Evidence of meeting #28 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A recording is available from Parliament.

Also speaking

Ken Barker  Professor, Institute for Security, Privacy, and Information Assurance, University of Calgary, As an Individual
Juliette Kayyem  Belfer Senior Lecturer in International Security, Harvard Kennedy School of Government, As an Individual
David Shipley  Chief Executive Officer, Beauceron Security

The Chair Liberal Jim Carr

Pursuant to Standing Order 108(2) and the motion adopted by the committee on Thursday, March 3, 2022, the committee is resuming its study of the assessment of Canada's security posture in relation to Russia.

With us today we have, as an individual, Dr. Ken Barker, professor, institute for security, privacy and information assurance at the University of Calgary; Juliette Kayyem, Belfer senior lecturer in international security at Harvard's Kennedy School of government; and from Beauceron Security, David Shipley, chief executive officer.

Welcome to all of you. I will be asking you to make a five-minute opening statement. When you have 30 seconds left, you will see this card. I'm pretty strict about time, to be fair to everybody.

I would now like to invite Dr. Ken Barker to make an opening statement.

Sir, the floor is yours whenever you're ready.

Dr. Ken Barker Professor, Institute for Security, Privacy, and Information Assurance, University of Calgary, As an Individual

Thank you very much for inviting me. It's my pleasure to join you today.

I'm going to probably say some things here that are maybe a little bit different from what you might be expecting from a security expert. Specifically, I'm going to talk about how the cyber-attack vulnerabilities really have not changed since the start of the Russia-Ukraine war. What I'm talking about is that the vulnerabilities haven't changed, not necessarily the threat posture.

Basically, exactly the same threats exist now that were available before. The Russians are unlikely to have gotten any better at their attacks in the last two months or with the onset of the Russia-Ukraine war. Nothing's really changed, so what's going on with Canada's vulnerability?

As an energy producer, Canada is more likely to be targeted by an attack from Russia. Obviously, the pressures from sanctions, etc., are causing them to look for potential opportunities to attack alternative sources that might support the west. Attacks on these sectors have occurred since the start of the war, but it appears the sector—as a vulnerable resource and as part of Canada's critical infrastructure—was well prepared and has actually successfully defended the attacks that we have seen over the last two months.

Attacks are actually quite different from successes. There are actually a staggering number of attacks from all actors, state and stateless, on a daily basis and they've been going on for years. If these were not appropriately defended, this would have been a serious problem long before the war itself. In fact, it has been a serious problem and we've done a lot of things to try to protect ourselves.

However, we don't know what we don't know, so there is something called zero-day attacks that could occur. These are unknown attacks from before. These can be launched at different times on us unsuspectingly because we're just not prepared for them. We don't know that they're out there or what these vulnerabilities are. However, we haven't seen an increase of those over the last two months. Likely if attacks were being launched at this point of unknown origin then we would probably have had some kinds of cracks in the systems, but we haven't really seen that in the way that many people expected.

Canada's making an investment through the CSIN program and I think this is a key step in the right direction. It's a critical investment in Canada's current and future cybersecurity. This was initiated in 2019, long before this occurred, so the reality is that Canada has actually made some pretty good steps in the last little while in order to set itself on a very solid footing.

What we really want to do is build some sort of a cyber-safe ecosystem. Canada's critical infrastructure in general is vulnerable because it's built on legacy systems that are known to be particularly vulnerable. What I mean by legacy systems is that they're systems that were in existence before the Internet of things started to occur. With the advent of the IoT and the need to replace old components with Internet-connected ones, we are actually opening up a potential threat and attack on some of our critical infrastructure. This is part of what's being investigated both in terms of research and at the corporate level within the private sector.

Large corporations are actually likely to be reasonably well protected right now. The reality is that lots of money has been invested by the private sector because they recognize their vulnerability. As a result, they've managed to move things forward quite a bit over the last 20 years. Small and medium-sized enterprises, however, are simply vulnerable to various attacks and additional investment needs to be made to protect them in some sort of way. However, they are unlikely to be a specific target from Russia unless they exist in certain cybersecurity sectors and/or are suppliers to the critical infrastructure.

