Mr. Chair.
Mr. Shipley, when you were talking about the relationship that Russia has cultivated with criminal organizations, it reminded me of a few centuries ago when England cultivated a relationship with privateers to basically do its dirty business for it.
On the mandatory incident reporting, going beyond federally regulated industries, the federal government has its relationship with the provinces, even with the Federation of Canadian Municipalities, so those subnational governments. When it comes to the private sector, I guess I want to know.... I agree with you that this is important, but often, when criminal organizations are holding a company hostage, one of their biggest threats is that, if you go to the police, we'll come after you.
How do we bypass that specific threat? That's what has made private companies loath to go to the authorities, because that is a very real threat to their organization.
Chief Executive Officer, Beauceron Security
For barriers to the companies reporting, number one, the insurance companies often say, “We're running the response for this breach. It's cheaper for us to pay out the ransom. You're not involving the police. Shut up.” If you're a publicly traded company, this could affect share price. The lawyers get super wired about this.
We have to change the risk equation. It has to be that you need to report or you face consequences. Then all of a sudden legal, insurers and others will be saying, “We have to bring CSE and others into the fold”, and you change the relationship.
If the criminals know that we have laws that say they are going to call us, maybe then they are going to move on to somewhere else. I'm with Dr. Kayyem. I'm of the world of doing better and not getting it perfect. The old expression in New Brunswick was—my dad used to joke—“I don't have to outrun the bear. I just have to outrun you.” The same applies in cyber. We just have to get incrementally better about doing that.
Mandatory reporting changes the equation. We need it. If we go this route of provincial, you're going to have have-not secure provinces and secure provinces. Is that the kind of country...? This is a national security issue, and we have to deal with it. We are too small to deal with this without centralizing it, so we have to.
NDP
Alistair MacGregor NDP Cowichan—Malahat—Langford, BC
Yes, the fact that it's criminal, we have the authority over criminal law. It's often originating from outside of provincial boundaries, so that means the federal government does have jurisdiction. Yes, writing it into insurance contracts—
NDP