The key issue is that we have a critical shortage of experts in this area. Post-secondaries are trying to address that. We need to upskill and re-skill existing workers. We have a lack of education and knowledge in the workforce and in the general public, and hiring international expertise might help but it's unlikely to be sufficient simply because they're so much in demand.

With that, I'm done.

The Chair Liberal Jim Carr

Perfect. Absolutely on the schnozz. Way to go.

I now invite Ms. Juliette Kayyem to make an opening statement of up to five minutes.

Please proceed whenever you're ready.

Juliette Kayyem Belfer Senior Lecturer in International Security, Harvard Kennedy School of Government, As an Individual

Thank you for having me. One of my former students is now an MP. Taleeb was in there... I can't see a thing, but it's a thrill to be here.

When I was asked to be here, I made it clear, because I wanted to declare, that the exact risk assessment for Canada is not something I'm an expert in. I'm an expert in what in our space and what I've worked on globally is called “right of boom”, which is essentially what the capacities are, especially in the cyber-field, assuming that a bad thing is going to happen.

Like Ken was saying, there are a lot of questions about increased vulnerability for a country like Canada, given the Russian conflict. There is a big issue in my space, in the sort of preparation space, around why we haven't seen more activity. The answers to that may be multiple. The best one we know so far is that maybe, much like military capacity, Russian cyber-capacity to destroy as compared to disrupt—disruptions we can handle—was overestimated. It could also be that the invocation of article 5 by NATO might have had a disciplining effect, the idea that any attack on critical infrastructure that impacted individuals would be viewed as an attack similar to a military attack. We don't know and we're not done yet, so what does that mean for preparation for that?

Overall—and I was just in Canada getting a briefing on this about two weeks ago, so it's a funny coincidence—much like the United States, Canada's focus and its private sector critical infrastructure focus have been on what we call “left of boom” capabilities—in other words, stopping some sort of infiltration, some sort of boom, so to speak. Those are important and those are essential, but what hasn't been done enough, especially in coordination with the United States and the northern states, is what would happen if there was a disruption.

We measure success on whether you can stop more harm from occurring. In other words, how quickly can you respond? How quickly can you get systems back up? My standard is this: Can you make something less bad? In the cyber critical infrastructure space, as Ken was describing, there's a tremendous amount of focus on stopping the hack, the ransomware or the nation-state, and less on what you would do if that were to happen. Do you have more than an on-off switch, which is generally what these have?

There have been lots of lessons learned so far because of this. We've learned this from Colonial Pipeline in the United States, which didn't have much capacity.

A lot of it has to do with response time. Do you know when your system has been infiltrated? How quickly can you protect yourself from what we call cascading losses? In other words, even if there is a disruption or a destruction, which is something even greater, can you stop the cascading losses and can you require the private sector to do that?

What does cascading losses mean? It's just essentially that there is the initial thing, and then there are all the things that happen after the fact that could have been stopped if you had been able to manage the harm.

The second is what sort of regional planning has occurred. We certainly know in this space that no company acts alone, no locality acts alone, but in terms of regional planning and communication, we know that there is a need for a greater understanding of what the consequences of the vulnerability are. It's not just what the risk is, not just what the vulnerability is, but what the consequences of the vulnerability are.

Then the third area where there is a lack is, I would say—and this is going to sound familiar, I think, across every country—more communication about whatever risk you are seeing in the government to the private sector so we could begin to prepare.

The Chair Liberal Jim Carr

You have 10 seconds.

12:15 p.m.

Belfer Senior Lecturer in International Security, Harvard Kennedy School of Government, As an Individual

Juliette Kayyem

It's consequence management capabilities. It's all about response when you cannot exactly measure what the risk is.

Thank you.

The Chair Liberal Jim Carr

Thank you very much.

I would now like to invite Mr. David Shipley to make an opening statement of up to five minutes.

The floor is yours, sir.

David Shipley Chief Executive Officer, Beauceron Security

Thank you, Mr. Chair, and thank you to the committee for the opportunity to be here.

I'm going to talk about three key recommendations. The first is the need for mandatory incident reporting so that we actually know what's happening left and right of boom. Second, I'm going to talk about the need for standards in basic cyber-hygiene to try to prevent the likelihood of incidents happening. Third, I'm going to talk about the desperate need to help small and mid-sized businesses and the subnational public sector—health care, municipalities and higher education—to secure themselves.

My name is David Shipley and I'm the co-founder and CEO of Beauceron Security. I have worked in cybersecurity for the past decade. I hold a certified information security manager designation from ISACA, and I've spoken with Canadian media hundreds of times over the past decade about cyber-attacks and social media manipulation.

Beauceron serves nearly 600 customers ranging from North America's biggest banks to national telcos, government, small business and more. Our technology is used to educate more than a half a million people to know more and care more about their role in cybersecurity. According to the Verizon “2022 Data Breach Investigations Report”, 82% of all cyber-attacks succeed because of the human element of cyber, whether that's people falling for expert use of emotional manipulation in emails known as phishing, or human error in the use or design of technology. The word “cyber” itself points to the importance of the human element. Cyber comes from the Greek word kubernetes and it's focused on the relationship between people, technology and control. A future in which individuals, organizations, governments and society are in control of the technology they rely on every day is a bright one for Canada, but that is not our dysfunctional present.

Those who seek to harm Canada and its interests understand how to use technology and control harm. Russia's capability in this regard is well documented. They have developed the capability, with state-backed hacking teams, to cripple critical infrastructure, as was mentioned earlier, hack into political parties and governments to find and leak sensitive information, and more. They have cultivated a robust cybercrime industry and have relationships with organized criminal gangs to avoid accountability for their actions. Russia also understands the use of websites and social media platforms as a means to control people with disinformation. Marcus Kolga with the Macdonald-Laurier Institute and others have documented this well. Social media manipulation is part of the spectrum of weapons when we talk about cyber-conflict.

Russia's actions in cyberspace have had severe consequences for Canadians. Cyber-attacks from Russian criminal gangs have crippled Canadian municipalities, health care organizations and more, with costs into the tens of millions of dollars. The cybersecurity firm Emsisoft estimated there were more than 4,000 Canadian organizations victimized by ransomware alone in 2021, with estimated damages as high as $654 million.

While the Government of Canada has made significant efforts to protect itself from cyber-threats, most of the rest of Canada is in the hands of the private sector or subnational public sector. To reduce that risk we must get better insight into cyber-attacks, improve our regulations on basic cyber-hygiene and increase our resources to our most vulnerable organizations.

First, we must implement mandatory cyber-incident reporting that goes beyond federally regulated industries and that includes health care as well as vital supply chains, including manufacturing and food. We are lagging behind the United States and Europe in this respect. Most organizations are not going to voluntarily engage with the federal government during incidents. They are told by their legal and risk teams, or by their insurer, to limit information sharing and disclosure since working with government is seen to offer limited gains and to present much to lose. This means we lose crucial insights into attacks on Canada and, even more importantly, root causes and key lessons are not learned or shared effectively.

Second, we need national mandatory cyber-hygiene. CyberSecure Canada is a great start, but voluntary uptake will continue to be low. We need to take a lesson from the U.K.'s similar programs and tie access to government procurement with achieving basic cybersecurity standards.

Third, our most vulnerable sectors are the subnational public sector, such as higher education, municipalities and health care. They need dedicated funding from the federal government to improve their security as quickly as possible. On the private sector side, our small and mid-sized businesses desperately need help affording the security tools they need in an increasingly hostile environment.

I would be remiss if I didn't comment on the need to regulate social media as an important part of our national cybersecurity strategy to put Canadians in control of the technology they use. Social media algorithms that amplify fear, anger and hatred are tools highly leveraged by Russia and other enemies to fracture our society. We must give back to Canadians control over the content they see by mandating that the default view for social media be one of chronological order, not one algorithmically decided, and require an opt-in model for algorithmic content.

The Chair Liberal Jim Carr

You have 10 seconds, please.

12:20 p.m.

Chief Executive Officer, Beauceron Security

David Shipley

Failure to act today damns us to a future where our businesses are crippled from waves of foreign extortion attempts, our citizens and politics are poisoned with division and disinformation, and our ability to provide the essentials of life is significantly diminished.

The Chair Liberal Jim Carr

Thank you very much, sir.

Thank you all for your remarks. We now move into the first round of questions.

Leading off will be Ms. Dancho with a six-minute slot.

12:20 p.m.

Conservative

Raquel Dancho Conservative Kildonan—St. Paul, MB

Thank you, Mr. Chair.

Thank you to all of the witnesses for being here and Mr. Shipley for being able to be here in person.

My first question is for Mr. Shipley.

I wanted to pick up on a few of the recommendations you had for the mandatory cyber-hygiene. One that I picked up on was tying it to government procurement requirements. Do you have any others that you would recommend?

12:20 p.m.

Chief Executive Officer, Beauceron Security

David Shipley

The idea of tying it to government procurement came from the U.K. cyber essentials program, which is what some of our program was modelled after. They dramatically improved their supply chain security for the U.K. national government. The benefit to the rest of the country is that they had a more secure SMB sector. This is a great starting point.

We've seen the benefits of good hygiene. The efforts by Ukraine and the United States government to prepare for the conflict we now see have significantly reduced the impact of Russia's efforts in that country. Good hygiene and good left of boom save us a lot of misery.

I've been on the phone with a small or mid-sized business. It was a hardware store. They'd been hit by ransomware. This was the worst three days of that owner's life. It turned out to be weeks to fully recover. They were back to pen and paper. Had they only had more help and resources or an incentive to invest in security and the help to do it, they could have avoided that bad day.

The last thing I'll mention about supply chain is that you never know how a supply chain vulnerability will play out. It was tax software in Ukraine that led to the crippling in 2017 with the massive wiper malware called NotPetya. It was a small tax software firm.

Small and mid-sized businesses can have an oversized impact. We just don't know how the combination will come out.

Raquel Dancho Conservative Kildonan—St. Paul, MB

Can you give us some examples of how we can...? You mentioned the small hardware store. What role does government play to incentivize? What does that look like? Is that like a tax break? What would you imagine that could be?

12:25 p.m.

Chief Executive Officer, Beauceron Security

David Shipley

Well, 48% of small businesses don't spend anything on cybersecurity today. It could be in the form of tax credits. You could also look at models like CDAP, which has helped with digital adoption and was much needed in the pandemic. Unfortunately, that digital adoption has actually increased vulnerabilities for small and mid-sized businesses.

We need to tie being secure into grants, loans and other things that have a direct tie to businesses.

12:25 p.m.

Conservative

Raquel Dancho Conservative Kildonan—St. Paul, MB

Thank you very much.

I just have some questions now for Mr. Barker.

You spoke recently on a podcast—I believe it was Cybersecurity Cubed—about the threat of quantum computing to our existing cybersecurity and cryptography networks. Can you provide some feedback to the committee on how Canada is performing in this sphere?

12:25 p.m.

Professor, Institute for Security, Privacy, and Information Assurance, University of Calgary, As an Individual

Dr. Ken Barker

I probably need a bit more context for the question.

The existential threat from quantum is probably a future one. It's not a current one, in the sense that it's actually a threat to the cryptographic systems in place that we currently use to operate all of our systems.

I'm trying to avoid getting too technical here.

A future possibility is that quantum computing could effectively undermine all modern encryption techniques and shorten the lifespan, if you will, of how long something could be considered cryptographically safe. That threat isn't current. It might be 10 or 20 years away, to be blunt. Certainly people who champion quantum technology would argue that it could be just around the corner. They're not wrong. The reality is that it's probably quite some distance in the future.

The threat, though, is still real today in the sense that if it's cracked in 20 or 25 years, we would probably have quantum-safe cryptography available by that point. However, the existing stuff that's currently being secured by modern encryption becomes vulnerable 20 years from now. If it's stored some place in an encrypted way and we think it's safe for the next 2,000 years, it could become vulnerable at that point. All of that legacy encrypted data that we consider very secure at this point could become very vulnerable at that point. Much of it could be released or hacked into and be sitting out some place. It could become vulnerable at that stage.

I'm not sure if I've actually answered the core of your question. It's a very complicated one.

12:25 p.m.

Conservative

Raquel Dancho Conservative Kildonan—St. Paul, MB

Yes. I think you've given us all a bit of a crash course on this complex issue.

Are any of our adversaries aggressively pursuing this? Are they investing in this? Have you heard of their discussing this?

You mentioned it could be in 10 years, 20 years or 25 years that all of our encrypted technologies could be at risk of quantum computing from adversaries. Should we be having these discussions now, or is it a bit too early?

12:25 p.m.

Professor, Institute for Security, Privacy, and Information Assurance, University of Calgary, As an Individual

Dr. Ken Barker

No, I think we should be having these discussions now. The mechanisms that we might want to put in place 20 years from now are going to take 20 years to develop. We're talking about doing fundamental research and development efforts.

Canada, in many ways, is leading in this space. We made investments several years ago that were critical to moving to promoting quantum, but I will say that the rest of the world is starting to catch up. I think there's an opportunity here for us to be world leaders in that particular space. That will, obviously, help protect our cybersecurity.

The Chair Liberal Jim Carr

Thank you very much.

12:30 p.m.

Conservative

Raquel Dancho Conservative Kildonan—St. Paul, MB

Thank you very much.

The Chair Liberal Jim Carr

I would now like to turn to Mr. Noormohamed for his six-minute block of questions.

The floor is yours, sir.

Taleeb Noormohamed Liberal Vancouver Granville, BC

Thank you, Mr. Chair.

Thank you to all the witnesses for being with us today.

In particular to my old professor, Professor Kayyem, it's good to see you. I'd like to, if I could, kick off with a couple of questions for you, please.

You talked about disruption and destruction, and the fact that we can handle disruption but destruction is a whole different ball game. My concern is that one challenge we've been dealing with is that when we look at the impact of Russian bots in terms of spreading misinformation.... First, they were spreading COVID misinformation and trying to sow misinformation with this idea of breaking down trust in public institutions. We saw a proximity of that narrative to far-right extremist views, and then, lo and behold, a connection to very pro-Russian, anti-Ukrainian messaging online.

I'm wondering whether or not this erosion in the public perception of policy starts to move into that realm of destruction in a way that we perhaps haven't thought of. I'd love your thoughts on that. In Canada, certainly, we are starting to see it. It's something that I think all of us here are quite concerned about.

12:30 p.m.

Belfer Senior Lecturer in International Security, Harvard Kennedy School of Government, As an Individual

Juliette Kayyem

I think that's right. I think you're exactly right that not every crisis is a disaster. In other words, if we're built for it, we can—for any type of attack—survive something if we're prepared for it.

It becomes—in words that I quote from the NATO language—“destructive” if you cannot manage even the smaller things. They build on each other. This is the notion of cascading losses. If you cannot stop the harm close to the vulnerability...although you don't even know what those impacts will be downstream, especially in the cyber context, which is what we've experienced with critical infrastructure here in the United States. In a simple ransomware attack like the Colonial Pipeline, which was really simple and not that sophisticated, because they did not have a response capability, it meant the whole system was down for a week. That's not sophisticated.

One way to think about the relationship is.... As a nation and as a government, you're really focused on—from Russia—the destructive stuff. I think NATO made that clear in its language. It's not going to define what the difference is between a disruptive attack and a destructive attack. I think that's been good. In other words, that is actually keeping enough vagueness in the system so that the adversary doesn't know where the line is. The last thing you want to do is to say, “We would view this as destructive and this as only disruptive”.

I think the best response.... This is, now, not the world of rocket science. The fact that we talk about cybersecurity or cyber-attacks makes them seem technological. On the response side, it's really not that sophisticated. You don't need to know coding. A lot of it is having communication systems that have multiple defences and systems that stop the cascading losses, in other words, bifurcated or divided regional support systems that can service mutual aid. If an energy system went down, you could share or get systems from others. Those are tried-and-true emergency management capabilities.

I've spent a lot of years trying to focus the cybersecurity world on how you don't have to reinvent the wheel. A lot of what we've learned from both disruptive and destructive attacks was already known.

Taleeb Noormohamed Liberal Vancouver Granville, BC

Building on that, as we think about the world of cyber...which, for whatever reason, people still see as overly complex and perhaps it isn't as complicated as we perceive it to be, as you articulated. When you look at what has been happening in the United States and you look at where Canada resides on that spectrum, and then when we think about the context of what you said in terms of Russia's inability to prosecute a ground war well and, arguably, either Russia's inability or lack of desire to prosecute an online war right now, what should we be thinking about in terms of Russia?

Are there things that we, the west, are missing in terms of where the next thing might come from? If so, can you share some of your thoughts on that? Where should we be pointing our attention, so that we're as prepared as we can be?